From 3253dbfecbf2570aa4beea6704da6c2ea53c1666 Mon Sep 17 00:00:00 2001 From: Ivan Fernandez Calvo Date: Wed, 30 Sep 2020 18:47:13 +0200 Subject: [PATCH 01/18] ci: pipeline to generate the changelog (#21426) --- .ci/jobs/beats-release-changelog.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .ci/jobs/beats-release-changelog.yml diff --git a/.ci/jobs/beats-release-changelog.yml b/.ci/jobs/beats-release-changelog.yml new file mode 100644 index 000000000000..1cbd94c7168a --- /dev/null +++ b/.ci/jobs/beats-release-changelog.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-changelog + display-name: 'Prepare the Changelog for a Release' + description: 'Automate the steps to prepare the Changelog for a Release' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-changelog.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master From fd52ca5adff8a68370e98ae89e101e4060776020 Mon Sep 17 00:00:00 2001 From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Wed, 30 Sep 2020 13:02:05 -0500 Subject: [PATCH 02/18] [Winlogbeat] Move winlogbeat javascript processor to libbeat (#21402) * Move winlogbeat processor to libbeat - needed for filebeat winlog input - changed name to windows - also register as winlogbeat for backwards compatibility --- libbeat/processors/script/javascript/module/include.go | 1 + .../script/javascript/module/windows}/doc.go | 6 +++--- .../script/javascript/module/windows/windows.go | 10 ++++++---- .../script/javascript/module/windows/windows_test.go | 2 +- winlogbeat/cmd/root.go | 1 - .../module/powershell/config/winlogbeat-powershell.js | 4 ++-- .../module/security/config/winlogbeat-security.js | 4 ++-- .../module/sysmon/config/winlogbeat-sysmon.js | 4 ++-- x-pack/winlogbeat/module/testing_windows.go | 1 - 9 files changed, 17 insertions(+), 16 deletions(-) rename {winlogbeat/processors/script/javascript/module/winlogbeat => libbeat/processors/script/javascript/module/windows}/doc.go (82%) rename winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go => libbeat/processors/script/javascript/module/windows/windows.go (87%) rename winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go => libbeat/processors/script/javascript/module/windows/windows_test.go (99%) diff --git a/libbeat/processors/script/javascript/module/include.go b/libbeat/processors/script/javascript/module/include.go index f30e423e7a23..b498dc90e21f 100644 --- a/libbeat/processors/script/javascript/module/include.go +++ b/libbeat/processors/script/javascript/module/include.go @@ -24,4 +24,5 @@ import ( _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/path" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/require" + _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/windows" ) diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go b/libbeat/processors/script/javascript/module/windows/doc.go similarity index 82% rename from winlogbeat/processors/script/javascript/module/winlogbeat/doc.go rename to libbeat/processors/script/javascript/module/windows/doc.go index fc782636d09e..bca46a943400 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go +++ b/libbeat/processors/script/javascript/module/windows/doc.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -// Package winlogbeat registers the winlogbeat module with the javascript script -// processor. The module has utilities specific to Winlogbeat like parsing +// Package windows registers the windows module with the javascript script +// processor. The module has utilities specific to Windows like parsing // Windows command lines. -package winlogbeat +package windows diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go b/libbeat/processors/script/javascript/module/windows/windows.go similarity index 87% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go rename to libbeat/processors/script/javascript/module/windows/windows.go index dc9439c5c673..2bbe7817fadc 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go +++ b/libbeat/processors/script/javascript/module/windows/windows.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "syscall" @@ -60,11 +60,11 @@ func commandLineToArgvW(in string) ([]string, error) { return args, nil } -// Require registers the winlogbeat module that has utilities specific to -// Winlogbeat like parsing Windows command lines. It can be accessed using: +// Require registers the windows module that has utilities specific to +// Windows like parsing Windows command lines. It can be accessed using: // // // javascript -// var winlogbeat = require('winlogbeat'); +// var windows = require('windows'); // func Require(vm *goja.Runtime, module *goja.Object) { o := module.Get("exports").(*goja.Object) @@ -74,9 +74,11 @@ func Require(vm *goja.Runtime, module *goja.Object) { // Enable adds path to the given runtime. func Enable(runtime *goja.Runtime) { + runtime.Set("windows", require.Require(runtime, "windows")) runtime.Set("winlogbeat", require.Require(runtime, "winlogbeat")) } func init() { + require.RegisterNativeModule("windows", Require) require.RegisterNativeModule("winlogbeat", Require) } diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go b/libbeat/processors/script/javascript/module/windows/windows_test.go similarity index 99% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go rename to libbeat/processors/script/javascript/module/windows/windows_test.go index 45c339cc1f2c..be213a79ba8c 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go +++ b/libbeat/processors/script/javascript/module/windows/windows_test.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "testing" diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index 7e25e7178136..2cd26a9fe8e9 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go @@ -30,7 +30,6 @@ import ( // Import processors and supporting modules. _ "github.com/elastic/beats/v7/libbeat/processors/script" _ "github.com/elastic/beats/v7/libbeat/processors/timestamp" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) const ( diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 71ce567ccc78..4ef1155086bc 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -5,7 +5,7 @@ var powershell = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var normalizeCommonFieldNames = new processor.Convert({ fields: [ @@ -183,7 +183,7 @@ var powershell = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var addProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 9a0899165b9b..5a8e91b677bc 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -5,7 +5,7 @@ var security = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); // Logon Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events @@ -1670,7 +1670,7 @@ var security = (function () { if (!cl) { return; } - evt.Put("process.args", winlogbeat.splitCommandLine(cl)); + evt.Put("process.args", windows.splitCommandLine(cl)); evt.Put("process.command_line", cl); }) .Build(); diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 5fcedb9e40e5..5b09c98fc32f 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -15,7 +15,7 @@ if (!String.prototype.startsWith) { var sysmon = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var net = require("net"); // Windows error codes for DNS. This list was generated using @@ -311,7 +311,7 @@ var sysmon = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var splitProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go index 12b2102070f1..058e2320a9de 100644 --- a/x-pack/winlogbeat/module/testing_windows.go +++ b/x-pack/winlogbeat/module/testing_windows.go @@ -28,7 +28,6 @@ import ( // Register javascript modules. _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) var update = flag.Bool("update", false, "update golden files") From eae9f5c156467f2f23df5afc4e73b63c01e3091b Mon Sep 17 00:00:00 2001 From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Wed, 30 Sep 2020 13:09:57 -0500 Subject: [PATCH 03/18] Add field limit check for AWS Cloudtrail flattened fields (#21388) add 32k length check for - aws.cloudtrail.flattened.request_parameters - aws.cloudtrail.flattened.response_elements - aws.cloudtrail.flattened.additional_eventdata - aws.cloudtrail.flattened.service_event_details Closes #21382 --- CHANGELOG.next.asciidoc | 1 + .../module/aws/cloudtrail/ingest/pipeline.yml | 62 ++++++++----------- 2 files changed, 26 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 223dace9e494..a96a23db9d8f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -275,6 +275,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Handle multiple upstreams in ingress-controller. {pull}21215[21215] - Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] - Fix checkpoint module when logs contain time field. {pull}20567[20567] +- Add field limit check for AWS Cloudtrail flattened fields. {pull}21388[21388] {issue}21382[21382] *Heartbeat* diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 8421e12d7f03..8ceec6ff1009 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -146,37 +146,36 @@ processors: field: "json.errorMessage" target_field: "aws.cloudtrail.error_message" ignore_failure: true - - rename: - field: json.requestParameters - target_field: "aws.cloudtrail.flattened.request_parameters" - if: ctx?.json?.requestParameters != null - script: lang: painless source: | - if (ctx.aws.cloudtrail.flattened.request_parameters != null) { - ctx.aws.cloudtrail.request_parameters = ctx.aws.cloudtrail.flattened.request_parameters.toString(); + if (ctx.aws.cloudtrail?.flattened == null) { + Map map = new HashMap(); + ctx.aws.cloudtrail.put("flattened", map); + } + if (ctx.json.requestParameters != null) { + ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); + if (ctx.aws.cloudtrail.request_parameters.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("request_parameters", ctx.json.requestParameters); + } } - ignore_failure: true - - rename: - field: json.responseElements - target_field: "aws.cloudtrail.flattened.response_elements" - if: ctx?.json?.responseElements != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.response_elements != null) { - ctx.aws.cloudtrail.response_elements = ctx.aws.cloudtrail.flattened.response_elements.toString(); + if (ctx.json.responseElements != null) { + ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); + if (ctx.aws.cloudtrail.response_elements.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("response_elements", ctx.json.responseElements); + } } - ignore_failure: true - - rename: - field: json.additionalEventData - target_field: "aws.cloudtrail.flattened.additional_eventdata" - if: ctx?.json?.additionalEventData != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.additional_eventdata != null) { - ctx.aws.cloudtrail.additional_eventdata = ctx.aws.cloudtrail.flattened.additional_eventdata.toString(); + if (ctx.json.additionalEventData != null) { + ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString(); + if (ctx.aws.cloudtrail.additional_eventdata.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("additional_eventdata", ctx.json.additionalEventData); + } + } + if (ctx.json.serviceEventDetails != null) { + ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString(); + if (ctx.aws.cloudtrail.service_event_details.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("service_event_details", ctx.json.serviceEventDetails); + } } ignore_failure: true - rename: @@ -219,17 +218,6 @@ processors: field: "json.recipientAccountId" target_field: "aws.cloudtrail.recipient_account_id" ignore_failure: true - - rename: - field: json.serviceEventDetails - target_field: "aws.cloudtrail.flattened.service_event_details" - if: ctx?.json?.serviceEventDetails != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.service_event_details != null) { - ctx.aws.cloudtrail.service_event_details = ctx.aws.cloudtrail.flattened.service_event_details.toString(); - } - ignore_failure: true - rename: field: "json.sharedEventId" target_field: "aws.cloudtrail.shared_event_id" From f07eeaa02a1100be29cf1f2fa045a6c4a8d8a16d Mon Sep 17 00:00:00 2001 From: Michal Pristas Date: Thu, 1 Oct 2020 08:52:03 +0200 Subject: [PATCH 04/18] [Ingest Manager] Upgrade Action: make source URI optional (#21372) [Ingest Manager] Upgrade Action: make source URI optional (#21372) --- .../pkg/agent/application/upgrade/step_unpack.go | 4 ++-- .../pkg/agent/application/upgrade/upgrade.go | 15 +++++++++++++-- x-pack/elastic-agent/pkg/fleetapi/action.go | 2 +- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go index ae3d05edd160..8efb2de21403 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go @@ -23,8 +23,8 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) -// untar unpacks archive correctly, skips root (symlink, config...) unpacks data/* -func (u *Upgrader) unpack(ctx context.Context, version, sourceURI, archivePath string) (string, error) { +// unpack unpacks archive correctly, skips root (symlink, config...) unpacks data/* +func (u *Upgrader) unpack(ctx context.Context, version, archivePath string) (string, error) { // unpack must occur in directory that holds the installation directory // or the extraction will be double nested var hash string diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index 9c2c4f022869..de3a577281d7 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -75,12 +75,13 @@ func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error "running under control of the systems supervisor") } - archivePath, err := u.downloadArtifact(ctx, a.Version, a.SourceURI) + sourceURI, err := u.sourceURI(a.Version, a.SourceURI) + archivePath, err := u.downloadArtifact(ctx, a.Version, sourceURI) if err != nil { return err } - newHash, err := u.unpack(ctx, a.Version, a.SourceURI, archivePath) + newHash, err := u.unpack(ctx, a.Version, archivePath) if err != nil { return err } @@ -147,6 +148,16 @@ func (u *Upgrader) Ack(ctx context.Context) error { return ioutil.WriteFile(markerFile, markerBytes, 0600) } +func (u *Upgrader) sourceURI(version, retrievedURI string) (string, error) { + if strings.HasSuffix(version, "-SNAPSHOT") && retrievedURI == "" { + return "", errors.New("snapshot upgrade requires source uri", errors.TypeConfig) + } + if retrievedURI != "" { + return retrievedURI, nil + } + + return u.settings.SourceURI, nil +} func rollbackInstall(hash string) { os.RemoveAll(filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash))) diff --git a/x-pack/elastic-agent/pkg/fleetapi/action.go b/x-pack/elastic-agent/pkg/fleetapi/action.go index d53b7fdfcfba..2329546629cf 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/action.go +++ b/x-pack/elastic-agent/pkg/fleetapi/action.go @@ -97,7 +97,7 @@ type ActionUpgrade struct { ActionID string `json:"id" yaml:"id"` ActionType string `json:"type" yaml:"type"` Version string `json:"version" yaml:"version"` - SourceURI string `json:"source_uri" yaml:"source_uri"` + SourceURI string `json:"source_uri,omitempty" yaml:"source_uri,omitempty"` } func (a *ActionUpgrade) String() string { From 690afe941f3d08f7abd49f09e1a8845331673853 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20=C3=81lvarez?= Date: Thu, 1 Oct 2020 09:14:01 +0200 Subject: [PATCH 05/18] Initial spec file for apm-server (#21225) Start with Elasticsearch output only for now --- .../elastic-agent/spec/apm-server.yml.disabled | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 x-pack/elastic-agent/spec/apm-server.yml.disabled diff --git a/x-pack/elastic-agent/spec/apm-server.yml.disabled b/x-pack/elastic-agent/spec/apm-server.yml.disabled new file mode 100644 index 000000000000..c84405dfaddc --- /dev/null +++ b/x-pack/elastic-agent/spec/apm-server.yml.disabled @@ -0,0 +1,16 @@ +name: APM-Server +cmd: apm-server +artifact: apm-server +args: ["-E", "management.enabled=true", "-E", "management.mode=x-pack-fleet"] +rules: + - fix_stream: {} + - filter_values: + selector: inputs + key: type + values: + - apm + - filter: + selectors: + - inputs + - output +when: length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch') From cb624cfd18ac07e06e633a3d960d0926bd759730 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 1 Oct 2020 10:24:01 +0200 Subject: [PATCH 06/18] Add initial skeleton of filestream input (#21427) ## What does this PR do? This PR adds the skeleton of the new `filestream` input. The name of the input can be changed. The input was renamed from `logfile` because we are not going to provide the same options as the current `log` input. As `logfile` is already used by Agent for the `log` input, it is easier to adopt a new input with a different name. The PR seems big, but the contents of `filebeat/input/filestream/internal/input-logfile` is basically the same as `filebeat/input/v2/input-cursor`. It is separated into a different folder because when the time comes, we would like to unify the two input types. The main difference between the two inputs is that the `configure` function of `input-logfile` returns a `Prospector` which finds inputs dynamically. Whereas `input-cursor` requires a list of paths without globbing. The following files need review: * filebeat/input/filestream/input.go * filebeat/input/filestream/internal/input-logfile/fswatch.go * filebeat/input/filestream/internal/input-logfile/harvester.go * filebeat/input/filestream/internal/input-logfile/input.go * filebeat/input/filestream/internal/input-logfile/prospector.go * filebeat/input/filestream/prospector.go The others are the same as `input-cursor`. Also, updated tests are coming in a new PR. ## Related issues First step https://github.com/elastic/beats/issues/20243 --- filebeat/input/filestream/input.go | 68 ++++ .../internal/input-logfile/clean.go | 124 +++++++ .../internal/input-logfile/clean_test.go | 162 ++++++++ .../internal/input-logfile/cursor.go | 43 +++ .../internal/input-logfile/cursor_test.go | 124 +++++++ .../filestream/internal/input-logfile/doc.go | 58 +++ .../internal/input-logfile/fswatch.go | 65 ++++ .../internal/input-logfile/harvester.go | 125 +++++++ .../internal/input-logfile/input.go | 106 ++++++ .../internal/input-logfile/manager.go | 199 ++++++++++ .../internal/input-logfile/prospector.go | 35 ++ .../internal/input-logfile/publish.go | 153 ++++++++ .../internal/input-logfile/publish_test.go | 158 ++++++++ .../internal/input-logfile/store.go | 324 ++++++++++++++++ .../internal/input-logfile/store_test.go | 351 ++++++++++++++++++ filebeat/input/filestream/prospector.go | 38 ++ 16 files changed, 2133 insertions(+) create mode 100644 filebeat/input/filestream/input.go create mode 100644 filebeat/input/filestream/internal/input-logfile/clean.go create mode 100644 filebeat/input/filestream/internal/input-logfile/clean_test.go create mode 100644 filebeat/input/filestream/internal/input-logfile/cursor.go create mode 100644 filebeat/input/filestream/internal/input-logfile/cursor_test.go create mode 100644 filebeat/input/filestream/internal/input-logfile/doc.go create mode 100644 filebeat/input/filestream/internal/input-logfile/fswatch.go create mode 100644 filebeat/input/filestream/internal/input-logfile/harvester.go create mode 100644 filebeat/input/filestream/internal/input-logfile/input.go create mode 100644 filebeat/input/filestream/internal/input-logfile/manager.go create mode 100644 filebeat/input/filestream/internal/input-logfile/prospector.go create mode 100644 filebeat/input/filestream/internal/input-logfile/publish.go create mode 100644 filebeat/input/filestream/internal/input-logfile/publish_test.go create mode 100644 filebeat/input/filestream/internal/input-logfile/store.go create mode 100644 filebeat/input/filestream/internal/input-logfile/store_test.go create mode 100644 filebeat/input/filestream/prospector.go diff --git a/filebeat/input/filestream/input.go b/filebeat/input/filestream/input.go new file mode 100644 index 000000000000..487a5f01c2aa --- /dev/null +++ b/filebeat/input/filestream/input.go @@ -0,0 +1,68 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/beats/v7/libbeat/logp" +) + +// filestream is the input for reading from files which +// are actively written by other applications. +type filestream struct{} + +const pluginName = "filestream" + +// Plugin creates a new filestream input plugin for creating a stateful input. +func Plugin(log *logp.Logger, store loginp.StateStore) input.Plugin { + return input.Plugin{ + Name: pluginName, + Stability: feature.Experimental, + Deprecated: false, + Info: "filestream input", + Doc: "The filestream input collects logs from the local filestream service", + Manager: &loginp.InputManager{ + Logger: log, + StateStore: store, + Type: pluginName, + Configure: configure, + }, + } +} + +func configure(cfg *common.Config) (loginp.Prospector, loginp.Harvester, error) { + panic("TODO: implement me") +} + +func (inp *filestream) Name() string { return pluginName } + +func (inp *filestream) Test(src loginp.Source, ctx input.TestContext) error { + panic("TODO: implement me") +} + +func (inp *filestream) Run( + ctx input.Context, + src loginp.Source, + cursor loginp.Cursor, + publisher loginp.Publisher, +) error { + panic("TODO: implement me") +} diff --git a/filebeat/input/filestream/internal/input-logfile/clean.go b/filebeat/input/filestream/internal/input-logfile/clean.go new file mode 100644 index 000000000000..d738dabbc556 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/clean.go @@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "time" + + "github.com/elastic/go-concert/timed" + "github.com/elastic/go-concert/unison" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// cleaner removes finished entries from the registry file. +type cleaner struct { + log *logp.Logger +} + +// run starts a loop that tries to clean entries from the registry. +// The cleaner locks the store, such that no new states can be created +// during the cleanup phase. Only resources that are finished and whos TTL +// (clean_timeout setting) has expired will be removed. +// +// Resources are considered "Finished" if they do not have a current owner (active input), and +// if they have no pending updates that still need to be written to the registry file after associated +// events have been ACKed by the outputs. +// The event acquisition timestamp is used as reference to clean resources. If a resources was blocked +// for a long time, and the life time has been exhausted, then the resource will be removed immediately +// once the last event has been ACKed. +func (c *cleaner) run(canceler unison.Canceler, store *store, interval time.Duration) { + started := time.Now() + timed.Periodic(canceler, interval, func() error { + gcStore(c.log, started, store) + return nil + }) +} + +// gcStore looks for resources to remove and deletes these. `gcStore` receives +// the start timestamp of the cleaner as reference. If we have entries without +// updates in the registry, that are older than `started`, we will use `started +// + ttl` to decide if an entry will be removed. This way old entries are not +// removed immediately on startup if the Beat is down for a longer period of +// time. +func gcStore(log *logp.Logger, started time.Time, store *store) { + log.Debugf("Start store cleanup") + defer log.Debugf("Done store cleanup") + + states := store.ephemeralStore + states.mu.Lock() + defer states.mu.Unlock() + + keys := gcFind(states.table, started, time.Now()) + if len(keys) == 0 { + log.Debug("No entries to remove were found") + return + } + + if err := gcClean(store, keys); err != nil { + log.Errorf("Failed to remove all entries from the registry: %+v", err) + } +} + +// gcFind searches the store of resources that can be removed. A set of keys to delete is returned. +func gcFind(table map[string]*resource, started, now time.Time) map[string]struct{} { + keys := map[string]struct{}{} + for key, resource := range table { + clean := checkCleanResource(started, now, resource) + if !clean { + // do not clean the resource if it is still live or not serialized to the persistent store yet. + continue + } + keys[key] = struct{}{} + } + + return keys +} + +// gcClean removes key value pairs in the removeSet from the store. +// If deletion in the persistent store fails the entry is kept in memory and +// eventually cleaned up later. +func gcClean(store *store, removeSet map[string]struct{}) error { + for key := range removeSet { + if err := store.persistentStore.Remove(key); err != nil { + return err + } + delete(store.ephemeralStore.table, key) + } + return nil +} + +// checkCleanResource returns true for a key-value pair is assumed to be old, +// if is not in use and there are no more pending updates that still need to be +// written to the persistent store anymore. +func checkCleanResource(started, now time.Time, resource *resource) bool { + if !resource.Finished() { + return false + } + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + ttl := resource.internalState.TTL + reference := resource.internalState.Updated + if started.After(reference) { + reference = started + } + + return reference.Add(ttl).Before(now) && resource.stored +} diff --git a/filebeat/input/filestream/internal/input-logfile/clean_test.go b/filebeat/input/filestream/internal/input-logfile/clean_test.go new file mode 100644 index 000000000000..83e5bff412fc --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/clean_test.go @@ -0,0 +1,162 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "testing" + "time" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestGCStore(t *testing.T) { + t.Run("empty store", func(t *testing.T) { + started := time.Now() + + backend := createSampleStore(t, nil) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("state is still alive", func(t *testing.T) { + started := time.Now() + const ttl = 60 * time.Second + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl / 2), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + checkEqualStoreState(t, initState, backend.snapshot()) + }) + + t.Run("old state can be removed", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("old state is not removed if cleanup is not active long enough", func(t *testing.T) { + const ttl = 60 * time.Minute + started := time.Now() + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-2 * ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + checkEqualStoreState(t, initState, backend.snapshot()) + }) + + t.Run("old state but resource is accessed", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // access resource and check it is not gc'ed + res := store.Get("test::key") + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, initState, backend.snapshot()) + + // release resource and check it gets gc'ed + res.Release() + want := map[string]state{} + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("old state but resource has pending updates", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // create pending update operation + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + res.Release() + + // cleanup fails + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, initState, backend.snapshot()) + + // cancel operation (no more pending operations) and try to gc again + op.done(1) + gcStore(logp.NewLogger("test"), started, store) + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/cursor.go b/filebeat/input/filestream/internal/input-logfile/cursor.go new file mode 100644 index 000000000000..37de24fe56c0 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/cursor.go @@ -0,0 +1,43 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +// Cursor allows the input to check if cursor status has been stored +// in the past and unpack the status into a custom structure. +type Cursor struct { + store *store + resource *resource +} + +func makeCursor(store *store, res *resource) Cursor { + return Cursor{store: store, resource: res} +} + +// IsNew returns true if no cursor information has been stored +// for the current Source. +func (c Cursor) IsNew() bool { return c.resource.IsNew() } + +// Unpack deserialized the cursor state into to. Unpack fails if no pointer is +// given, or if the structure to points to is not compatible with the document +// stored. +func (c Cursor) Unpack(to interface{}) error { + if c.IsNew() { + return nil + } + return c.resource.UnpackCursor(to) +} diff --git a/filebeat/input/filestream/internal/input-logfile/cursor_test.go b/filebeat/input/filestream/internal/input-logfile/cursor_test.go new file mode 100644 index 000000000000..db2ff0c3a30e --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/cursor_test.go @@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestCursor_IsNew(t *testing.T) { + t.Run("true if key is not in store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.True(t, cursor.IsNew()) + }) + + t.Run("true if key is in store but without cursor value", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: nil}, + })) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.True(t, cursor.IsNew()) + }) + + t.Run("false if key with cursor value is in persistent store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.False(t, cursor.IsNew()) + }) + + t.Run("false if key with cursor value is in memory store only", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: nil}, + })) + defer store.Release() + + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + cursor := makeCursor(store, res) + require.False(t, cursor.IsNew()) + }) +} + +func TestCursor_Unpack(t *testing.T) { + t.Run("nothing to unpack if key is new", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "", st) + }) + + t.Run("unpack fails if types are not compatible", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + var st struct{ A uint } + cursor := makeCursor(store, store.Get("test::key")) + require.Error(t, cursor.Unpack(&st)) + }) + + t.Run("unpack from state in persistent store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "test", st) + }) + + t.Run("unpack from in memory state if updates are pending", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "test-state-update", st) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/doc.go b/filebeat/input/filestream/internal/input-logfile/doc.go new file mode 100644 index 000000000000..cf318d4bfed1 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/doc.go @@ -0,0 +1,58 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Package cursor provides an InputManager for use with the v2 API, that is +// capable of storing an internal cursor state between restarts. +// +// The InputManager requires authors to Implement a configuration function and +// the cursor.Input interface. The configuration function returns a slice of +// sources ([]Source) that it has read from the configuration object, and the +// actual Input that will be used to collect events from each configured +// source. +// When Run a go-routine will be started per configured source. If two inputs have +// configured the same source, only one will be active, while the other waits +// for the resource to become free. +// The manager keeps track of the state per source. When publishing an event a +// new cursor value can be passed as well. Future instance of the input can +// read the last published cursor state. +// +// For each source an in-memory and a persitent state are tracked. Internal +// meta updates by the input manager can not be read by Inputs, and will be +// written to the persistent store immediately. Cursor state updates are read +// and update by the input. Cursor updates are written to the persistent store +// only after the events have been ACKed by the output. Internally the input +// manager keeps track of already ACKed updates and pending ACKs. +// In order to guarantee progress even if the pbulishing is slow or blocked, all cursor +// updates are written to the in-memory state immediately. Source without any +// pending updates are in-sync (in-memory state == persistet state). All +// updates are ordered, but we allow the in-memory state to be ahead of the +// persistent state. +// When an input is started, the cursor state is read from the in-memory state. +// This way a new input instance can continue where other inputs have been +// stopped, even if we still have in-flight events from older input instances. +// The coordination between inputs guarantees that all updates are always in +// order. +// +// When a shutdown signal is received, the publisher is directly disconnected +// from the outputs. As all coordination is directly handled by the +// InputManager, shutdown will be immediate (once the input itself has +// returned), and can not be blocked by the outputs. +// +// An input that is about to collect a source that is already collected by +// another input will wait until the other input has returned or the current +// input did receive a shutdown signal. +package input_logfile diff --git a/filebeat/input/filestream/internal/input-logfile/fswatch.go b/filebeat/input/filestream/internal/input-logfile/fswatch.go new file mode 100644 index 000000000000..685b54253a41 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/fswatch.go @@ -0,0 +1,65 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "os" + + "github.com/elastic/go-concert/unison" +) + +const ( + OpDone Operation = iota + OpCreate + OpWrite + OpDelete + OpRename +) + +// Operation describes what happened to a file. +type Operation uint8 + +// FSEvent returns inforamation about file system changes. +type FSEvent struct { + // NewPath is the new path of the file. + NewPath string + // OldPath is the previous path to the file, is it was + // deleted or renamed. + OldPath string + // Op is the file system event: create, write, rename, remove + Op Operation + // Info describes the file in the event. + Info os.FileInfo +} + +// FSScanner retrieves a list of files from the file system. +type FSScanner interface { + // GetFiles returns the list of monitored files. + // The keys of the map are the paths to the files and + // the values are the FileInfos describing the file. + GetFiles() map[string]os.FileInfo +} + +// FSWatcher returns file events of the monitored files. +type FSWatcher interface { + // Run is the event loop which watchers for changes + // in the file system and returns events based on the data. + Run(unison.Canceler) + // Event returns the next event captured by FSWatcher. + Event() FSEvent +} diff --git a/filebeat/input/filestream/internal/input-logfile/harvester.go b/filebeat/input/filestream/internal/input-logfile/harvester.go new file mode 100644 index 000000000000..d2f184cac7b1 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/harvester.go @@ -0,0 +1,125 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "fmt" + "runtime/debug" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +// Harvester is the reader which collects the lines from +// the configured source. +type Harvester interface { + // Name returns the type of the Harvester + Name() string + // Test checks if the Harvester can be started with the given configuration. + Test(Source, input.TestContext) error + // Run is the event loop which reads from the source + // and forwards it to the publisher. + Run(input.Context, Source, Cursor, Publisher) error +} + +// HarvesterGroup is responsible for running the +// Harvesters started by the Prospector. +type HarvesterGroup struct { + manager *InputManager + readers map[string]context.CancelFunc + pipeline beat.PipelineConnector + harvester Harvester + cleanTimeout time.Duration + store *store + tg unison.TaskGroup +} + +// Run starts the Harvester for a Source. +func (hg *HarvesterGroup) Run(ctx input.Context, s Source) error { + log := ctx.Logger.With("source", s.Name()) + log.Debug("Starting harvester for file") + + harvesterCtx, cancelHarvester := context.WithCancel(ctxtool.FromCanceller(ctx.Cancelation)) + ctx.Cancelation = harvesterCtx + + resource, err := hg.manager.lock(ctx, s.Name()) + if err != nil { + cancelHarvester() + return err + } + + if _, ok := hg.readers[s.Name()]; ok { + cancelHarvester() + log.Debug("A harvester is already running for file") + return nil + } + hg.readers[s.Name()] = cancelHarvester + + hg.store.UpdateTTL(resource, hg.cleanTimeout) + + client, err := hg.pipeline.ConnectWith(beat.ClientConfig{ + CloseRef: ctx.Cancelation, + ACKHandler: newInputACKHandler(ctx.Logger), + }) + if err != nil { + cancelHarvester() + return err + } + + cursor := makeCursor(hg.store, resource) + publisher := &cursorPublisher{canceler: ctx.Cancelation, client: client, cursor: &cursor} + + go func(cancel context.CancelFunc) { + defer client.Close() + defer log.Debug("Stopped harvester for file") + defer cancel() + defer releaseResource(resource) + defer delete(hg.readers, s.Name()) + + defer func() { + if v := recover(); v != nil { + err := fmt.Errorf("harvester panic with: %+v\n%s", v, debug.Stack()) + ctx.Logger.Errorf("Harvester crashed with: %+v", err) + } + }() + + err := hg.harvester.Run(ctx, s, cursor, publisher) + if err != nil { + log.Errorf("Harvester stopped: %v", err) + } + }(cancelHarvester) + return nil +} + +// Cancel stops the running Harvester for a given Source. +func (hg *HarvesterGroup) Cancel(s Source) error { + if cancel, ok := hg.readers[s.Name()]; ok { + cancel() + return nil + } + return fmt.Errorf("no such harvester %s", s.Name()) +} + +func releaseResource(resource *resource) { + resource.lock.Unlock() + resource.Release() +} diff --git a/filebeat/input/filestream/internal/input-logfile/input.go b/filebeat/input/filestream/internal/input-logfile/input.go new file mode 100644 index 000000000000..7084315b0c15 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/input.go @@ -0,0 +1,106 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/acker" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +type managedInput struct { + manager *InputManager + prospector Prospector + harvester Harvester + cleanTimeout time.Duration +} + +// Name is required to implement the v2.Input interface +func (inp *managedInput) Name() string { return inp.harvester.Name() } + +// Test runs the Test method for each configured source. +func (inp *managedInput) Test(ctx input.TestContext) error { + return inp.prospector.Test() +} + +// Run +func (inp *managedInput) Run( + ctx input.Context, + pipeline beat.PipelineConnector, +) (err error) { + // Setup cancellation using a custom cancel context. All workers will be + // stopped if one failed badly by returning an error. + cancelCtx, cancel := context.WithCancel(ctxtool.FromCanceller(ctx.Cancelation)) + defer cancel() + ctx.Cancelation = cancelCtx + + store := inp.manager.store + store.Retain() + defer store.Release() + + hg := &HarvesterGroup{ + pipeline: pipeline, + readers: make(map[string]context.CancelFunc), + manager: inp.manager, + cleanTimeout: inp.cleanTimeout, + harvester: inp.harvester, + store: store, + tg: unison.TaskGroup{}, + } + + stateStore, err := inp.manager.StateStore.Access() + if err != nil { + return err + } + defer stateStore.Close() + + inp.prospector.Run(ctx, stateStore, hg) + + return nil +} + +func newInputACKHandler(log *logp.Logger) beat.ACKer { + return acker.EventPrivateReporter(func(acked int, private []interface{}) { + var n uint + var last int + for i := 0; i < len(private); i++ { + current := private[i] + if current == nil { + continue + } + + if _, ok := current.(*updateOp); !ok { + continue + } + + n++ + last = i + } + + if n == 0 { + return + } + private[last].(*updateOp).Execute(n) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/manager.go b/filebeat/input/filestream/internal/input-logfile/manager.go new file mode 100644 index 000000000000..db3c600d2bc7 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/manager.go @@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "errors" + "sync" + "time" + + "github.com/urso/sderr" + + "github.com/elastic/go-concert/unison" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// InputManager is used to create, manage, and coordinate stateful inputs and +// their persistent state. +// The InputManager ensures that only one input can be active for a unique source. +// If two inputs have overlapping sources, both can still collect data, but +// only one input will collect from the common source. +// +// The InputManager automatically cleans up old entries without an active +// input, and without any pending update operations for the persistent store. +// +// The Type field is used to create the key name in the persistent store. Users +// are allowed to add a custome per input configuration ID using the `id` +// setting, to collect the same source multiple times, but with different +// state. The key name in the persistent store becomes -[]- +type InputManager struct { + Logger *logp.Logger + + // StateStore gives the InputManager access to the persitent key value store. + StateStore StateStore + + // Type must contain the name of the input type. It is used to create the key name + // for all sources the inputs collect from. + Type string + + // DefaultCleanTimeout configures the key/value garbage collection interval. + // The InputManager will only collect keys for the configured 'Type' + DefaultCleanTimeout time.Duration + + // Configure returns an array of Sources, and a configured Input instances + // that will be used to collect events from each source. + Configure func(cfg *common.Config) (Prospector, Harvester, error) + + initOnce sync.Once + initErr error + store *store +} + +// Source describe a source the input can collect data from. +// The `Name` method must return an unique name, that will be used to identify +// the source in the persistent state store. +type Source interface { + Name() string +} + +var errNoSourceConfigured = errors.New("no source has been configured") +var errNoInputRunner = errors.New("no input runner available") + +// StateStore interface and configurations used to give the Manager access to the persistent store. +type StateStore interface { + Access() (*statestore.Store, error) + CleanupInterval() time.Duration +} + +func (cim *InputManager) init() error { + cim.initOnce.Do(func() { + if cim.DefaultCleanTimeout <= 0 { + cim.DefaultCleanTimeout = 30 * time.Minute + } + + log := cim.Logger.With("input_type", cim.Type) + var store *store + store, cim.initErr = openStore(log, cim.StateStore, cim.Type) + if cim.initErr != nil { + return + } + + cim.store = store + }) + + return cim.initErr +} + +// Init starts background processes for deleting old entries from the +// persistent store if mode is ModeRun. +func (cim *InputManager) Init(group unison.Group, mode v2.Mode) error { + if mode != v2.ModeRun { + return nil + } + + if err := cim.init(); err != nil { + return err + } + + log := cim.Logger.With("input_type", cim.Type) + + store := cim.store + cleaner := &cleaner{log: log} + store.Retain() + err := group.Go(func(canceler unison.Canceler) error { + defer cim.shutdown() + defer store.Release() + interval := cim.StateStore.CleanupInterval() + if interval <= 0 { + interval = 5 * time.Minute + } + cleaner.run(canceler, store, interval) + return nil + }) + if err != nil { + store.Release() + cim.shutdown() + return sderr.Wrap(err, "Can not start registry cleanup process") + } + + return nil +} + +func (cim *InputManager) shutdown() { + cim.store.Release() +} + +// Create builds a new v2.Input using the provided Configure function. +// The Input will run a go-routine per source that has been configured. +func (cim *InputManager) Create(config *common.Config) (input.Input, error) { + if err := cim.init(); err != nil { + return nil, err + } + + settings := struct { + ID string `config:"id"` + CleanTimeout time.Duration `config:"clean_timeout"` + }{ID: "", CleanTimeout: cim.DefaultCleanTimeout} + if err := config.Unpack(&settings); err != nil { + return nil, err + } + + prospector, harvester, err := cim.Configure(config) + if err != nil { + return nil, err + } + if harvester == nil { + return nil, errNoInputRunner + } + + return &managedInput{ + manager: cim, + prospector: prospector, + harvester: harvester, + cleanTimeout: settings.CleanTimeout, + }, nil +} + +// Lock locks a key for exclusive access and returns an resource that can be used to modify +// the cursor state and unlock the key. +func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) { + resource := cim.store.Get(key) + err := lockResource(ctx.Logger, resource, ctx.Cancelation) + if err != nil { + resource.Release() + return nil, err + } + return resource, nil +} + +func lockResource(log *logp.Logger, resource *resource, canceler input.Canceler) error { + if !resource.lock.TryLock() { + log.Infof("Resource '%v' currently in use, waiting...", resource.key) + err := resource.lock.LockContext(canceler) + if err != nil { + log.Infof("Input for resource '%v' has been stopped while waiting", resource.key) + return err + } + } + return nil +} diff --git a/filebeat/input/filestream/internal/input-logfile/prospector.go b/filebeat/input/filestream/internal/input-logfile/prospector.go new file mode 100644 index 000000000000..9488596eb2c7 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/prospector.go @@ -0,0 +1,35 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// Prospector is responsible for starting, stopping harvesters +// based on the retrieved information about the configured paths. +// It also updates the statestore with the meta data of the running harvesters. +type Prospector interface { + // Run starts the event loop and handles the incoming events + // either by starting/stopping a harvester, or updating the statestore. + Run(input.Context, *statestore.Store, *HarvesterGroup) + // Test checks if the Prospector is able to run the configuration + // specified by the user. + Test() error +} diff --git a/filebeat/input/filestream/internal/input-logfile/publish.go b/filebeat/input/filestream/internal/input-logfile/publish.go new file mode 100644 index 000000000000..547a82c479f2 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/publish.go @@ -0,0 +1,153 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// Publisher is used to publish an event and update the cursor in a single call to Publish. +// Inputs are allowed to pass `nil` as cursor state. In this case the state is not updated, but the +// event will still be published as is. +type Publisher interface { + Publish(event beat.Event, cursor interface{}) error +} + +// cursorPublisher implements the Publisher interface and used internally by the managedInput. +// When publishing an event with cursor state updates, the cursorPublisher +// updates the in memory state and create an updateOp that is used to schedule +// an update for the persistent store. The updateOp is run by the inputs ACK +// handler, persisting the pending update. +type cursorPublisher struct { + canceler input.Canceler + client beat.Client + cursor *Cursor +} + +// updateOp keeps track of pending updates that are not written to the persistent store yet. +// Update operations are ordered. The input manager guarantees that only one +// input can create update operation for a source, such that new input +// instances can add update operations to be executed after already pending +// update operations from older inputs instances that have been shutdown. +type updateOp struct { + store *store + resource *resource + + // state updates to persist + timestamp time.Time + ttl time.Duration + delta interface{} +} + +// Publish publishes an event. Publish returns false if the inputs cancellation context has been marked as done. +// If cursorUpdate is not nil, Publish updates the in memory state and create and updateOp for the pending update. +// It overwrite event.Private with the update operation, before finally sending the event. +// The ACK ordering in the publisher pipeline guarantees that update operations +// will be ACKed and executed in the correct order. +func (c *cursorPublisher) Publish(event beat.Event, cursorUpdate interface{}) error { + if cursorUpdate == nil { + return c.forward(event) + } + + op, err := createUpdateOp(c.cursor.store, c.cursor.resource, cursorUpdate) + if err != nil { + return err + } + + event.Private = op + return c.forward(event) +} + +func (c *cursorPublisher) forward(event beat.Event) error { + c.client.Publish(event) + if c.canceler == nil { + return nil + } + return c.canceler.Err() +} + +func createUpdateOp(store *store, resource *resource, updates interface{}) (*updateOp, error) { + ts := time.Now() + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + cursor := resource.pendingCursor + if resource.activeCursorOperations == 0 { + var tmp interface{} + typeconv.Convert(&tmp, cursor) + resource.pendingCursor = tmp + cursor = tmp + } + if err := typeconv.Convert(&cursor, updates); err != nil { + return nil, err + } + resource.pendingCursor = cursor + + resource.Retain() + resource.activeCursorOperations++ + return &updateOp{ + resource: resource, + store: store, + timestamp: ts, + delta: updates, + }, nil +} + +// done releases resources held by the last N updateOps. +func (op *updateOp) done(n uint) { + op.resource.UpdatesReleaseN(n) + op.resource = nil + *op = updateOp{} +} + +// Execute updates the persistent store with the scheduled changes and releases the resource. +func (op *updateOp) Execute(n uint) { + resource := op.resource + defer op.done(n) + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + resource.activeCursorOperations -= n + if resource.activeCursorOperations == 0 { + resource.cursor = resource.pendingCursor + resource.pendingCursor = nil + } else { + typeconv.Convert(&resource.cursor, op.delta) + } + + if resource.internalState.Updated.Before(op.timestamp) { + resource.internalState.Updated = op.timestamp + } + + err := op.store.persistentStore.Set(resource.key, resource.inSyncStateSnapshot()) + if err != nil { + if !statestore.IsClosed(err) { + op.store.log.Errorf("Failed to update state in the registry for '%v'", resource.key) + } + } else { + resource.internalInSync = true + resource.stored = true + } +} diff --git a/filebeat/input/filestream/internal/input-logfile/publish_test.go b/filebeat/input/filestream/internal/input-logfile/publish_test.go new file mode 100644 index 000000000000..ede25670a953 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/publish_test.go @@ -0,0 +1,158 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + pubtest "github.com/elastic/beats/v7/libbeat/publisher/testing" +) + +func TestPublish(t *testing.T) { + t.Run("event with cursor state creates update operation", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + var actual beat.Event + client := &pubtest.FakeClient{ + PublishFunc: func(event beat.Event) { actual = event }, + } + publisher := cursorPublisher{nil, client, &cursor} + publisher.Publish(beat.Event{}, "test") + + require.NotNil(t, actual.Private) + }) + + t.Run("event without cursor creates no update operation", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + var actual beat.Event + client := &pubtest.FakeClient{ + PublishFunc: func(event beat.Event) { actual = event }, + } + publisher := cursorPublisher{nil, client, &cursor} + publisher.Publish(beat.Event{}, nil) + require.Nil(t, actual.Private) + }) + + t.Run("publish returns error if context has been cancelled", func(t *testing.T) { + ctx, cancel := context.WithCancel(context.TODO()) + cancel() + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + publisher := cursorPublisher{ctx, &pubtest.FakeClient{}, &cursor} + err := publisher.Publish(beat.Event{}, nil) + require.Equal(t, context.Canceled, err) + }) +} + +func TestOp_Execute(t *testing.T) { + t.Run("applying final op marks the key as finished", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create op and release resource. The 'resource' must still be active + op := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state") + res.Release() + require.False(t, res.Finished()) + + // this was the last op, the resource should become inactive + op.Execute(1) + require.True(t, res.Finished()) + + // validate state: + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + want := "test-updated-cursor-state" + assert.Equal(t, want, inSyncCursor) + assert.Equal(t, want, inMemCursor) + }) + + t.Run("acking multiple ops applies the latest update and marks key as finished", func(t *testing.T) { + // when acking N events, intermediate updates are dropped in favor of the latest update operation. + // This test checks that the resource is correctly marked as finished. + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create update operations and release resource. The 'resource' must still be active + mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-dropped") + op := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-final") + res.Release() + require.False(t, res.Finished()) + + // this was the last op, the resource should become inactive + op.Execute(2) + require.True(t, res.Finished()) + + // validate state: + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + want := "test-updated-cursor-state-final" + assert.Equal(t, want, inSyncCursor) + assert.Equal(t, want, inMemCursor) + }) + + t.Run("ACK only subset of pending ops will only update up to ACKed state", func(t *testing.T) { + // when acking N events, intermediate updates are dropped in favor of the latest update operation. + // This test checks that the resource is correctly marked as finished. + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create update operations and release resource. The 'resource' must still be active + op1 := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-intermediate") + op2 := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-final") + res.Release() + require.False(t, res.Finished()) + + defer op2.done(1) // cleanup after test + + // this was the intermediate op, the resource should still be active + op1.Execute(1) + require.False(t, res.Finished()) + + // validate state (in memory state is always up to data to most recent update): + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + assert.Equal(t, "test-updated-cursor-state-intermediate", inSyncCursor) + assert.Equal(t, "test-updated-cursor-state-final", inMemCursor) + }) +} + +func mustCreateUpdateOp(t *testing.T, store *store, resource *resource, updates interface{}) *updateOp { + op, err := createUpdateOp(store, resource, updates) + if err != nil { + t.Fatalf("Failed to create update op: %v", err) + } + return op +} diff --git a/filebeat/input/filestream/internal/input-logfile/store.go b/filebeat/input/filestream/internal/input-logfile/store.go new file mode 100644 index 000000000000..8267565f5514 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/store.go @@ -0,0 +1,324 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "strings" + "sync" + "time" + + "github.com/elastic/beats/v7/libbeat/common/atomic" + "github.com/elastic/beats/v7/libbeat/common/cleanup" + "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/go-concert" + "github.com/elastic/go-concert/unison" +) + +// store encapsulates the persistent store and the in memory state store, that +// can be ahead of the the persistent store. +// The store lifetime is managed by a reference counter. Once all owners (the +// session, and the resource cleaner) have dropped ownership, backing resources +// will be released and closed. +type store struct { + log *logp.Logger + refCount concert.RefCount + persistentStore *statestore.Store + ephemeralStore *states +} + +// states stores resource states in memory. When a cursor for an input is updated, +// it's state is updated first. The entry in the persistent store 'follows' the internal state. +// As long as a resources stored in states is not 'Finished', the in memory +// store is assumed to be ahead (in memory and persistent state are out of +// sync). +type states struct { + mu sync.Mutex + table map[string]*resource +} + +// resource holds the in memory state and keeps track of pending updates and inputs collecting +// event for the resource its key. +// A resource is assumed active for as long as at least one input has (or tries +// to) acuired the lock, and as long as there are pending updateOp instances in +// the pipeline not ACKed yet. The key can not gc'ed by the cleaner, as long as the resource is active. +// +// State chagnes and writes to the persistent store are protected using the +// stateMutex, to ensure full consistency between direct writes and updates +// after ACK. +type resource struct { + // pending counts the number of Inputs and outstanding registry updates. + // as long as pending is > 0 the resource is in used and must not be garbage collected. + pending atomic.Uint64 + + // lock guarantees only one input create updates for this entry + lock unison.Mutex + + // key of the resource as used for the registry. + key string + + // stateMutex is used to lock the resource when it is update/read from + // multiple go-routines like the ACK handler or the input publishing an + // event. + // stateMutex is used to access the fields 'stored', 'state' and 'internalInSync' + stateMutex sync.Mutex + + // stored indicates that the state is available in the registry file. It is false for new entries. + stored bool + + // internalInSync is true if all 'Internal' metadata like TTL or update timestamp are in sync. + // Normally resources are added when being created. But if operations failed we will retry inserting + // them on each update operation until we eventually succeeded + internalInSync bool + + activeCursorOperations uint + internalState stateInternal + + // cursor states. The cursor holds the state as it is currently known to the + // persistent store, while pendingCursor contains the most recent update + // (in-memory state), that still needs to be synced to the persistent store. + // The pendingCursor is nil if there are no pending updates. + // When processing update operations on ACKs, the state is applied to cursor + // first, which is finally written to the persistent store. This ensures that + // we always write the complete state of the key/value pair. + cursor interface{} + pendingCursor interface{} +} + +type ( + // state represents the full document as it is stored in the registry. + // + // The TTL and Update fields are for internal use only. + // + // The `Cursor` namespace is used to store the cursor information that are + // required to continue processing from the last known position. Cursor + // updates in the registry file are only executed after events have been + // ACKed by the outputs. Therefore the cursor MUST NOT include any + // information that are require to identify/track the source we are + // collecting from. + state struct { + TTL time.Duration + Updated time.Time + Cursor interface{} + } + + stateInternal struct { + TTL time.Duration + Updated time.Time + } +) + +// hook into store close for testing purposes +var closeStore = (*store).close + +func openStore(log *logp.Logger, statestore StateStore, prefix string) (*store, error) { + ok := false + + persistentStore, err := statestore.Access() + if err != nil { + return nil, err + } + defer cleanup.IfNot(&ok, func() { persistentStore.Close() }) + + states, err := readStates(log, persistentStore, prefix) + if err != nil { + return nil, err + } + + ok = true + return &store{ + log: log, + persistentStore: persistentStore, + ephemeralStore: states, + }, nil +} + +func (s *store) Retain() { s.refCount.Retain() } +func (s *store) Release() { + if s.refCount.Release() { + closeStore(s) + } +} + +func (s *store) close() { + if err := s.persistentStore.Close(); err != nil { + s.log.Errorf("Closing registry store did report an error: %+v", err) + } +} + +// Get returns the resource for the key. +// A new shared resource is generated if the key is not known. The generated +// resource is not synced to disk yet. +func (s *store) Get(key string) *resource { + return s.ephemeralStore.Find(key, true) +} + +// UpdateTTL updates the time-to-live of a resource. Inactive resources with expired TTL are subject to removal. +// The TTL value is part of the internal state, and will be written immediately to the persistent store. +// On update the resource its `cursor` state is used, to keep the cursor state in sync with the current known +// on disk store state. +func (s *store) UpdateTTL(resource *resource, ttl time.Duration) { + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + if resource.stored && resource.internalState.TTL == ttl { + return + } + + resource.internalState.TTL = ttl + if resource.internalState.Updated.IsZero() { + resource.internalState.Updated = time.Now() + } + + err := s.persistentStore.Set(resource.key, state{ + TTL: resource.internalState.TTL, + Updated: resource.internalState.Updated, + Cursor: resource.cursor, + }) + if err != nil { + s.log.Errorf("Failed to update resource management fields for '%v'", resource.key) + resource.internalInSync = false + } else { + resource.stored = true + resource.internalInSync = true + } +} + +// Find returns the resource for a given key. If the key is unknown and create is set to false nil will be returned. +// The resource returned by Find is marked as active. (*resource).Release must be called to mark the resource as inactive again. +func (s *states) Find(key string, create bool) *resource { + s.mu.Lock() + defer s.mu.Unlock() + + if resource := s.table[key]; resource != nil { + resource.Retain() + return resource + } + + if !create { + return nil + } + + // resource is owned by table(session) and input that uses the resource. + resource := &resource{ + stored: false, + key: key, + lock: unison.MakeMutex(), + } + s.table[key] = resource + resource.Retain() + return resource +} + +// IsNew returns true if we have no state recorded for the current resource. +func (r *resource) IsNew() bool { + r.stateMutex.Lock() + defer r.stateMutex.Unlock() + return r.pendingCursor == nil && r.cursor == nil +} + +// Retain is used to indicate that 'resource' gets an additional 'owner'. +// Owners of an resource can be active inputs or pending update operations +// not yet written to disk. +func (r *resource) Retain() { r.pending.Inc() } + +// Release reduced the owner ship counter of the resource. +func (r *resource) Release() { r.pending.Dec() } + +// UpdatesReleaseN is used to release ownership of N pending update operations. +func (r *resource) UpdatesReleaseN(n uint) { + r.pending.Sub(uint64(n)) +} + +// Finished returns true if the resource is not in use and if there are no pending updates +// that still need to be written to the registry. +func (r *resource) Finished() bool { return r.pending.Load() == 0 } + +// UnpackCursor deserializes the in memory state. +func (r *resource) UnpackCursor(to interface{}) error { + r.stateMutex.Lock() + defer r.stateMutex.Unlock() + if r.activeCursorOperations == 0 { + return typeconv.Convert(to, r.cursor) + } + return typeconv.Convert(to, r.pendingCursor) +} + +// syncStateSnapshot returns the current insync state based on already ACKed update operations. +func (r *resource) inSyncStateSnapshot() state { + return state{ + TTL: r.internalState.TTL, + Updated: r.internalState.Updated, + Cursor: r.cursor, + } +} + +// stateSnapshot returns the current in memory state, that already contains state updates +// not yet ACKed. +func (r *resource) stateSnapshot() state { + cursor := r.pendingCursor + if r.activeCursorOperations == 0 { + cursor = r.cursor + } + + return state{ + TTL: r.internalState.TTL, + Updated: r.internalState.Updated, + Cursor: cursor, + } +} + +func readStates(log *logp.Logger, store *statestore.Store, prefix string) (*states, error) { + keyPrefix := prefix + "::" + states := &states{ + table: map[string]*resource{}, + } + + err := store.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + if !strings.HasPrefix(string(key), keyPrefix) { + return true, nil + } + + var st state + if err := dec.Decode(&st); err != nil { + log.Errorf("Failed to read regisry state for '%v', cursor state will be ignored. Error was: %+v", + key, err) + return true, nil + } + + resource := &resource{ + key: key, + stored: true, + lock: unison.MakeMutex(), + internalInSync: true, + internalState: stateInternal{ + TTL: st.TTL, + Updated: st.Updated, + }, + cursor: st.Cursor, + } + states.table[resource.key] = resource + + return true, nil + }) + + if err != nil { + return nil, err + } + return states, nil +} diff --git a/filebeat/input/filestream/internal/input-logfile/store_test.go b/filebeat/input/filestream/internal/input-logfile/store_test.go new file mode 100644 index 000000000000..71ea41298b2a --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/store_test.go @@ -0,0 +1,351 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "errors" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/beats/v7/libbeat/statestore/storetest" +) + +type testStateStore struct { + Store *statestore.Store + GCPeriod time.Duration +} + +func TestStore_OpenClose(t *testing.T) { + t.Run("releasing store closes", func(t *testing.T) { + var closed bool + cleanup := closeStoreWith(func(s *store) { + closed = true + s.close() + }) + defer cleanup() + + store := testOpenStore(t, "test", nil) + store.Release() + + require.True(t, closed) + }) + + t.Run("fail if persistent store can not be accessed", func(t *testing.T) { + _, err := openStore(logp.NewLogger("test"), testStateStore{}, "test") + require.Error(t, err) + }) + + t.Run("load from empty", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + require.Equal(t, 0, len(storeMemorySnapshot(store))) + require.Equal(t, 0, len(storeInSyncSnapshot(store))) + }) + + t.Run("already available state is loaded", func(t *testing.T) { + states := map[string]state{ + "test::key0": {Cursor: "1"}, + "test::key1": {Cursor: "2"}, + } + + store := testOpenStore(t, "test", createSampleStore(t, states)) + defer store.Release() + + checkEqualStoreState(t, states, storeMemorySnapshot(store)) + checkEqualStoreState(t, states, storeInSyncSnapshot(store)) + }) + + t.Run("ignore entries with wrong index on open", func(t *testing.T) { + states := map[string]state{ + "test::key0": {Cursor: "1"}, + "other::key": {Cursor: "2"}, + } + + store := testOpenStore(t, "test", createSampleStore(t, states)) + defer store.Release() + + want := map[string]state{ + "test::key0": {Cursor: "1"}, + } + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) +} + +func TestStore_Get(t *testing.T) { + t.Run("find existing resource", func(t *testing.T) { + cursorState := state{Cursor: "1"} + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key0": cursorState, + })) + defer store.Release() + + res := store.Get("test::key0") + require.NotNil(t, res) + defer res.Release() + + // check in memory state matches matches original persistent state + require.Equal(t, cursorState, res.stateSnapshot()) + // check assumed in-sync state matches matches original persistent state + require.Equal(t, cursorState, res.inSyncStateSnapshot()) + }) + + t.Run("access unknown resource", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res := store.Get("test::key") + require.NotNil(t, res) + defer res.Release() + + // new resource has empty state + require.Equal(t, state{}, res.stateSnapshot()) + }) + + t.Run("same resource is returned", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res1 := store.Get("test::key") + require.NotNil(t, res1) + defer res1.Release() + + res2 := store.Get("test::key") + require.NotNil(t, res2) + defer res2.Release() + + assert.Equal(t, res1, res2) + }) +} + +func TestStore_UpdateTTL(t *testing.T) { + t.Run("add TTL for new entry to store", func(t *testing.T) { + // when creating a resource we set the TTL and insert a new key value pair without cursor value into the store: + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res := store.Get("test::key") + store.UpdateTTL(res, 60*time.Second) + + want := map[string]state{ + "test::key": { + TTL: 60 * time.Second, + Updated: res.internalState.Updated, + Cursor: nil, + }, + } + + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) + + t.Run("update TTL for in-sync resource does not overwrite state", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": { + TTL: 1 * time.Second, + Cursor: "test", + }, + })) + defer store.Release() + + res := store.Get("test::key") + store.UpdateTTL(res, 60*time.Second) + want := map[string]state{ + "test::key": { + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test", + }, + } + + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) + + t.Run("update TTL for resource with pending updates", func(t *testing.T) { + // This test updates the resource TTL while update operations are still + // pending, but not synced to the persistent store yet. + // UpdateTTL changes the state in the persistent store immediately, and must therefore + // serialize the old in-sync state with update meta-data. + + // create store + backend := createSampleStore(t, map[string]state{ + "test::key": { + TTL: 1 * time.Second, + Cursor: "test", + }, + }) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // create pending update operation + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + // Update key/value pair TTL. This will update the internal state in the + // persistent store only, not modifying the old cursor state yet. + store.UpdateTTL(res, 60*time.Second) + + // validate + wantMemoryState := state{ + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test-state-update", + } + wantInSyncState := state{ + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test", + } + + checkEqualStoreState(t, map[string]state{"test::key": wantMemoryState}, storeMemorySnapshot(store)) + checkEqualStoreState(t, map[string]state{"test::key": wantInSyncState}, storeInSyncSnapshot(store)) + checkEqualStoreState(t, map[string]state{"test::key": wantInSyncState}, backend.snapshot()) + }) +} + +func closeStoreWith(fn func(s *store)) func() { + old := closeStore + closeStore = fn + return func() { + closeStore = old + } +} + +func testOpenStore(t *testing.T, prefix string, persistentStore StateStore) *store { + if persistentStore == nil { + persistentStore = createSampleStore(t, nil) + } + + store, err := openStore(logp.NewLogger("test"), persistentStore, prefix) + if err != nil { + t.Fatalf("failed to open the store") + } + return store +} + +func createSampleStore(t *testing.T, data map[string]state) testStateStore { + storeReg := statestore.NewRegistry(storetest.NewMemoryStoreBackend()) + store, err := storeReg.Get("test") + if err != nil { + t.Fatalf("Failed to access store: %v", err) + } + + for k, v := range data { + if err := store.Set(k, v); err != nil { + t.Fatalf("Error when populating the sample store: %v", err) + } + } + + return testStateStore{ + Store: store, + } +} + +func (ts testStateStore) WithGCPeriod(d time.Duration) testStateStore { ts.GCPeriod = d; return ts } +func (ts testStateStore) CleanupInterval() time.Duration { return ts.GCPeriod } +func (ts testStateStore) Access() (*statestore.Store, error) { + if ts.Store == nil { + return nil, errors.New("no store configured") + } + return ts.Store, nil +} + +// snapshot copies all key/value pairs from the persistent store into a table for inspection. +func (ts testStateStore) snapshot() map[string]state { + states := map[string]state{} + err := ts.Store.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + var st state + if err := dec.Decode(&st); err != nil { + return false, err + } + states[key] = st + return true, nil + }) + + if err != nil { + panic("unexpected decode error from persistent test store") + } + return states +} + +// storeMemorySnapshot copies all key/value pairs into a table for inspection. +// The state returned reflects the in memory state, which can be ahead of the +// persistent state. +// +// Note: The state returned by storeMemorySnapshot is always ahead of the state returned by storeInSyncSnapshot. +// All key value pairs are fully in-sync, if both snapshot functions return the same state. +func storeMemorySnapshot(store *store) map[string]state { + store.ephemeralStore.mu.Lock() + defer store.ephemeralStore.mu.Unlock() + + states := map[string]state{} + for k, res := range store.ephemeralStore.table { + states[k] = res.stateSnapshot() + } + return states +} + +// storeInSyncSnapshot copies all key/value pairs into the table for inspection. +// The state returned reflects the current state that the in-memory tables assumed to be +// written to the persistent store already. + +// Note: The state returned by storeMemorySnapshot is always ahead of the state returned by storeInSyncSnapshot. +// All key value pairs are fully in-sync, if both snapshot functions return the same state. +func storeInSyncSnapshot(store *store) map[string]state { + store.ephemeralStore.mu.Lock() + defer store.ephemeralStore.mu.Unlock() + + states := map[string]state{} + for k, res := range store.ephemeralStore.table { + states[k] = res.inSyncStateSnapshot() + } + return states +} + +// checkEqualStoreState compares 2 store snapshot tables for equality. The test +// fails with Errorf if the state differ. +// +// Note: testify is too strict when comparing timestamp, better use checkEqualStoreState. +func checkEqualStoreState(t *testing.T, want, got map[string]state) bool { + if d := cmp.Diff(want, got); d != "" { + t.Errorf("store state mismatch (-want +got):\n%s", d) + return false + } + return true +} + +// requireEqualStoreState compares 2 store snapshot tables for equality. The test +// fails with Fatalf if the state differ. +// +// Note: testify is too strict when comparing timestamp, better use checkEqualStoreState. +func requireEqualStoreState(t *testing.T, want, got map[string]state) bool { + if d := cmp.Diff(want, got); d != "" { + t.Fatalf("store state mismatch (-want +got):\n%s", d) + return false + } + return true +} diff --git a/filebeat/input/filestream/prospector.go b/filebeat/input/filestream/prospector.go new file mode 100644 index 000000000000..257574b9ca1a --- /dev/null +++ b/filebeat/input/filestream/prospector.go @@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// fileProspector implements the Prospector interface. +// It contains a file scanner which returns file system events. +// The FS events then trigger either new Harvester runs or updates +// the statestore. +type fileProspector struct{} + +func (p *fileProspector) Run(ctx input.Context, s *statestore.Store, hg *loginp.HarvesterGroup) { + panic("TODO: implement me") +} + +func (p *fileProspector) Test() error { + panic("TODO: implement me") +} From b2244e1b2473b862de540720e28c4747a7ab3cca Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 1 Oct 2020 09:43:21 +0100 Subject: [PATCH 07/18] [JJBB] Use reference repo for fast checkouts (#21410) --- .ci/jobs/beats.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 3e4c8e509809..6f59a9bcdf8e 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -53,6 +53,7 @@ recursive: true parent-credentials: true timeout: 100 + reference-repo: /var/lib/jenkins/.git-references/beats.git timeout: '15' use-author: true wipe-workspace: true From 514809a13cd078be71c0bccac03dccc0cc81f0e9 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Thu, 1 Oct 2020 12:03:48 +0100 Subject: [PATCH 08/18] Revert "[JJBB] Set shallow cloning to 10 (#21409)" (#21447) This reverts commit cadd5ff70e679f76e41f32daa1d56734ddf3ae8c. --- .ci/jobs/apm-beats-update.yml | 2 +- .ci/jobs/beats-tester.yml | 2 +- .ci/jobs/beats-windows-mbp.yml | 2 +- .ci/jobs/beats.yml | 2 +- .ci/jobs/golang-crossbuild-mbp.yml | 2 +- .ci/jobs/packaging.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.ci/jobs/apm-beats-update.yml b/.ci/jobs/apm-beats-update.yml index 2ae688ffab77..8bdc322f65a7 100644 --- a/.ci/jobs/apm-beats-update.yml +++ b/.ci/jobs/apm-beats-update.yml @@ -48,7 +48,7 @@ before: true prune: true shallow-clone: true - depth: 10 + depth: 3 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/beats-tester.yml b/.ci/jobs/beats-tester.yml index 808123a225e9..522abfa5e5c4 100644 --- a/.ci/jobs/beats-tester.yml +++ b/.ci/jobs/beats-tester.yml @@ -44,7 +44,7 @@ before: true prune: true shallow-clone: true - depth: 10 + depth: 3 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/beats-windows-mbp.yml b/.ci/jobs/beats-windows-mbp.yml index 7ea26c9ba18f..64efa009979b 100644 --- a/.ci/jobs/beats-windows-mbp.yml +++ b/.ci/jobs/beats-windows-mbp.yml @@ -44,7 +44,7 @@ before: true prune: true shallow-clone: true - depth: 10 + depth: 4 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 6f59a9bcdf8e..b075d8bbdf24 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -46,7 +46,7 @@ before: true prune: true shallow-clone: true - depth: 10 + depth: 3 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/golang-crossbuild-mbp.yml b/.ci/jobs/golang-crossbuild-mbp.yml index 45175d169f69..46303790610f 100644 --- a/.ci/jobs/golang-crossbuild-mbp.yml +++ b/.ci/jobs/golang-crossbuild-mbp.yml @@ -31,7 +31,7 @@ before: true prune: true shallow-clone: true - depth: 10 + depth: 4 do-not-fetch-tags: true submodule: disable: false diff --git a/.ci/jobs/packaging.yml b/.ci/jobs/packaging.yml index fd6fb9f90c6b..0dce4d4672b8 100644 --- a/.ci/jobs/packaging.yml +++ b/.ci/jobs/packaging.yml @@ -44,7 +44,7 @@ before: true prune: true shallow-clone: true - depth: 10 + depth: 3 do-not-fetch-tags: true submodule: disable: false From 075696e6a142762600cd74a1aa1daa749f8af41e Mon Sep 17 00:00:00 2001 From: Michal Pristas Date: Thu, 1 Oct 2020 18:04:11 +0200 Subject: [PATCH 09/18] [Ingest Manager] Send snapshot flag together with metadata (#21285) [Ingest Manager] Send snapshot flag together with metadata (#21285) --- .../agent/application/info/agent_metadata.go | 16 +++++++-- .../pkg/agent/application/upgrade/upgrade.go | 36 +++++++++---------- x-pack/elastic-agent/pkg/release/upgrade.go | 4 +-- x-pack/elastic-agent/pkg/release/version.go | 2 +- 4 files changed, 35 insertions(+), 23 deletions(-) diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go index c98f9b8e0154..c5712646cfb3 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go @@ -10,6 +10,7 @@ import ( "runtime" "strings" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" "github.com/elastic/go-sysinfo" "github.com/elastic/go-sysinfo/types" @@ -33,6 +34,12 @@ type AgentECSMeta struct { ID string `json:"id"` // Version specifies current version of an agent. Version string `json:"version"` + // Snapshot is a flag specifying that the agent used is a snapshot build. + Snapshot bool `json:"snapshot"` + // BuildOriginal is an extended build information for the agent. + BuildOriginal string `json:"build.original"` + // Upgradeable is a flag specifying if it is possible for agent to be upgraded. + Upgradeable bool `json:"upgradeable"` } // SystemECSMeta is a collection of operating system metadata in ECS compliant object form. @@ -126,8 +133,13 @@ func (i *AgentInfo) ECSMetadata() (*ECSMeta, error) { return &ECSMeta{ Elastic: &ElasticECSMeta{ Agent: &AgentECSMeta{ - ID: i.agentID, - Version: release.Version(), + ID: i.agentID, + Version: release.Version(), + Snapshot: release.Snapshot(), + BuildOriginal: release.Info().String(), + // only upgradeable if running from Agent installer and running under the + // control of the system supervisor (or built specifically with upgrading enabled) + Upgradeable: release.Upgradeable() || (install.RunningInstalled() && install.RunningUnderSupervisor()), }, }, Host: &HostECSMeta{ diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index de3a577281d7..cac36ef7922a 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -33,12 +33,12 @@ const ( // Upgrader performs an upgrade type Upgrader struct { - settings *artifact.Config - log *logger.Logger - closers []context.CancelFunc - reexec reexecManager - acker acker - upgradable bool + settings *artifact.Config + log *logger.Logger + closers []context.CancelFunc + reexec reexecManager + acker acker + upgradeable bool } type reexecManager interface { @@ -53,23 +53,23 @@ type acker interface { // NewUpgrader creates an upgrader which is capable of performing upgrade operation func NewUpgrader(settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker) *Upgrader { return &Upgrader{ - settings: settings, - log: log, - closers: closers, - reexec: reexec, - acker: a, - upgradable: getUpgradable(), + settings: settings, + log: log, + closers: closers, + reexec: reexec, + acker: a, + upgradeable: getUpgradable(), } } -// Upgradable returns true if the Elastic Agent can be upgraded. -func (u *Upgrader) Upgradable() bool { - return u.upgradable +// Upgradeable returns true if the Elastic Agent can be upgraded. +func (u *Upgrader) Upgradeable() bool { + return u.upgradeable } // Upgrade upgrades running agent func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error { - if !u.upgradable { + if !u.upgradeable { return fmt.Errorf( "cannot be upgraded; must be installed with install sub-command and " + "running under control of the systems supervisor") @@ -164,9 +164,9 @@ func rollbackInstall(hash string) { } func getUpgradable() bool { - // only upgradable if running from Agent installer and running under the + // only upgradeable if running from Agent installer and running under the // control of the system supervisor (or built specifically with upgrading enabled) - return release.Upgradable() || (install.RunningInstalled() && install.RunningUnderSupervisor()) + return release.Upgradeable() || (install.RunningInstalled() && install.RunningUnderSupervisor()) } func copyActionStore(newHash string) error { diff --git a/x-pack/elastic-agent/pkg/release/upgrade.go b/x-pack/elastic-agent/pkg/release/upgrade.go index ac1e8552dd25..2e63eb47ad58 100644 --- a/x-pack/elastic-agent/pkg/release/upgrade.go +++ b/x-pack/elastic-agent/pkg/release/upgrade.go @@ -4,7 +4,7 @@ package release -// Upgradable return true when release is built specifically for upgrading. -func Upgradable() bool { +// Upgradeable return true when release is built specifically for upgrading. +func Upgradeable() bool { return allowUpgrade == "true" } diff --git a/x-pack/elastic-agent/pkg/release/version.go b/x-pack/elastic-agent/pkg/release/version.go index dae609a67334..05f0063afdfb 100644 --- a/x-pack/elastic-agent/pkg/release/version.go +++ b/x-pack/elastic-agent/pkg/release/version.go @@ -76,7 +76,7 @@ func Info() VersionInfo { } // String returns the string format for the version information. -func (v *VersionInfo) String() string { +func (v VersionInfo) String() string { var sb strings.Builder sb.WriteString(v.Version) From 8e9298e222f234f158258e1a0b02d712fd6ff954 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Thu, 1 Oct 2020 11:59:55 -0700 Subject: [PATCH 10/18] Edit SQL module docs and fix broken doc structure (#21233) * Edit SQL module docs and fix broken doc structure * Apply suggestions from code review Co-authored-by: Brandon Morelli * Run make update Co-authored-by: Brandon Morelli --- metricbeat/docs/modules/sql.asciidoc | 102 +++++++++++------- .../metricbeat/module/sql/_meta/docs.asciidoc | 102 +++++++++++------- .../module/sql/query/_meta/docs.asciidoc | 6 +- 3 files changed, 127 insertions(+), 83 deletions(-) diff --git a/metricbeat/docs/modules/sql.asciidoc b/metricbeat/docs/modules/sql.asciidoc index 69726a1fe7df..6e944cf5c13d 100644 --- a/metricbeat/docs/modules/sql.asciidoc +++ b/metricbeat/docs/modules/sql.asciidoc @@ -8,24 +8,45 @@ This file is generated! See scripts/mage/docs_collector.go beta[] -The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The SQL module allows you to execute custom queries against an SQL database and +store the results in {es}. -The currently supported databases are the ones already included in Metricbeat, which are: -- PostgreSQL -- MySQL -- Oracle -- Microsoft SQL -- CockroachDB +This module supports the databases that you can monitor with {metricbeat}, +including: -== Quickstart +* PostgreSQL +* MySQL +* Oracle +* Microsoft SQL +* CockroachDB -You can setup the module by activating it first running +To enable the module, run: - metricbeat module enable sql +[source,shell] +---- +metricbeat module enable sql +---- + +After enabling the module, open `modules.d/sql.yml` and set the required +fields: + +`driver`:: The driver can be any driver that has a {metricbeat} module, such as +`mssql` or `postgres`. +`sql_query`:: The single query you want to run. +`sql_response_format`:: Either `variables` or `table`: +`variables`::: Expects a two-column table that looks like a key/value result. +The left column is considered a key and the right column the value. This mode +generates a single event on each fetch operation. +`table`::: Expects any number of columns. This mode generates a single event for +each row. + +[float] +=== Example: capture Innodb-related metrics -Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: +This `sql.yml` configuration shows how to capture Innodb-related metrics that +result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL +database: -.sql.yml [source,yaml] ---- - module: sql @@ -39,7 +60,8 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi sql_response_format: variables ---- -.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +The `SHOW GLOBAL STATUS` query results in this table: + |==== |Variable_name|Value @@ -49,18 +71,11 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi |Innodb_system_rows_updated|315 |==== +Results are grouped by type in the result event for convenient mapping in +{es}. For example, `strings` values are grouped into `sql.strings`, `numeric` +into `sql.numeric`, and so on. -Keys in the YAML are defined as follow: - -- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. -- `sql_query`: Is the single query you want to run -- `sql_response_format`: You have 2 options here: - - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. - - `table`: Table mode can contain any number of columns and a single event will be generated for each row. - -Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. - -The event generated with the example above looks like this: +The example shown earlier generates this event: [source,json] ---- @@ -112,9 +127,13 @@ The event generated with the example above looks like this: } ---- -In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned +[float] +=== Example: query PostgreSQL and generate a "table" result + +This `sql.yml` configuration shows how to query PostgreSQL and generate +a "table" result. This configuration generates a single event for each row +returned: -.sql.yml [source,yaml] ---- - module: sql @@ -128,7 +147,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence sql_response_format: table ---- -.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +The SELECT query results in this table: + |==== |datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset @@ -137,7 +157,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence |13407|template0|0|0|0|0| |==== -With 3 rows on the table, three events will be generated with the contents of each row. As an example, below you can see the event created for the first row: +Because the table contains three rows, three events are generated, one event +for each row. For example, this event is created for the first row: [source,json] ---- @@ -194,14 +215,11 @@ With 3 rows on the table, three events will be generated with the contents of ea } ---- +[float] +=== Example: get the buffer catch hit ratio in Oracle -== More examples - -=== Oracle: - -Get the buffer cache hit ratio: +This `sql.yml` configuration shows how to get the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -215,6 +233,7 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: [source,json] ---- @@ -269,11 +288,11 @@ Get the buffer cache hit ratio: } ---- -=== MSSQL +[float] +=== Example: get the buffer cache hit ratio for MSSQL -Get the buffer cache hit ratio: +This `sql.yml` configuration gets the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -287,6 +306,8 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: + [source,json] ---- { @@ -338,11 +359,12 @@ Get the buffer cache hit ratio: } ---- -=== Two or more queries +[float] +=== Example: launch two or more queries -If you want to launch two or more queries, you need to specify them with their full configuration for each query. For example: +To launch two or more queries, specify the full configuration for each query. +For example: -.sql.yml [source,yaml] ---- - module: sql diff --git a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc index 31751f264ece..d445d62e3056 100644 --- a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc @@ -1,21 +1,42 @@ -The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The SQL module allows you to execute custom queries against an SQL database and +store the results in {es}. -The currently supported databases are the ones already included in Metricbeat, which are: -- PostgreSQL -- MySQL -- Oracle -- Microsoft SQL -- CockroachDB +This module supports the databases that you can monitor with {metricbeat}, +including: -== Quickstart +* PostgreSQL +* MySQL +* Oracle +* Microsoft SQL +* CockroachDB -You can setup the module by activating it first running +To enable the module, run: - metricbeat module enable sql +[source,shell] +---- +metricbeat module enable sql +---- + +After enabling the module, open `modules.d/sql.yml` and set the required +fields: + +`driver`:: The driver can be any driver that has a {metricbeat} module, such as +`mssql` or `postgres`. +`sql_query`:: The single query you want to run. +`sql_response_format`:: Either `variables` or `table`: +`variables`::: Expects a two-column table that looks like a key/value result. +The left column is considered a key and the right column the value. This mode +generates a single event on each fetch operation. +`table`::: Expects any number of columns. This mode generates a single event for +each row. -Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: +[float] +=== Example: capture Innodb-related metrics + +This `sql.yml` configuration shows how to capture Innodb-related metrics that +result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL +database: -.sql.yml [source,yaml] ---- - module: sql @@ -29,7 +50,8 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi sql_response_format: variables ---- -.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +The `SHOW GLOBAL STATUS` query results in this table: + |==== |Variable_name|Value @@ -39,18 +61,11 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi |Innodb_system_rows_updated|315 |==== +Results are grouped by type in the result event for convenient mapping in +{es}. For example, `strings` values are grouped into `sql.strings`, `numeric` +into `sql.numeric`, and so on. -Keys in the YAML are defined as follow: - -- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. -- `sql_query`: Is the single query you want to run -- `sql_response_format`: You have 2 options here: - - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. - - `table`: Table mode can contain any number of columns and a single event will be generated for each row. - -Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. - -The event generated with the example above looks like this: +The example shown earlier generates this event: [source,json] ---- @@ -102,9 +117,13 @@ The event generated with the example above looks like this: } ---- -In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned +[float] +=== Example: query PostgreSQL and generate a "table" result + +This `sql.yml` configuration shows how to query PostgreSQL and generate +a "table" result. This configuration generates a single event for each row +returned: -.sql.yml [source,yaml] ---- - module: sql @@ -118,7 +137,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence sql_response_format: table ---- -.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +The SELECT query results in this table: + |==== |datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset @@ -127,7 +147,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence |13407|template0|0|0|0|0| |==== -With 3 rows on the table, three events will be generated with the contents of each row. As an example, below you can see the event created for the first row: +Because the table contains three rows, three events are generated, one event +for each row. For example, this event is created for the first row: [source,json] ---- @@ -184,14 +205,11 @@ With 3 rows on the table, three events will be generated with the contents of ea } ---- +[float] +=== Example: get the buffer catch hit ratio in Oracle -== More examples +This `sql.yml` configuration shows how to get the buffer cache hit ratio: -=== Oracle: - -Get the buffer cache hit ratio: - -.sql.yml [source,yaml] ---- - module: sql @@ -205,6 +223,7 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: [source,json] ---- @@ -259,11 +278,11 @@ Get the buffer cache hit ratio: } ---- -=== MSSQL +[float] +=== Example: get the buffer cache hit ratio for MSSQL -Get the buffer cache hit ratio: +This `sql.yml` configuration gets the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -277,6 +296,8 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: + [source,json] ---- { @@ -328,11 +349,12 @@ Get the buffer cache hit ratio: } ---- -=== Two or more queries +[float] +=== Example: launch two or more queries -If you want to launch two or more queries, you need to specify them with their full configuration for each query. For example: +To launch two or more queries, specify the full configuration for each query. +For example: -.sql.yml [source,yaml] ---- - module: sql diff --git a/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc index df05a99c95ce..8f48f8507de5 100644 --- a/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc @@ -1,4 +1,4 @@ -The sql `query` metricset collect rows returned by a query. +The sql `query` metricset collects rows returned by a query. -Fields names (columns) will be returned as lowercase. -Values will be returned as numeric or string. \ No newline at end of file +Field names (columns) are returned as lowercase strings. Values are returned as numeric +or string. From 13a54632caa9c69f1126733addbfa2e69a34f2d4 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Thu, 1 Oct 2020 23:04:30 -0400 Subject: [PATCH 11/18] Update Filebeat module expected logs files (#21454) Elasticsearch added country_name to the list of default field for geo in https://github.com/elastic/elasticsearch/pull/62915. So the expected files needed updated. --- .../test/darwin-2.4.23.log-expected.json | 3 + .../access/test/ssl-request.log-expected.json | 1 + .../apache/error/test/test.log-expected.json | 2 + .../log/test/default.log-expected.json | 1 + .../log/test/haproxy.log-expected.json | 1 + .../iis/access/test/test.log-expected.json | 2 + .../test/iis_error_url.log-expected.json | 8 + .../iis/error/test/test.log-expected.json | 3 + .../access/test/access.log-expected.json | 8 + .../test/test-with-host.log-expected.json | 4 + .../nginx/access/test/test.log-expected.json | 4 + .../test/test.log-expected.json | 2 +- .../auth/test/secure-rhel7.log-expected.json | 35 ++ .../system/auth/test/test.log-expected.json | 2 + .../access/test/test.log-expected.json | 4 + .../test/assume-role-json.log-expected.json | 1 + .../create-key-pair-json.log-expected.json | 1 + .../test/update-trail-json.log-expected.json | 1 + .../application-lb-http.log-expected.json | 10 + .../aws/elb/test/elb-http.log-expected.json | 5 + .../aws/elb/test/elb-tcp.log-expected.json | 6 + .../test/example-nlb-tcp.log-expected.json | 1 + .../test/s3_server_access.log-expected.json | 6 + .../accept-reject-traffic.log-expected.json | 4 + .../test/tcp-flag-sequence.log-expected.json | 1 + .../test/activitylogs.log-expected.json | 2 + .../supporttickets_write.log-expected.json | 2 + .../test/signinlogs.log-expected.json | 2 + .../test/generated.log-expected.json | 4 +- .../module/cef/log/test/cef.log-expected.json | 3 + .../cef/log/test/checkpoint.log-expected.json | 1 + .../test/checkpoint.log-expected.json | 45 ++ .../additional_messages.log-expected.json | 10 + .../cisco/asa/test/asa-fix.log-expected.json | 1 + .../asa/test/dap_records.log-expected.json | 1 + .../cisco/ftd/test/dns.log-expected.json | 21 + .../security-connection.log-expected.json | 6 + .../security-file-malware.log-expected.json | 2 + .../security-malware-site.log-expected.json | 2 + .../test/cisco-ios-syslog.log-expected.json | 7 + .../meraki/test/generated.log-expected.json | 128 ++--- .../test/generated.log-expected.json | 40 +- .../corepas/test/generated.log-expected.json | 418 +++++++------- .../log/test/envoy-json.log-expected.json | 1 + .../log/test/envoy.log-expected.json | 1 + .../bigipafm/test/generated.log-expected.json | 402 +++++++------- .../bigipapm/test/generated.log-expected.json | 12 +- .../test/generated.log-expected.json | 176 +++--- .../firewall/test/fortinet.log-expected.json | 29 + .../test/generated.log-expected.json | 24 +- .../test/generated.log-expected.json | 320 +++++------ .../audit-log-entries.json.log-expected.json | 2 + .../firewall/test/test.log-expected.json | 3 + ...in-application-test.json.log-expected.json | 18 +- ...admin-calendar-test.json.log-expected.json | 26 +- ...ite-admin-chat-test.json.log-expected.json | 8 +- ...admin-chromeos-test.json.log-expected.json | 42 +- ...admin-contacts-test.json.log-expected.json | 2 +- ...delegatedadmin-test.json.log-expected.json | 16 +- ...ite-admin-docs-test.json.log-expected.json | 8 +- ...e-admin-domain-test.json.log-expected.json | 170 +++--- ...te-admin-gmail-test.json.log-expected.json | 20 +- ...e-admin-groups-test.json.log-expected.json | 28 +- ...admin-licenses-test.json.log-expected.json | 16 +- ...e-admin-mobile-test.json.log-expected.json | 62 +-- ...uite-admin-org-test.json.log-expected.json | 34 +- ...admin-security-test.json.log-expected.json | 48 +- ...te-admin-sites-test.json.log-expected.json | 10 +- ...ite-admin-user-test.json.log-expected.json | 150 +++--- .../gsuite-drive-test.json.log-expected.json | 56 +- .../gsuite-groups-test.json.log-expected.json | 50 +- .../gsuite-login-test.json.log-expected.json | 20 +- .../gsuite-saml-test.json.log-expected.json | 4 +- ...-user_accounts-test.json.log-expected.json | 16 +- .../test/generated.log-expected.json | 456 ++++++++-------- .../iptables/log/test/geo.log-expected.json | 1 + .../test/generated.log-expected.json | 20 +- .../test/misp-test.json.log-expected.json | 1 + .../test/generated.log-expected.json | 28 +- .../test/04-sharepoint.log-expected.json | 4 + .../06-sharepointfileop.log-expected.json | 11 + .../audit/test/08-azuread.log-expected.json | 99 ++++ .../test/14-sp-sharing-op.log-expected.json | 5 + .../15-azuread-sts-logon.log-expected.json | 69 +++ .../audit/test/22-yammer.log-expected.json | 1 + .../okta-system-test.json.log-expected.json | 3 + .../test/pan_inc_other.log-expected.json | 1 + .../test/pan_inc_threat.log-expected.json | 100 ++++ .../test/pan_inc_traffic.log-expected.json | 95 ++++ .../panw/panos/test/threat.log-expected.json | 76 +++ .../panw/panos/test/traffic.log-expected.json | 98 ++++ .../log/test/generated.log-expected.json | 54 +- .../firewall/test/general.log-expected.json | 6 + .../firewall/test/generated.log-expected.json | 80 +-- .../utm/test/generated.log-expected.json | 90 ++-- .../xg/test/anti-spam.log-expected.json | 6 + .../xg/test/anti-virus.log-expected.json | 6 + .../sophos/xg/test/atp.log-expected.json | 4 + .../sophos/xg/test/cfilter.log-expected.json | 10 + .../sophos/xg/test/event.log-expected.json | 6 + .../sophos/xg/test/firewall.log-expected.json | 9 + .../sophos/xg/test/idp.log-expected.json | 3 + .../sophos/xg/test/waf.log-expected.json | 6 + .../squid/log/test/access1.log-expected.json | 420 +++++++++------ .../eve/test/eve-alerts.log-expected.json | 20 + .../eve/test/eve-small.log-expected.json | 1 + .../test/generated.log-expected.json | 14 +- .../test/connection-json.log-expected.json | 3 + .../http/test/http-json.log-expected.json | 1 + .../zeek/irc/test/irc-json.log-expected.json | 3 + .../notice/test/notice-json.log-expected.json | 2 + .../zeek/sip/test/sip-json.log-expected.json | 5 + .../zeek/ssl/test/ssl-json.log-expected.json | 2 + .../test/traceroute-json.log-expected.json | 1 + .../tunnel/test/tunnel-json.log-expected.json | 2 + .../zia/test/generated.log-expected.json | 508 +++++++++--------- .../zscaler/zia/test/test.log-expected.json | 4 +- 117 files changed, 2951 insertions(+), 1968 deletions(-) diff --git a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json index 9c61a6065afb..1f3600f2e09c 100644 --- a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json +++ b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json @@ -76,6 +76,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -105,6 +106,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -134,6 +136,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", diff --git a/filebeat/module/apache/access/test/ssl-request.log-expected.json b/filebeat/module/apache/access/test/ssl-request.log-expected.json index 9898d82cef08..3eb3e283b198 100644 --- a/filebeat/module/apache/access/test/ssl-request.log-expected.json +++ b/filebeat/module/apache/access/test/ssl-request.log-expected.json @@ -38,6 +38,7 @@ "source.address": "11.19.0.217", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "11.19.0.217", diff --git a/filebeat/module/apache/error/test/test.log-expected.json b/filebeat/module/apache/error/test/test.log-expected.json index fbc9605ef388..d9f470db46a4 100644 --- a/filebeat/module/apache/error/test/test.log-expected.json +++ b/filebeat/module/apache/error/test/test.log-expected.json @@ -56,6 +56,7 @@ "source.geo.city_name": "Newnan", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.3708, "source.geo.location.lon": -84.8154, "source.geo.region_iso_code": "US-GA", @@ -84,6 +85,7 @@ "source.geo.city_name": "Beijing", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 39.9288, "source.geo.location.lon": 116.3889, "source.geo.region_iso_code": "CN-BJ", diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json index f58515d6172c..4da9bc98f174 100644 --- a/filebeat/module/haproxy/log/test/default.log-expected.json +++ b/filebeat/module/haproxy/log/test/default.log-expected.json @@ -30,6 +30,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json index 474b7a5e5d30..b33e80ab0731 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json +++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json @@ -47,6 +47,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index adb56a2eadd7..786333c1379d 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -34,6 +34,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -127,6 +128,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", diff --git a/filebeat/module/iis/error/test/iis_error_url.log-expected.json b/filebeat/module/iis/error/test/iis_error_url.log-expected.json index 0cb2fb038b4f..8adb2e6d1d06 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log-expected.json +++ b/filebeat/module/iis/error/test/iis_error_url.log-expected.json @@ -30,6 +30,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -67,6 +68,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -104,6 +106,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -141,6 +144,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -178,6 +182,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -215,6 +220,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -252,6 +258,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -289,6 +296,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index 50ec549dd6bc..506ee6ba2edd 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json @@ -66,6 +66,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -108,6 +109,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -146,6 +148,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json index 92519cc1e811..7981a316c952 100644 --- a/filebeat/module/nginx/access/test/access.log-expected.json +++ b/filebeat/module/nginx/access/test/access.log-expected.json @@ -32,6 +32,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -80,6 +81,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -127,6 +129,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -174,6 +177,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -222,6 +226,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -269,6 +274,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -316,6 +322,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -363,6 +370,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index a19686951847..e07836ce5208 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -115,6 +115,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -164,6 +165,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -216,6 +218,7 @@ "source.geo.city_name": "Springfield", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.7647, "source.geo.location.lon": -89.7379, "source.geo.region_iso_code": "US-IL", @@ -260,6 +263,7 @@ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PT", + "source.geo.country_name": "Portugal", "source.geo.location.lat": 39.5, "source.geo.location.lon": -8.0, "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 75caf6cf9f8a..b27c9ccf19bc 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -112,6 +112,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -159,6 +160,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -209,6 +211,7 @@ "source.geo.city_name": "Springfield", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.7647, "source.geo.location.lon": -89.7379, "source.geo.region_iso_code": "US-IL", @@ -251,6 +254,7 @@ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PT", + "source.geo.country_name": "Portugal", "source.geo.location.lat": 39.5, "source.geo.location.lon": -8.0, "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index e8b09bc1abda..89c37b4a38e7 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -1322,4 +1322,4 @@ "user_agent.os.version": "10.14", "user_agent.version": "72.0." } -] +] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 7d8ece1d7f24..50134594bfcc 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -33,6 +33,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -94,6 +95,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -155,6 +157,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -284,6 +287,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -345,6 +349,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -406,6 +411,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -467,6 +473,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -528,6 +535,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -691,6 +699,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -752,6 +761,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -813,6 +823,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -874,6 +885,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -935,6 +947,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -996,6 +1009,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -1074,6 +1088,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1135,6 +1150,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1264,6 +1280,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1325,6 +1342,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1386,6 +1404,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1447,6 +1466,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1508,6 +1528,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1637,6 +1658,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1698,6 +1720,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1759,6 +1782,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1820,6 +1844,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1881,6 +1906,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2010,6 +2036,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2071,6 +2098,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2132,6 +2160,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2244,6 +2273,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2305,6 +2335,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2366,6 +2397,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2427,6 +2459,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2488,6 +2521,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2617,6 +2651,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 88d32188bb7c..dc677ebb58c7 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -140,6 +140,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -196,6 +197,7 @@ "source.geo.city_name": "Hangzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 30.294, "source.geo.location.lon": 120.1619, "source.geo.region_iso_code": "CN-ZJ", diff --git a/filebeat/module/traefik/access/test/test.log-expected.json b/filebeat/module/traefik/access/test/test.log-expected.json index a5723ed5c27c..631673fe3515 100644 --- a/filebeat/module/traefik/access/test/test.log-expected.json +++ b/filebeat/module/traefik/access/test/test.log-expected.json @@ -69,6 +69,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -116,6 +117,7 @@ "source.geo.city_name": "Ottawa", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.2691, "source.geo.location.lon": -75.7518, "source.geo.region_iso_code": "CA-ON", @@ -203,6 +205,7 @@ "source.geo.city_name": "Warsaw", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 52.25, "source.geo.location.lon": 21.0, "source.geo.region_iso_code": "PL-14", @@ -249,6 +252,7 @@ "source.geo.city_name": "Gda\u0144sk", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.3605, "source.geo.location.lon": 18.649, "source.geo.region_iso_code": "PL-22", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 3bdb628e7fb1..47691a242dc8 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json @@ -63,6 +63,7 @@ "source.as.organization.name": "CHINA UNICOM China169 Backbone", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 29.5569, "source.geo.location.lon": 106.5531, "source.geo.region_iso_code": "CN-CQ", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 5783ade81ede..41cca74d099d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -39,6 +39,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index c9ee01ef238c..1531a7c1e5a3 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -32,6 +32,7 @@ "source.geo.city_name": "Boardman", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 45.8491, "source.geo.location.lon": -119.7143, "source.geo.region_iso_code": "US-OR", diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index a566b2f94785..28e1564e9288 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -83,6 +84,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -131,6 +133,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -179,6 +182,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -227,6 +231,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -275,6 +280,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -323,6 +329,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -375,6 +382,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -427,6 +435,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -479,6 +488,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json index c1916fd1ec27..48701c8a9853 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json @@ -31,6 +31,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -74,6 +75,7 @@ "source.geo.city_name": "Mytishchi", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.9089, "source.geo.location.lon": 37.7339, "source.geo.region_iso_code": "RU-MOS", @@ -117,6 +119,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -160,6 +163,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -203,6 +207,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json index 8b394e2b07ea..e960e2117638 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json @@ -25,6 +25,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -61,6 +62,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -97,6 +99,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -133,6 +136,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -169,6 +173,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -205,6 +210,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json index e95641544245..b5db726de69f 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json @@ -30,6 +30,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index 273b15125567..187f7f335891 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -33,6 +33,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -95,6 +96,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -158,6 +160,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -220,6 +223,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -279,6 +283,7 @@ "geo.city_name": "Teruel", "geo.continent_name": "Europe", "geo.country_iso_code": "ES", + "geo.country_name": "Spain", "geo.location.lat": 40.3456, "geo.location.lon": -1.1065, "geo.region_iso_code": "ES-TE", @@ -331,6 +336,7 @@ "geo.city_name": "Denver", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.7044, "geo.location.lon": -105.0023, "geo.region_iso_code": "US-CO", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json index 170b8851ec91..1f1b3e061b24 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", "destination.geo.location.lat": 40.4172, "destination.geo.location.lon": -3.684, "destination.ip": "158.109.0.1", @@ -47,6 +48,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -72,6 +74,7 @@ "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", "destination.geo.location.lat": 40.4172, "destination.geo.location.lon": -3.684, "destination.ip": "158.109.0.1", @@ -106,6 +109,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json index 6b7b788ac972..ba0293752ca0 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json @@ -49,6 +49,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json index 4c0e8d4701a4..3f86faee0840 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json @@ -47,6 +47,7 @@ "fileset.name": "activitylogs", "geo.continent_name": "Europe", "geo.country_iso_code": "GB", + "geo.country_name": "United Kingdom", "geo.location.lat": 51.4964, "geo.location.lon": -0.1224, "input.type": "log", @@ -55,6 +56,7 @@ "service.type": "azure", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.4964, "source.geo.location.lon": -0.1224, "source.ip": "51.251.141.41", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index db962bd4df6f..5f14108e4c4f 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -52,6 +52,7 @@ "fileset.name": "activitylogs", "geo.continent_name": "Asia", "geo.country_iso_code": "JP", + "geo.country_name": "Japan", "geo.location.lat": 35.69, "geo.location.lon": 139.69, "input.type": "log", @@ -62,6 +63,7 @@ "source.as.organization.name": "KDDI CORPORATION", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "JP", + "source.geo.country_name": "Japan", "source.geo.location.lat": 35.69, "source.geo.location.lon": 139.69, "source.ip": "111.111.111.11", diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index 6a0f96ae261a..db0643ccf25b 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -66,6 +66,7 @@ "source.geo.city_name": "Farnham Royal", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5333, "source.geo.location.lon": -0.6167, "source.geo.region_iso_code": "GB-BKM", @@ -145,6 +146,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index ff70486fab55..ed4c2bb4d7f3 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -496,8 +496,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.18.165.35", - "10.110.109.5" + "10.110.109.5", + "10.18.165.35" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index ca0127defbdd..d2902dc24b66 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -45,6 +45,7 @@ "service.type": "cef", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "6.7.8.9", @@ -77,6 +78,7 @@ "destination.geo.city_name": "Moscow", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7527, "destination.geo.location.lon": 37.6172, "destination.geo.region_iso_code": "RU-MOW", @@ -114,6 +116,7 @@ "service.type": "cef", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "6.7.8.9", diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 8d0272290322..eefe063490d3 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -48,6 +48,7 @@ "destination.geo.city_name": "Des Moines", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 41.6006, "destination.geo.location.lon": -93.6112, "destination.geo.region_iso_code": "US-IA", diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json index fd07aa51eca8..30fc5952b01f 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json @@ -150,6 +150,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -270,6 +271,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -388,6 +390,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -506,6 +509,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -624,6 +628,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", @@ -742,6 +747,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -860,6 +866,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -978,6 +985,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1096,6 +1104,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -1214,6 +1223,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -1332,6 +1342,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -1450,6 +1461,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -1568,6 +1580,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1686,6 +1699,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -1804,6 +1818,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -1922,6 +1937,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -2040,6 +2056,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -2206,6 +2223,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -2298,6 +2316,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -2526,6 +2545,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -2644,6 +2664,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -2762,6 +2783,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -2880,6 +2902,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -2998,6 +3021,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -3116,6 +3140,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3282,6 +3307,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -3400,6 +3426,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -3518,6 +3545,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3636,6 +3664,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -3754,6 +3783,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -3818,6 +3848,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3990,6 +4021,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -4108,6 +4140,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -4254,6 +4287,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -4428,6 +4462,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", @@ -4546,6 +4581,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -4664,6 +4700,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -4782,6 +4819,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -4900,6 +4938,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -5018,6 +5057,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -5136,6 +5176,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -5254,6 +5295,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -5372,6 +5414,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -5490,6 +5533,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -5608,6 +5652,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 73d42d43af78..66cc3da4b0cd 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1136,6 +1136,7 @@ "destination.geo.city_name": "Thousand Oaks", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.197, "destination.geo.location.lon": -118.8199, "destination.geo.region_iso_code": "US-CA", @@ -2417,6 +2418,7 @@ "destination.geo.city_name": "Clermont-Ferrand", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 45.7838, "destination.geo.location.lon": 3.0966, "destination.geo.region_iso_code": "FR-63", @@ -2467,6 +2469,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -2542,6 +2545,7 @@ "destination.geo.city_name": "Riga", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "LV", + "destination.geo.country_name": "Latvia", "destination.geo.location.lat": 56.9496, "destination.geo.location.lon": 24.0978, "destination.geo.region_iso_code": "LV-RIX", @@ -2927,6 +2931,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -2946,6 +2951,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5888, "destination.geo.location.lon": -0.0247, "destination.geo.region_iso_code": "GB-ENG", @@ -3029,6 +3035,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -3075,6 +3082,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -3093,6 +3101,7 @@ "destination.geo.city_name": "Stoke Newington", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5638, "destination.geo.location.lon": -0.0765, "destination.geo.region_iso_code": "GB-HCK", @@ -3139,6 +3148,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 94f2b616d271..a57299252caf 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -509,6 +509,7 @@ "destination.address": "1.2.33.40", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", "destination.geo.location.lat": 23.1167, "destination.geo.location.lon": 113.25, "destination.geo.region_iso_code": "CN-GD", diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index bb691462f78b..e86dd81aead3 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 37efb99f4832..b7b065dea1c0 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -39,6 +39,7 @@ "destination.bytes": 145, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -147,6 +148,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -253,6 +255,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -361,6 +364,7 @@ "destination.bytes": 200, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -468,6 +472,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -574,6 +579,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -683,6 +689,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -789,6 +796,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -896,6 +904,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1004,6 +1013,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1111,6 +1121,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.region_iso_code": "US-WA", @@ -1217,6 +1228,7 @@ "destination.bytes": 313, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1322,6 +1334,7 @@ "destination.bytes": 180, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1428,6 +1441,7 @@ "destination.bytes": 108, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1535,6 +1549,7 @@ "destination.bytes": 162, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1643,6 +1658,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1749,6 +1765,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1855,6 +1872,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1961,6 +1979,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2066,6 +2085,7 @@ "destination.bytes": 131, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2173,6 +2193,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 3cef5df9a0fa..7490bc1ac57d 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -217,6 +217,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -321,6 +322,7 @@ "destination.bytes": 314, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -422,6 +424,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -526,6 +529,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -633,6 +637,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -736,6 +741,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 8ab3e55fc873..135a29792105 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -581,6 +581,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -763,6 +764,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 73ab6378da19..0b669eb5dffb 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -44,6 +44,7 @@ "destination.bytes": 246, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", @@ -102,6 +103,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6348, "source.geo.location.lon": -122.3451, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json index 3485b3ff5836..0695d3730aac 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json +++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -331,6 +331,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -828,6 +829,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1022,6 +1024,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1122,6 +1125,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1210,6 +1214,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -1296,6 +1301,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1537,6 +1543,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index beeffa9b5eb7..93b257059121 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -122,8 +122,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.155.236.240", - "10.112.46.169" + "10.112.46.169", + "10.155.236.240" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.134.0.141", - "10.210.213.18" + "10.210.213.18", + "10.134.0.141" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.10.165", - "10.53.150.119" + "10.53.150.119", + "10.85.10.165" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -623,8 +623,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.205.47.51", - "10.219.84.37" + "10.219.84.37", + "10.205.47.51" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.31.77.157", - "10.12.182.70" + "10.12.182.70", + "10.31.77.157" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.135.217.12", - "10.93.68.231" + "10.93.68.231", + "10.135.217.12" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.30.212", - "10.66.89.5" + "10.66.89.5", + "10.247.30.212" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.183.44.198", - "10.0.200.27" + "10.0.200.27", + "10.183.44.198" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1177,8 +1177,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.148.124.84", - "10.28.144.180" + "10.28.144.180", + "10.148.124.84" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.98.194.212", - "10.204.230.166" + "10.204.230.166", + "10.98.194.212" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.150.245.88", - "10.242.77.170" + "10.242.77.170", + "10.150.245.88" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.230.6.127", - "10.111.157.56" + "10.111.157.56", + "10.230.6.127" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.179.40.170", - "10.193.219.34" + "10.193.219.34", + "10.179.40.170" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.124.63.4", - "10.90.99.245" + "10.90.99.245", + "10.124.63.4" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1733,8 +1733,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.196.96.162", - "10.81.234.34" + "10.81.234.34", + "10.196.96.162" ], "rsa.internal.event_desc": "Utenima security_event iqua", "rsa.internal.messageid": "security_event", @@ -1903,8 +1903,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.86.188.179", - "10.201.168.116" + "10.201.168.116", + "10.86.188.179" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2011,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.120.4.9", - "10.97.46.16" + "10.97.46.16", + "10.120.4.9" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2084,8 +2084,8 @@ "uames4985.mail.localdomain" ], "related.ip": [ - "10.150.163.151", - "10.144.57.239" + "10.144.57.239", + "10.150.163.151" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2126,8 +2126,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.44.231", - "10.52.202.158" + "10.52.202.158", + "10.54.44.231" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2252,8 +2252,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.2.110.73", - "10.103.49.129" + "10.103.49.129", + "10.2.110.73" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2292,8 +2292,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.132.176.96", - "10.158.61.228" + "10.158.61.228", + "10.132.176.96" ], "rsa.counters.dclass_r1": "eserun", "rsa.internal.messageid": "events", @@ -2333,8 +2333,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.46.217.155", - "10.105.136.146" + "10.105.136.146", + "10.46.217.155" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2374,8 +2374,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2480,8 +2480,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.246.152.72", - "10.34.62.190" + "10.34.62.190", + "10.246.152.72" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2758,8 +2758,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.65.0.157", - "10.17.111.91" + "10.17.111.91", + "10.65.0.157" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", @@ -2893,8 +2893,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.199.103.185", - "10.51.121.223" + "10.51.121.223", + "10.199.103.185" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -2988,8 +2988,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.113.152.241", - "10.121.37.244" + "10.121.37.244", + "10.113.152.241" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -3067,8 +3067,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.200.98.243", - "10.101.13.122" + "10.101.13.122", + "10.200.98.243" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", @@ -3143,8 +3143,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.165.30", - "10.195.90.73" + "10.195.90.73", + "10.147.165.30" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3206,8 +3206,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.162.202.14", - "10.137.166.97" + "10.137.166.97", + "10.162.202.14" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3330,8 +3330,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.75.122.111", - "10.85.59.172" + "10.85.59.172", + "10.75.122.111" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index cb772d912684..837f7b744a71 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -101,8 +101,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.72.11.247", - "10.134.175.248" + "10.134.175.248", + "10.72.11.247" ], "rsa.counters.dclass_c1": 1279, "rsa.db.index": "antium", @@ -185,10 +185,10 @@ "observer.vendor": "Citrix", "related.ip": [ "10.96.119.12", + "10.156.210.168", "10.21.92.218", - "10.83.234.60", "10.109.68.21", - "10.156.210.168" + "10.83.234.60" ], "related.user": [ "picia" @@ -1332,11 +1332,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.45.114.111", - "10.180.83.140", - "10.243.226.122", "10.117.94.131", - "10.3.23.172" + "10.180.83.140", + "10.3.23.172", + "10.45.114.111", + "10.243.226.122" ], "related.user": [ "ehender" @@ -2085,8 +2085,8 @@ "observer.vendor": "Citrix", "related.ip": [ "10.225.146.5", - "10.41.65.89", - "10.80.5.101" + "10.80.5.101", + "10.41.65.89" ], "related.user": [ "picia" @@ -2209,8 +2209,8 @@ "observer.vendor": "Citrix", "related.ip": [ "10.33.231.173", - "10.183.26.222", - "10.22.34.206" + "10.22.34.206", + "10.183.26.222" ], "related.user": [ "abill" @@ -2585,10 +2585,10 @@ "observer.vendor": "Citrix", "related.ip": [ "10.148.244.55", + "10.76.129.136", "10.133.153.174", - "10.8.82.22", "10.113.135.78", - "10.76.129.136" + "10.8.82.22" ], "related.user": [ "asiar" @@ -2662,8 +2662,8 @@ "rsa.db.index": "aturE", "rsa.internal.messageid": "APPFW_REFERER_HEADER", "rsa.misc.action": [ - "remip", - "cancel" + "cancel", + "remip" ], "rsa.misc.policy_name": "oNemoeni", "rsa.misc.rule": "citation", @@ -2938,9 +2938,9 @@ "observer.vendor": "Citrix", "related.ip": [ "10.29.202.248", - "10.161.218.47", + "10.206.5.50", "10.247.251.223", - "10.206.5.50" + "10.161.218.47" ], "rsa.internal.event_desc": "A Server side and a Client side TCP connection is delinked. This is not tracked by Netscaler", "rsa.internal.messageid": "TCP_OTHERCONN_DELINK", @@ -3076,8 +3076,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.148.72.78", - "10.37.99.189" + "10.37.99.189", + "10.148.72.78" ], "rsa.crypto.cipher_src": "ritatis", "rsa.crypto.ssl_ver_src": "ugitsed", diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index 2bf31b06a524..4056ed473ca0 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -20,9 +20,9 @@ "10.208.15.216" ], "related.user": [ - "quasiarc", "itv", - "utl" + "utl", + "quasiarc" ], "rsa.db.index": "nes", "rsa.internal.event_desc": "pexe", @@ -71,9 +71,9 @@ "10.175.75.18" ], "related.user": [ + "dolore", "nnumqu", - "orev", - "dolore" + "orev" ], "rsa.db.database": "umdo", "rsa.db.index": "vol", @@ -130,8 +130,8 @@ "anti4454.api.example" ], "related.ip": [ - "10.51.132.10", - "10.46.185.46" + "10.46.185.46", + "10.51.132.10" ], "related.user": [ "incid", @@ -197,9 +197,9 @@ "10.53.192.140" ], "related.user": [ - "psumquia", + "atcup", "ptass", - "atcup" + "psumquia" ], "rsa.db.database": "aperi", "rsa.db.index": "llumd", @@ -253,9 +253,9 @@ "10.81.199.122" ], "related.user": [ - "oremips", + "eos", "giatq", - "eos" + "oremips" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -300,13 +300,13 @@ "temq1198.internal.example" ], "related.ip": [ - "10.139.186.201", - "10.172.14.142" + "10.172.14.142", + "10.139.186.201" ], "related.user": [ + "uam", "tcupida", - "aboris", - "uam" + "aboris" ], "rsa.db.database": "isiu", "rsa.db.index": "iatisu", @@ -363,13 +363,13 @@ "tenbyCic5882.api.home" ], "related.ip": [ - "10.104.111.129", - "10.47.76.251" + "10.47.76.251", + "10.104.111.129" ], "related.user": [ - "ele", "etconsec", - "ipis" + "ipis", + "ele" ], "rsa.db.database": "riat", "rsa.db.index": "umdolor", @@ -423,9 +423,9 @@ "10.116.120.216" ], "related.user": [ + "quiratio", "umdo", - "animi", - "quiratio" + "animi" ], "rsa.db.index": "oll", "rsa.internal.event_desc": "rumet", @@ -474,9 +474,9 @@ "10.62.54.220" ], "related.user": [ - "taevi", "psum", - "rnatura" + "rnatura", + "taevi" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -530,9 +530,9 @@ "10.74.237.180" ], "related.user": [ - "tnon", "ema", - "cup" + "cup", + "tnon" ], "rsa.db.index": "remeumf", "rsa.internal.event_desc": "lup", @@ -574,8 +574,8 @@ "10.18.165.35" ], "related.user": [ - "modocons", "remeum", + "modocons", "lor" ], "rsa.db.index": "etM", @@ -618,9 +618,9 @@ "10.74.253.127" ], "related.user": [ + "onproide", "icab", - "tema", - "onproide" + "tema" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -664,8 +664,8 @@ "tlabo6088.www.localdomain" ], "related.ip": [ - "10.92.8.15", - "10.189.109.245" + "10.189.109.245", + "10.92.8.15" ], "related.user": [ "inima", @@ -722,9 +722,9 @@ "10.21.78.128" ], "related.user": [ - "upt", + "giatquov", "taut", - "giatquov" + "upt" ], "rsa.db.index": "iadese", "rsa.internal.event_desc": "deFinibu", @@ -766,9 +766,9 @@ "10.18.109.121" ], "related.user": [ - "pida", "hil", - "tatn" + "tatn", + "pida" ], "rsa.db.index": "quip", "rsa.internal.event_desc": "ecillu", @@ -813,13 +813,13 @@ "iavolu5352.localhost" ], "related.ip": [ - "10.63.37.192", - "10.225.115.13" + "10.225.115.13", + "10.63.37.192" ], "related.user": [ "iunt", - "reetd", - "equep" + "equep", + "reetd" ], "rsa.db.database": "aliqu", "rsa.db.index": "mipsumd", @@ -876,13 +876,13 @@ "estiae3750.api.corp" ], "related.ip": [ - "10.47.202.102", - "10.95.64.124" + "10.95.64.124", + "10.47.202.102" ], "related.user": [ "run", - "ice", - "ntor" + "ntor", + "ice" ], "rsa.db.database": "ite", "rsa.db.index": "iquipex", @@ -999,13 +999,13 @@ "etMalor4236.www5.host" ], "related.ip": [ - "10.53.168.235", - "10.125.160.129" + "10.125.160.129", + "10.53.168.235" ], "related.user": [ "abi", - "one", - "ione" + "ione", + "one" ], "rsa.db.database": "sperna", "rsa.db.index": "estia", @@ -1066,9 +1066,9 @@ "10.227.177.121" ], "related.user": [ - "iduntu", "liqui", - "tasuntex" + "tasuntex", + "iduntu" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1129,8 +1129,8 @@ "nsecte3304.mail.corp" ], "related.ip": [ - "10.98.182.220", - "10.167.85.181" + "10.167.85.181", + "10.98.182.220" ], "related.user": [ "fde", @@ -1189,9 +1189,9 @@ "10.89.208.95" ], "related.user": [ + "iciadese", "icabo", - "sintoc", - "iciadese" + "sintoc" ], "rsa.db.index": "eni", "rsa.internal.event_desc": "rcitati", @@ -1236,13 +1236,13 @@ "nevo4284.internal.local" ], "related.ip": [ - "10.72.148.32", - "10.214.191.180" + "10.214.191.180", + "10.72.148.32" ], "related.user": [ + "uteirure", "tDuisaut", - "luptatev", - "uteirure" + "luptatev" ], "rsa.db.database": "uamest", "rsa.db.index": "uae", @@ -1299,13 +1299,13 @@ "itas981.mail.domain" ], "related.ip": [ - "10.252.124.150", - "10.136.190.236" + "10.136.190.236", + "10.252.124.150" ], "related.user": [ - "ipsumd", + "com", "litessec", - "com" + "ipsumd" ], "rsa.db.database": "tasn", "rsa.db.index": "squirati", @@ -1424,12 +1424,12 @@ "rQuisau5300.www5.example" ], "related.ip": [ - "10.154.4.197", - "10.216.84.30" + "10.216.84.30", + "10.154.4.197" ], "related.user": [ - "untu", - "intoc" + "intoc", + "untu" ], "rsa.db.database": "oditem", "rsa.db.index": "borios", @@ -1529,13 +1529,13 @@ "uamei2389.internal.example" ], "related.ip": [ - "10.65.175.9", - "10.193.83.81" + "10.193.83.81", + "10.65.175.9" ], "related.user": [ - "umqu", "ritatise", - "essequam" + "essequam", + "umqu" ], "rsa.db.database": "ender", "rsa.db.index": "entorev", @@ -1589,9 +1589,9 @@ "10.205.72.243" ], "related.user": [ - "umdolo", "isiuta", - "tatn" + "tatn", + "umdolo" ], "rsa.db.index": "proide", "rsa.internal.event_desc": "ameiusm", @@ -1633,8 +1633,8 @@ "10.107.9.163" ], "related.user": [ - "mquisno", "sit", + "mquisno", "mac" ], "rsa.db.index": "sit", @@ -1677,9 +1677,9 @@ "10.80.101.72" ], "related.user": [ - "asiarc", + "umSe", "quidexea", - "umSe" + "asiarc" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", @@ -1728,8 +1728,8 @@ "10.39.10.155" ], "related.user": [ - "aboreetd", "urExcept", + "aboreetd", "ptass" ], "rsa.db.database": "teirured", @@ -1828,9 +1828,9 @@ "10.71.238.250" ], "related.user": [ - "reseo", + "moenimi", "aec", - "moenimi" + "reseo" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1875,13 +1875,13 @@ "rum5798.home" ], "related.ip": [ - "10.226.101.180", - "10.226.20.199" + "10.226.20.199", + "10.226.101.180" ], "related.user": [ + "ritt", "rationev", - "veniamqu", - "ritt" + "veniamqu" ], "rsa.db.database": "conse", "rsa.db.index": "imveniam", @@ -1944,8 +1944,8 @@ ], "related.user": [ "quaUten", - "cab", - "utaliqu" + "utaliqu", + "cab" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -2002,9 +2002,9 @@ "10.70.147.120" ], "related.user": [ + "cidunt", "tten", - "emqu", - "cidunt" + "emqu" ], "rsa.db.index": "eaqu", "rsa.internal.event_desc": "quidol", @@ -2049,12 +2049,12 @@ "tesse1089.www.host" ], "related.ip": [ - "10.178.242.100", - "10.24.111.229" + "10.24.111.229", + "10.178.242.100" ], "related.user": [ - "loi", "dqu", + "loi", "idid" ], "rsa.db.database": "tenatuse", @@ -2110,8 +2110,8 @@ ], "related.user": [ "ritati", - "mmodoc", - "untincul" + "untincul", + "mmodoc" ], "rsa.db.index": "emvele", "rsa.internal.event_desc": "oluptas", @@ -2153,9 +2153,9 @@ "10.30.243.163" ], "related.user": [ + "illu", "mven", - "dolore", - "illu" + "dolore" ], "rsa.db.index": "idol", "rsa.internal.event_desc": "lore", @@ -2204,9 +2204,9 @@ "10.6.79.159" ], "related.user": [ - "midestl", + "amvo", "quid", - "amvo" + "midestl" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", @@ -2263,13 +2263,13 @@ "aecatcup2241.www5.test" ], "related.ip": [ - "10.237.170.202", - "10.70.147.46" + "10.70.147.46", + "10.237.170.202" ], "related.user": [ "liquide", - "atDu", - "rcit" + "rcit", + "atDu" ], "rsa.db.database": "taedict", "rsa.db.index": "loremeu", @@ -2326,13 +2326,13 @@ "mad5185.www5.localhost" ], "related.ip": [ - "10.228.118.81", - "10.179.50.138" + "10.179.50.138", + "10.228.118.81" ], "related.user": [ "emoe", - "itasper", - "tatemU" + "tatemU", + "itasper" ], "rsa.db.database": "toditaut", "rsa.db.index": "ugit", @@ -2393,9 +2393,9 @@ "10.234.165.130" ], "related.user": [ + "henderit", "emip", - "iuntNequ", - "henderit" + "iuntNequ" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2449,8 +2449,8 @@ "10.199.5.49" ], "related.user": [ - "turadipi", "emip", + "turadipi", "olorema" ], "rsa.db.index": "ataevi", @@ -2544,9 +2544,9 @@ "10.120.167.217" ], "related.user": [ - "animid", "dolorem", - "rsp" + "rsp", + "animid" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2603,13 +2603,13 @@ "mporainc2064.home" ], "related.ip": [ - "10.117.137.159", - "10.141.213.219" + "10.141.213.219", + "10.117.137.159" ], "related.user": [ "accusa", - "ate", - "atev" + "atev", + "ate" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2671,8 +2671,8 @@ ], "related.user": [ "eavol", - "rem", - "etconsec" + "etconsec", + "rem" ], "rsa.db.database": "oditempo", "rsa.db.index": "deF", @@ -2735,8 +2735,8 @@ "10.38.28.151" ], "related.user": [ - "tiumto", "incidid", + "tiumto", "mipsumqu" ], "rsa.db.database": "abor", @@ -2796,13 +2796,13 @@ "dolori6232.api.invalid" ], "related.ip": [ - "10.255.28.56", - "10.214.245.95" + "10.214.245.95", + "10.255.28.56" ], "related.user": [ "umdolors", - "uptatem", - "rerepre" + "rerepre", + "uptatem" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2856,8 +2856,8 @@ "10.45.35.180" ], "related.user": [ - "mip", "Utenima", + "mip", "qui" ], "rsa.db.index": "boree", @@ -2900,9 +2900,9 @@ "10.141.200.133" ], "related.user": [ - "enim", "iame", - "ess" + "ess", + "enim" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2944,9 +2944,9 @@ "10.83.238.145" ], "related.user": [ - "ugi", + "runtmo", "illoi", - "runtmo" + "ugi" ], "rsa.db.index": "eetdo", "rsa.internal.event_desc": "quaer", @@ -2995,9 +2995,9 @@ "10.39.143.155" ], "related.user": [ + "sedquiac", "tem", - "tperspic", - "sedquiac" + "tperspic" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -3059,8 +3059,8 @@ ], "related.user": [ "minim", - "unt", - "CSe" + "CSe", + "unt" ], "rsa.db.database": "atu", "rsa.db.index": "roi", @@ -3117,13 +3117,13 @@ "olu5333.www.domain" ], "related.ip": [ - "10.168.132.175", - "10.210.61.109" + "10.210.61.109", + "10.168.132.175" ], "related.user": [ + "eursinto", "giatquov", - "iamea", - "eursinto" + "iamea" ], "rsa.db.database": "ici", "rsa.db.index": "iquaUt", @@ -3223,8 +3223,8 @@ ], "related.user": [ "oeni", - "etquasia", - "xplic" + "xplic", + "etquasia" ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3271,8 +3271,8 @@ ], "related.user": [ "rsitvol", - "iati", - "Nemoenim" + "Nemoenim", + "iati" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", @@ -3322,8 +3322,8 @@ ], "related.user": [ "orissu", - "eufug", - "ine" + "ine", + "eufug" ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3377,9 +3377,9 @@ "10.70.83.200" ], "related.user": [ - "ihilmole", + "metco", "riat", - "metco" + "ihilmole" ], "rsa.db.index": "urQuis", "rsa.internal.event_desc": "iutaliq", @@ -3491,9 +3491,9 @@ "10.52.150.104" ], "related.user": [ - "texplica", "eritq", - "oinBCSed" + "oinBCSed", + "texplica" ], "rsa.db.database": "lit", "rsa.db.index": "ritati", @@ -3554,9 +3554,9 @@ "10.61.175.217" ], "related.user": [ + "runtm", "ntexpl", - "tat", - "runtm" + "tat" ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3610,9 +3610,9 @@ "10.150.30.95" ], "related.user": [ - "atnonpr", + "mini", "uisnos", - "mini" + "atnonpr" ], "rsa.db.index": "smod", "rsa.internal.event_desc": "isn", @@ -3654,8 +3654,8 @@ "10.98.71.45" ], "related.user": [ - "CSe", "fugitse", + "CSe", "onse" ], "rsa.db.index": "Dui", @@ -3698,9 +3698,9 @@ "10.252.251.143" ], "related.user": [ + "nonn", "remq", - "rspic", - "nonn" + "rspic" ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3742,8 +3742,8 @@ "10.197.203.167" ], "related.user": [ - "uta", "iumdo", + "uta", "eserun" ], "rsa.db.index": "smo", @@ -3786,9 +3786,9 @@ "10.187.170.23" ], "related.user": [ + "ibusBo", "sectetu", - "enima", - "ibusBo" + "enima" ], "rsa.db.index": "uido", "rsa.internal.event_desc": "lab", @@ -3833,13 +3833,13 @@ "involu1450.www.localhost" ], "related.ip": [ - "10.250.248.215", - "10.123.62.215" + "10.123.62.215", + "10.250.248.215" ], "related.user": [ "aevitaed", - "quaeratv", - "tinculpa" + "tinculpa", + "quaeratv" ], "rsa.db.database": "lica", "rsa.db.index": "uisnos", @@ -3997,9 +3997,9 @@ "10.154.172.82" ], "related.user": [ + "onnumqua", "nesci", - "tetura", - "onnumqua" + "tetura" ], "rsa.db.index": "oinBCSed", "rsa.internal.event_desc": "ntor", @@ -4041,9 +4041,9 @@ "10.47.63.70" ], "related.user": [ - "expl", "tpers", - "midestl" + "midestl", + "expl" ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", @@ -4085,9 +4085,9 @@ "10.178.160.245" ], "related.user": [ + "fdeFinib", "turQuis", - "olupta", - "fdeFinib" + "olupta" ], "rsa.db.index": "rsint", "rsa.internal.event_desc": "odico", @@ -4195,13 +4195,13 @@ "nimve2787.mail.test" ], "related.ip": [ - "10.222.32.183", - "10.65.207.234" + "10.65.207.234", + "10.222.32.183" ], "related.user": [ + "eve", "itame", - "eruntmo", - "eve" + "eruntmo" ], "rsa.db.database": "udexerc", "rsa.db.index": "volup", @@ -4255,8 +4255,8 @@ "10.16.181.60" ], "related.user": [ - "oinven", "gnama", + "oinven", "olore" ], "rsa.db.index": "uatu", @@ -4299,9 +4299,9 @@ "10.91.213.82" ], "related.user": [ - "illoin", "amnis", - "uianon" + "uianon", + "illoin" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4343,9 +4343,9 @@ "10.204.214.98" ], "related.user": [ + "porissus", "tdolo", - "eprehe", - "porissus" + "eprehe" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4388,8 +4388,8 @@ ], "related.user": [ "etc", - "moenimip", - "evel" + "evel", + "moenimip" ], "rsa.db.index": "iarchit", "rsa.internal.event_desc": "apari", @@ -4434,13 +4434,13 @@ "ama6820.mail.example" ], "related.ip": [ - "10.26.33.181", - "10.26.137.126" + "10.26.137.126", + "10.26.33.181" ], "related.user": [ - "audant", + "taevit", "ati", - "taevit" + "audant" ], "rsa.db.database": "com", "rsa.db.index": "mveni", @@ -4497,13 +4497,13 @@ "olupt966.www5.corp" ], "related.ip": [ - "10.142.161.116", - "10.148.195.208" + "10.148.195.208", + "10.142.161.116" ], "related.user": [ - "mpori", "isi", - "quaerat" + "quaerat", + "mpori" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4560,13 +4560,13 @@ "lit4112.www.localhost" ], "related.ip": [ - "10.10.174.253", - "10.107.24.54" + "10.107.24.54", + "10.10.174.253" ], "related.user": [ - "hend", + "itinvo", "uptasn", - "itinvo" + "hend" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4621,8 +4621,8 @@ "10.87.92.17" ], "related.user": [ - "tamr", "luptate", + "tamr", "eeufug" ], "rsa.db.index": "oreeufug", @@ -4672,13 +4672,13 @@ "dictasun3408.internal.invalid" ], "related.ip": [ - "10.161.51.135", - "10.231.51.136" + "10.231.51.136", + "10.161.51.135" ], "related.user": [ "Finibus", - "asper", - "accus" + "accus", + "asper" ], "rsa.db.database": "litani", "rsa.db.index": "arch", @@ -4732,9 +4732,9 @@ "10.51.17.32" ], "related.user": [ + "itten", "mquido", - "llum", - "itten" + "llum" ], "rsa.db.index": "uscipit", "rsa.internal.event_desc": "llitani", @@ -4776,9 +4776,9 @@ "10.108.123.148" ], "related.user": [ - "cusa", + "ollita", "mmodicon", - "ollita" + "cusa" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", @@ -4828,8 +4828,8 @@ "10.198.187.144" ], "related.user": [ - "rsitamet", "equatD", + "rsitamet", "ons" ], "rsa.db.database": "periam", @@ -4888,9 +4888,9 @@ "10.61.140.120" ], "related.user": [ - "naaliq", "loru", - "equa" + "equa", + "naaliq" ], "rsa.db.index": "umfugiat", "rsa.internal.event_desc": "ora", @@ -4939,9 +4939,9 @@ "10.93.24.151" ], "related.user": [ - "sequamn", "ite", - "nven" + "nven", + "sequamn" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4995,9 +4995,9 @@ "10.101.45.225" ], "related.user": [ - "cipitla", "emi", - "uinesc" + "uinesc", + "cipitla" ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -5088,9 +5088,9 @@ "10.33.112.100" ], "related.user": [ - "ptatemse", "aliqu", - "enimad" + "enimad", + "ptatemse" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -5135,12 +5135,12 @@ "isno4595.local" ], "related.ip": [ - "10.151.110.250", - "10.94.152.238" + "10.94.152.238", + "10.151.110.250" ], "related.user": [ - "tla", "neavol", + "tla", "pidatatn" ], "rsa.db.database": "itaedict", @@ -5198,13 +5198,13 @@ "tatemse5403.home" ], "related.ip": [ - "10.146.61.5", - "10.77.9.17" + "10.77.9.17", + "10.146.61.5" ], "related.user": [ - "tevel", "umS", - "alorumwr" + "alorumwr", + "tevel" ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", @@ -5305,8 +5305,8 @@ "reprehe650.www.corp" ], "related.ip": [ - "10.200.162.248", - "10.31.86.83" + "10.31.86.83", + "10.200.162.248" ], "related.user": [ "onnu", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json index e6ca9516ad0f..483625d8bea9 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json @@ -7,6 +7,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json index 1c9482cefdb6..703b5e977b38 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json @@ -140,6 +140,7 @@ "destination.as.organization.name": "Fastly", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "151.101.66.217", diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index d17290622826..13fe3560c057 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -24,10 +24,10 @@ "tatemac3541.api.corp" ], "related.ip": [ + "10.208.121.85", "10.165.201.71", - "10.228.193.207", "10.11.196.142", - "10.208.121.85" + "10.228.193.207" ], "related.user": [ "billoi" @@ -93,9 +93,9 @@ ], "related.ip": [ "10.51.132.10", - "10.162.9.235", + "10.92.202.200", "10.94.67.230", - "10.92.202.200" + "10.162.9.235" ], "related.user": [ "byC" @@ -228,9 +228,9 @@ ], "related.ip": [ "10.12.44.169", - "10.202.66.28", + "10.131.233.27", "10.50.112.141", - "10.131.233.27" + "10.202.66.28" ], "related.user": [ "elits" @@ -296,9 +296,9 @@ ], "related.ip": [ "10.159.182.171", + "10.206.197.113", "10.151.111.38", - "10.96.35.212", - "10.206.197.113" + "10.96.35.212" ], "related.user": [ "mol" @@ -365,8 +365,8 @@ "related.ip": [ "10.126.177.162", "10.213.113.28", - "10.169.144.147", - "10.89.163.114" + "10.89.163.114", + "10.169.144.147" ], "related.user": [ "ist" @@ -430,10 +430,10 @@ "ittenbyC7838.api.localdomain" ], "related.ip": [ - "10.101.223.43", - "10.18.124.28", + "10.146.88.52", "10.103.107.47", - "10.146.88.52" + "10.101.223.43", + "10.18.124.28" ], "related.user": [ "rudexerc" @@ -498,8 +498,8 @@ "ume465.corp" ], "related.ip": [ - "10.150.220.75", "10.189.109.245", + "10.150.220.75", "10.69.57.206", "10.110.99.17" ], @@ -565,8 +565,8 @@ "iciatisu1463.www5.localdomain" ], "related.ip": [ - "10.199.34.241", "10.121.219.204", + "10.199.34.241", "10.153.136.222", "10.19.194.101" ], @@ -632,9 +632,9 @@ "aliqu6801.api.localdomain" ], "related.ip": [ - "10.57.103.192", "10.64.141.105", "10.46.27.57", + "10.57.103.192", "10.182.199.231" ], "related.user": [ @@ -699,10 +699,10 @@ "itame189.domain" ], "related.ip": [ - "10.32.67.231", - "10.3.134.237", + "10.164.6.207", "10.160.210.31", - "10.164.6.207" + "10.3.134.237", + "10.32.67.231" ], "related.user": [ "pic" @@ -768,8 +768,8 @@ ], "related.ip": [ "10.42.138.192", - "10.201.6.10", "10.235.101.253", + "10.201.6.10", "10.182.178.217" ], "related.user": [ @@ -835,9 +835,9 @@ "stlabo1228.mail.host" ], "related.ip": [ - "10.86.101.235", - "10.194.247.171", "10.151.161.70", + "10.194.247.171", + "10.86.101.235", "10.22.102.198" ], "related.user": [ @@ -904,9 +904,9 @@ ], "related.ip": [ "10.174.252.105", - "10.204.35.15", + "10.167.172.155", "10.107.168.60", - "10.167.172.155" + "10.204.35.15" ], "related.user": [ "mnisi" @@ -971,9 +971,9 @@ ], "related.ip": [ "10.99.249.210", + "10.214.249.164", "10.182.191.174", - "10.81.26.208", - "10.214.249.164" + "10.81.26.208" ], "related.user": [ "upta" @@ -1037,9 +1037,9 @@ "sauteiru4554.api.domain" ], "related.ip": [ + "10.220.5.143", "10.88.101.53", "10.201.238.90", - "10.220.5.143", "10.101.226.128" ], "related.user": [ @@ -1104,10 +1104,10 @@ "untut4046.internal.domain" ], "related.ip": [ - "10.243.218.215", - "10.217.150.196", + "10.30.133.66", "10.157.18.252", - "10.30.133.66" + "10.243.218.215", + "10.217.150.196" ], "related.user": [ "evit" @@ -1171,10 +1171,10 @@ "quid3147.mail.home" ], "related.ip": [ - "10.167.227.44", "10.181.133.187", "10.148.161.250", - "10.66.181.6" + "10.66.181.6", + "10.167.227.44" ], "related.user": [ "adipisc" @@ -1239,10 +1239,10 @@ "umdolo1029.mail.localhost" ], "related.ip": [ - "10.74.11.43", - "10.54.17.32", "10.84.163.178", - "10.107.9.163" + "10.107.9.163", + "10.54.17.32", + "10.74.11.43" ], "related.user": [ "mquisno" @@ -1307,9 +1307,9 @@ ], "related.ip": [ "10.230.129.252", - "10.184.73.211", + "10.112.32.213", "10.192.229.221", - "10.112.32.213" + "10.184.73.211" ], "related.user": [ "odi" @@ -1374,10 +1374,10 @@ "paquioff624.mail.invalid" ], "related.ip": [ - "10.161.148.64", + "10.198.213.189", "10.199.216.143", - "10.7.200.140", - "10.198.213.189" + "10.161.148.64", + "10.7.200.140" ], "related.user": [ "ccaeca" @@ -1441,10 +1441,10 @@ "mex2054.mail.corp" ], "related.ip": [ + "10.65.232.27", "10.206.96.56", - "10.22.187.69", "10.128.157.27", - "10.65.232.27" + "10.22.187.69" ], "related.user": [ "uaeab" @@ -1509,9 +1509,9 @@ ], "related.ip": [ "10.194.210.62", - "10.68.253.120", "10.183.130.225", - "10.71.114.14" + "10.71.114.14", + "10.68.253.120" ], "related.user": [ "admin" @@ -1576,10 +1576,10 @@ "loi7596.www5.home" ], "related.ip": [ - "10.47.255.237", - "10.45.253.103", "10.107.45.175", - "10.31.177.226" + "10.31.177.226", + "10.47.255.237", + "10.45.253.103" ], "related.user": [ "remagn" @@ -1644,10 +1644,10 @@ "nsequat1971.internal.invalid" ], "related.ip": [ + "10.225.212.189", "10.44.58.106", - "10.55.105.113", "10.213.94.135", - "10.225.212.189" + "10.55.105.113" ], "related.user": [ "dquia" @@ -1711,9 +1711,9 @@ "ectiono2241.lan" ], "related.ip": [ - "10.255.74.136", "10.69.161.78", "10.163.209.70", + "10.255.74.136", "10.2.114.9" ], "related.user": [ @@ -1778,10 +1778,10 @@ "umetMal1664.mail.lan" ], "related.ip": [ - "10.46.115.216", - "10.252.102.110", + "10.184.59.148", "10.12.129.137", - "10.184.59.148" + "10.46.115.216", + "10.252.102.110" ], "related.user": [ "perspici" @@ -1848,8 +1848,8 @@ "related.ip": [ "10.81.184.7", "10.199.194.79", - "10.155.204.243", - "10.105.52.140" + "10.105.52.140", + "10.155.204.243" ], "related.user": [ "eetd" @@ -1916,8 +1916,8 @@ "related.ip": [ "10.251.231.142", "10.177.238.45", - "10.18.226.72", - "10.110.2.166" + "10.110.2.166", + "10.18.226.72" ], "related.user": [ "taliqui" @@ -1982,10 +1982,10 @@ "iutali7297.www.domain" ], "related.ip": [ + "10.192.98.247", "10.99.202.229", - "10.100.199.226", "10.190.122.27", - "10.192.98.247" + "10.100.199.226" ], "related.user": [ "lloinven" @@ -2050,10 +2050,10 @@ "orumw5960.www5.home" ], "related.ip": [ + "10.172.154.97", "10.248.111.207", - "10.162.97.197", "10.37.193.70", - "10.172.154.97" + "10.162.97.197" ], "related.user": [ "culpaq" @@ -2117,10 +2117,10 @@ "oinv5493.internal.domain" ], "related.ip": [ + "10.36.63.31", "10.171.221.230", "10.222.165.250", - "10.45.35.180", - "10.36.63.31" + "10.45.35.180" ], "related.user": [ "otamr" @@ -2184,9 +2184,9 @@ "tnonproi195.api.home" ], "related.ip": [ - "10.1.171.61", - "10.199.127.211", "10.83.238.145", + "10.199.127.211", + "10.1.171.61", "10.238.4.219" ], "related.user": [ @@ -2252,9 +2252,9 @@ ], "related.ip": [ "10.170.252.219", - "10.65.141.244", + "10.44.226.104", "10.74.213.42", - "10.44.226.104" + "10.65.141.244" ], "related.user": [ "Nequepo" @@ -2385,10 +2385,10 @@ "redo6311.api.invalid" ], "related.ip": [ - "10.176.64.28", + "10.169.123.103", "10.97.138.181", "10.205.174.181", - "10.169.123.103" + "10.176.64.28" ], "related.user": [ "eseruntm" @@ -2453,10 +2453,10 @@ "dolorem1698.www.domain" ], "related.ip": [ + "10.204.4.40", "10.75.120.11", - "10.169.101.161", "10.53.101.131", - "10.204.4.40" + "10.169.101.161" ], "related.user": [ "tquo" @@ -2521,10 +2521,10 @@ "evitae7333.www.lan" ], "related.ip": [ - "10.156.117.169", "10.28.51.219", - "10.6.222.112", - "10.87.120.87" + "10.156.117.169", + "10.87.120.87", + "10.6.222.112" ], "related.user": [ "onsequu" @@ -2589,9 +2589,9 @@ ], "related.ip": [ "10.247.44.59", + "10.4.126.103", "10.57.89.155", - "10.253.167.17", - "10.4.126.103" + "10.253.167.17" ], "related.user": [ "ntorever" @@ -2655,10 +2655,10 @@ "olorsi2746.internal.localhost" ], "related.ip": [ - "10.36.69.125", "10.15.240.220", + "10.143.183.208", "10.248.206.210", - "10.143.183.208" + "10.36.69.125" ], "related.user": [ "met" @@ -2724,8 +2724,8 @@ ], "related.ip": [ "10.69.170.107", - "10.6.32.7", "10.34.133.2", + "10.6.32.7", "10.142.186.43" ], "related.user": [ @@ -2791,10 +2791,10 @@ "ender5647.www5.example" ], "related.ip": [ - "10.59.103.10", - "10.170.165.164", "10.121.153.197", - "10.142.22.24" + "10.142.22.24", + "10.59.103.10", + "10.170.165.164" ], "related.user": [ "borumSec" @@ -2859,9 +2859,9 @@ "sis3986.internal.lan" ], "related.ip": [ - "10.19.99.129", - "10.247.114.30", "10.176.83.7", + "10.247.114.30", + "10.19.99.129", "10.133.10.122" ], "related.user": [ @@ -2927,10 +2927,10 @@ "uatu2894.api.lan" ], "related.ip": [ + "10.64.139.17", "10.70.7.23", - "10.40.177.138", "10.8.29.219", - "10.64.139.17" + "10.40.177.138" ], "related.user": [ "rep" @@ -2996,8 +2996,8 @@ "related.ip": [ "10.2.189.20", "10.67.221.220", - "10.67.173.228", - "10.180.62.222" + "10.180.62.222", + "10.67.173.228" ], "related.user": [ "uptasnul" @@ -3062,10 +3062,10 @@ "uian521.www.example" ], "related.ip": [ - "10.147.127.181", + "10.196.176.243", "10.209.52.47", "10.56.134.118", - "10.196.176.243" + "10.147.127.181" ], "related.user": [ "tasu" @@ -3130,9 +3130,9 @@ ], "related.ip": [ "10.226.24.84", - "10.248.140.59", + "10.85.13.237", "10.231.18.90", - "10.85.13.237" + "10.248.140.59" ], "related.user": [ "Nem" @@ -3197,10 +3197,10 @@ "ntsunt4894.mail.domain" ], "related.ip": [ - "10.59.215.207", - "10.207.183.204", + "10.203.46.215", "10.8.224.72", - "10.203.46.215" + "10.207.183.204", + "10.59.215.207" ], "related.user": [ "eruntmo" @@ -3265,10 +3265,10 @@ "mexer3864.api.corp" ], "related.ip": [ - "10.98.154.146", "10.73.84.95", + "10.255.145.22", "10.230.38.148", - "10.255.145.22" + "10.98.154.146" ], "related.user": [ "sitam" @@ -3332,10 +3332,10 @@ "oluptat6960.www5.test" ], "related.ip": [ - "10.166.142.198", "10.105.120.162", - "10.175.181.138", - "10.211.29.187" + "10.211.29.187", + "10.166.142.198", + "10.175.181.138" ], "related.user": [ "tium" @@ -3400,10 +3400,10 @@ "fugiatnu2498.www.localhost" ], "related.ip": [ - "10.182.213.195", - "10.195.139.25", "10.122.133.162", - "10.220.202.102" + "10.220.202.102", + "10.182.213.195", + "10.195.139.25" ], "related.user": [ "aquae" @@ -3535,10 +3535,10 @@ "exer447.internal.localhost" ], "related.ip": [ - "10.241.143.145", - "10.35.190.164", "10.21.58.162", - "10.113.65.192" + "10.35.190.164", + "10.113.65.192", + "10.241.143.145" ], "related.user": [ "porin" @@ -3672,9 +3672,9 @@ ], "related.ip": [ "10.150.153.61", - "10.22.213.196", + "10.125.150.220", "10.120.50.13", - "10.125.150.220" + "10.22.213.196" ], "related.user": [ "inculpa" @@ -3739,10 +3739,10 @@ "edquiaco6562.api.lan" ], "related.ip": [ + "10.113.2.13", "10.85.52.249", - "10.229.155.171", "10.238.171.184", - "10.113.2.13" + "10.229.155.171" ], "related.user": [ "tatiset" @@ -3808,9 +3808,9 @@ ], "related.ip": [ "10.249.174.35", + "10.198.150.185", "10.51.245.225", - "10.220.1.249", - "10.198.150.185" + "10.220.1.249" ], "related.user": [ "quela" @@ -3875,8 +3875,8 @@ "eosqui3723.api.localdomain" ], "related.ip": [ - "10.38.185.31", "10.251.82.195", + "10.38.185.31", "10.190.96.181", "10.152.157.32" ], @@ -3942,10 +3942,10 @@ "itaedict199.mail.corp" ], "related.ip": [ - "10.103.102.242", - "10.190.247.194", "10.230.112.179", - "10.211.198.50" + "10.211.198.50", + "10.103.102.242", + "10.190.247.194" ], "related.user": [ "tDuisaut" @@ -4010,9 +4010,9 @@ ], "related.ip": [ "10.219.83.199", + "10.251.101.61", "10.47.223.155", - "10.101.13.122", - "10.251.101.61" + "10.101.13.122" ], "related.user": [ "ectetur" @@ -4077,10 +4077,10 @@ "saute7421.www.invalid" ], "related.ip": [ + "10.83.136.233", "10.31.86.83", - "10.21.30.43", "10.21.80.157", - "10.83.136.233" + "10.21.30.43" ], "related.user": [ "litsed" @@ -4145,9 +4145,9 @@ "oluptas1637.home" ], "related.ip": [ - "10.27.181.27", "10.45.152.205", "10.194.197.107", + "10.27.181.27", "10.195.90.73" ], "related.user": [ @@ -4213,10 +4213,10 @@ "ididu5505.api.localdomain" ], "related.ip": [ - "10.222.2.132", - "10.183.90.25", "10.43.239.97", - "10.129.161.18" + "10.129.161.18", + "10.183.90.25", + "10.222.2.132" ], "related.user": [ "aedicta" @@ -4280,10 +4280,10 @@ "mqui1099.api.corp" ], "related.ip": [ + "10.248.156.138", "10.67.129.100", - "10.231.167.171", "10.189.162.131", - "10.248.156.138" + "10.231.167.171" ], "related.user": [ "sedquia" @@ -4348,9 +4348,9 @@ "siuta2155.lan" ], "related.ip": [ + "10.63.103.30", "10.6.146.184", "10.185.107.27", - "10.63.103.30", "10.142.106.66" ], "related.user": [ @@ -4415,10 +4415,10 @@ "tatiset4191.localdomain" ], "related.ip": [ - "10.93.39.237", "10.119.179.182", + "10.214.93.200", "10.0.202.9", - "10.214.93.200" + "10.93.39.237" ], "related.user": [ "tionofd" @@ -4484,8 +4484,8 @@ ], "related.ip": [ "10.28.145.163", - "10.252.204.162", "10.123.154.140", + "10.252.204.162", "10.30.189.166" ], "related.user": [ @@ -4550,9 +4550,9 @@ "idolo6535.internal.example" ], "related.ip": [ + "10.46.162.198", "10.145.128.250", "10.79.49.3", - "10.46.162.198", "10.29.122.183" ], "related.user": [ @@ -4618,10 +4618,10 @@ "one7728.api.localdomain" ], "related.ip": [ - "10.166.169.167", - "10.65.174.196", + "10.142.235.217", "10.177.232.136", - "10.142.235.217" + "10.65.174.196", + "10.166.169.167" ], "related.user": [ "olors" @@ -4686,9 +4686,9 @@ "uptatem4446.internal.localhost" ], "related.ip": [ - "10.29.217.44", "10.215.184.154", "10.191.78.86", + "10.29.217.44", "10.53.188.140" ], "related.user": [ @@ -4754,8 +4754,8 @@ "emq2514.api.localhost" ], "related.ip": [ - "10.135.77.156", "10.46.222.149", + "10.135.77.156", "10.76.148.147", "10.74.74.129" ], @@ -4821,10 +4821,10 @@ "agna5654.www.corp" ], "related.ip": [ - "10.145.49.29", + "10.130.203.37", "10.96.200.223", - "10.11.146.253", - "10.130.203.37" + "10.145.49.29", + "10.11.146.253" ], "related.user": [ "mvele" @@ -4888,10 +4888,10 @@ "ipi4827.mail.lan" ], "related.ip": [ - "10.24.23.209", "10.162.78.48", - "10.48.75.140", - "10.162.2.180" + "10.162.2.180", + "10.24.23.209", + "10.48.75.140" ], "related.user": [ "rumwr" @@ -4955,10 +4955,10 @@ "sequatD163.internal.example" ], "related.ip": [ - "10.151.206.38", - "10.66.92.83", "10.119.12.186", - "10.97.105.115" + "10.97.105.115", + "10.151.206.38", + "10.66.92.83" ], "related.user": [ "nproide" @@ -5022,10 +5022,10 @@ "itamet1303.invalid" ], "related.ip": [ - "10.64.76.142", "10.169.139.250", "10.12.148.73", - "10.201.132.114" + "10.201.132.114", + "10.64.76.142" ], "related.user": [ "borisnis" @@ -5090,10 +5090,10 @@ "epr3512.internal.domain" ], "related.ip": [ - "10.111.128.11", - "10.9.236.18", "10.35.38.185", - "10.200.116.191" + "10.200.116.191", + "10.111.128.11", + "10.9.236.18" ], "related.user": [ "umfug" @@ -5157,10 +5157,10 @@ "uredol2174.home" ], "related.ip": [ - "10.134.238.8", "10.191.27.182", - "10.236.67.227", - "10.240.62.238" + "10.134.238.8", + "10.240.62.238", + "10.236.67.227" ], "related.user": [ "tlabo" @@ -5224,10 +5224,10 @@ "ididunt7607.mail.localhost" ], "related.ip": [ - "10.109.14.142", "10.22.231.91", - "10.65.35.64", - "10.165.66.92" + "10.165.66.92", + "10.109.14.142", + "10.65.35.64" ], "related.user": [ "perna" @@ -5292,9 +5292,9 @@ ], "related.ip": [ "10.64.161.215", + "10.29.230.203", "10.71.112.86", - "10.89.221.90", - "10.29.230.203" + "10.89.221.90" ], "related.user": [ "rnatur" @@ -5358,10 +5358,10 @@ "nonn1650.www.test" ], "related.ip": [ - "10.221.199.137", - "10.88.226.76", + "10.140.118.182", "10.79.208.135", - "10.140.118.182" + "10.221.199.137", + "10.88.226.76" ], "related.user": [ "erspic" @@ -5426,10 +5426,10 @@ "acons3940.api.lan" ], "related.ip": [ + "10.133.48.55", "10.35.73.208", - "10.126.61.230", "10.189.244.22", - "10.133.48.55" + "10.126.61.230" ], "related.user": [ "tia" @@ -5493,8 +5493,8 @@ "suscipit587.www.localhost" ], "related.ip": [ - "10.240.94.109", "10.239.194.105", + "10.240.94.109", "10.81.154.115", "10.35.65.72" ], @@ -5562,8 +5562,8 @@ ], "related.ip": [ "10.150.56.227", - "10.52.70.192", "10.248.72.104", + "10.52.70.192", "10.38.253.213" ], "related.user": [ @@ -5629,10 +5629,10 @@ "borios1067.www5.home" ], "related.ip": [ - "10.218.15.164", - "10.62.218.239", "10.73.172.186", - "10.203.193.134" + "10.203.193.134", + "10.218.15.164", + "10.62.218.239" ], "related.user": [ "reh" @@ -5696,9 +5696,9 @@ "msequ323.www.example" ], "related.ip": [ + "10.60.20.76", "10.10.46.43", "10.131.127.113", - "10.60.20.76", "10.136.211.234" ], "related.user": [ @@ -5764,10 +5764,10 @@ "tdolorem813.internal.host" ], "related.ip": [ + "10.50.177.151", "10.248.0.74", - "10.233.181.250", "10.187.237.220", - "10.50.177.151" + "10.233.181.250" ], "related.user": [ "ugiatq" @@ -5832,10 +5832,10 @@ "volupt4626.internal.test" ], "related.ip": [ - "10.96.223.46", - "10.80.129.81", + "10.248.248.120", "10.189.43.11", - "10.248.248.120" + "10.80.129.81", + "10.96.223.46" ], "related.user": [ "iatn" @@ -5900,9 +5900,9 @@ "ntium5103.www5.localhost" ], "related.ip": [ - "10.91.115.139", - "10.102.109.199", "10.173.114.63", + "10.102.109.199", + "10.91.115.139", "10.66.106.186" ], "related.user": [ @@ -5968,9 +5968,9 @@ "orpori3334.www.local" ], "related.ip": [ + "10.159.155.88", "10.0.175.17", "10.198.157.122", - "10.159.155.88", "10.221.223.127" ], "related.user": [ @@ -6035,10 +6035,10 @@ "equu7361.www5.localdomain" ], "related.ip": [ - "10.252.136.130", - "10.189.70.237", "10.30.20.187", - "10.7.212.201" + "10.7.212.201", + "10.189.70.237", + "10.252.136.130" ], "related.user": [ "ugiat" @@ -6103,10 +6103,10 @@ "tse2979.internal.localhost" ], "related.ip": [ - "10.60.224.93", - "10.242.121.165", "10.83.105.69", - "10.102.109.194" + "10.102.109.194", + "10.60.224.93", + "10.242.121.165" ], "related.user": [ "mni" @@ -6171,10 +6171,10 @@ "uisnostr2390.mail.domain" ], "related.ip": [ + "10.17.20.93", "10.219.174.45", - "10.181.134.69", "10.251.167.219", - "10.17.20.93" + "10.181.134.69" ], "related.user": [ "Uteni" @@ -6239,10 +6239,10 @@ "luptate4811.mail.example" ], "related.ip": [ - "10.28.233.253", - "10.37.14.20", + "10.223.99.90", "10.30.117.82", - "10.223.99.90" + "10.37.14.20", + "10.28.233.253" ], "related.user": [ "numqua" @@ -6307,10 +6307,10 @@ "lites1614.www.corp" ], "related.ip": [ - "10.57.85.113", - "10.8.32.17", + "10.125.20.22", "10.50.61.114", - "10.125.20.22" + "10.57.85.113", + "10.8.32.17" ], "related.user": [ "qua" @@ -6375,9 +6375,9 @@ "lorinrep7686.mail.corp" ], "related.ip": [ - "10.200.28.55", - "10.215.224.27", "10.113.78.101", + "10.215.224.27", + "10.200.28.55", "10.181.63.82" ], "related.user": [ @@ -6443,10 +6443,10 @@ "nderit6272.mail.example" ], "related.ip": [ - "10.243.43.168", + "10.169.95.128", "10.177.14.106", "10.139.20.223", - "10.169.95.128" + "10.243.43.168" ], "related.user": [ "ofd" @@ -6512,9 +6512,9 @@ ], "related.ip": [ "10.92.168.198", - "10.90.93.4", "10.39.100.88", - "10.18.176.44" + "10.18.176.44", + "10.90.93.4" ], "related.user": [ "adminima" @@ -6579,9 +6579,9 @@ "essequam1161.domain" ], "related.ip": [ - "10.163.203.191", "10.193.43.135", "10.49.68.8", + "10.163.203.191", "10.173.13.179" ], "related.user": [ @@ -6647,9 +6647,9 @@ ], "related.ip": [ "10.240.47.113", - "10.209.226.7", + "10.84.64.28", "10.31.147.51", - "10.84.64.28" + "10.209.226.7" ], "related.user": [ "ull" @@ -6714,9 +6714,9 @@ "item3647.home" ], "related.ip": [ + "10.52.13.192", "10.225.189.229", "10.86.1.244", - "10.52.13.192", "10.32.20.4" ], "related.user": [ diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index fe5ce75e1829..81c2af5f702d 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -367,8 +367,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.204.123.107", - "10.225.160.182" + "10.225.160.182", + "10.204.123.107" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", @@ -983,8 +983,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.169.101.161", - "10.122.204.151" + "10.122.204.151", + "10.169.101.161" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", @@ -1565,8 +1565,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 69eab97fe352..2633519ac68d 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -25,8 +25,8 @@ "litesse6379.api.domain" ], "related.ip": [ - "10.150.92.220", - "10.102.123.34" + "10.102.123.34", + "10.150.92.220" ], "related.user": [ "sumdo" @@ -143,8 +143,8 @@ "quis1130.internal.corp" ], "related.ip": [ - "10.118.175.9", - "10.173.116.41" + "10.173.116.41", + "10.118.175.9" ], "related.user": [ "uame" @@ -261,8 +261,8 @@ "enimad2283.internal.domain" ], "related.ip": [ - "10.245.142.250", - "10.70.0.60" + "10.70.0.60", + "10.245.142.250" ], "related.user": [ "eos" @@ -379,8 +379,8 @@ "iutal13.api.localdomain" ], "related.ip": [ - "10.12.44.169", - "10.214.225.125" + "10.214.225.125", + "10.12.44.169" ], "related.user": [ "erep" @@ -438,8 +438,8 @@ "uovol492.www.localhost" ], "related.ip": [ - "10.198.136.50", - "10.66.108.11" + "10.66.108.11", + "10.198.136.50" ], "related.user": [ "uptatev" @@ -556,8 +556,8 @@ "eniam7007.api.invalid" ], "related.ip": [ - "10.54.231.100", - "10.203.5.162" + "10.203.5.162", + "10.54.231.100" ], "related.user": [ "umdolore" @@ -615,8 +615,8 @@ "snulapar3794.api.domain" ], "related.ip": [ - "10.65.83.160", - "10.136.252.240" + "10.136.252.240", + "10.65.83.160" ], "related.user": [ "ender" @@ -674,8 +674,8 @@ "liq5883.localdomain" ], "related.ip": [ - "10.210.213.18", - "10.57.40.29" + "10.57.40.29", + "10.210.213.18" ], "related.user": [ "onse" @@ -969,8 +969,8 @@ "tion1761.home" ], "related.ip": [ - "10.73.69.75", - "10.19.201.13" + "10.19.201.13", + "10.73.69.75" ], "related.user": [ "tat" @@ -1028,8 +1028,8 @@ "santium4235.api.local" ], "related.ip": [ - "10.84.105.75", - "10.78.151.178" + "10.78.151.178", + "10.84.105.75" ], "related.user": [ "iquaUten" @@ -1087,8 +1087,8 @@ "CSed2857.www5.example" ], "related.ip": [ - "10.25.192.202", - "10.135.233.146" + "10.135.233.146", + "10.25.192.202" ], "related.user": [ "emeumfu" @@ -1146,8 +1146,8 @@ "equep5085.mail.domain" ], "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "uptat" @@ -1205,8 +1205,8 @@ "conseq557.mail.lan" ], "related.ip": [ - "10.225.160.182", - "10.191.105.82" + "10.191.105.82", + "10.225.160.182" ], "related.user": [ "eirure" @@ -1323,8 +1323,8 @@ "lit5929.test" ], "related.ip": [ - "10.153.111.103", - "10.6.167.7" + "10.6.167.7", + "10.153.111.103" ], "related.user": [ "eumfug" @@ -1618,8 +1618,8 @@ "xeacomm6855.api.corp" ], "related.ip": [ - "10.168.90.81", - "10.101.57.120" + "10.101.57.120", + "10.168.90.81" ], "related.user": [ "eporr" @@ -1913,8 +1913,8 @@ "eprehen3224.www5.localdomain" ], "related.ip": [ - "10.195.2.130", - "10.75.99.127" + "10.75.99.127", + "10.195.2.130" ], "related.user": [ "inibusB" @@ -1972,8 +1972,8 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.201.238.90", - "10.245.104.182" + "10.245.104.182", + "10.201.238.90" ], "related.user": [ "ovol" @@ -2090,8 +2090,8 @@ "gitsedqu2649.mail.lan" ], "related.ip": [ - "10.184.18.202", - "10.4.157.1" + "10.4.157.1", + "10.184.18.202" ], "related.user": [ "oditem" @@ -2208,8 +2208,8 @@ "tut2703.www.host" ], "related.ip": [ - "10.27.16.118", - "10.83.177.2" + "10.83.177.2", + "10.27.16.118" ], "related.user": [ "borios" @@ -2385,8 +2385,8 @@ "tot5313.mail.invalid" ], "related.ip": [ - "10.9.18.237", - "10.9.12.248" + "10.9.12.248", + "10.9.18.237" ], "related.user": [ "uradi" @@ -2444,8 +2444,8 @@ "rumet3801.internal.domain" ], "related.ip": [ - "10.41.123.102", - "10.83.130.226" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ "tenim" @@ -2562,8 +2562,8 @@ "sequat7273.api.host" ], "related.ip": [ - "10.134.18.114", - "10.142.25.100" + "10.142.25.100", + "10.134.18.114" ], "related.user": [ "osqui" @@ -2621,8 +2621,8 @@ "uidol4575.localhost" ], "related.ip": [ - "10.28.118.160", - "10.223.119.218" + "10.223.119.218", + "10.28.118.160" ], "related.user": [ "ntsunt" @@ -2916,8 +2916,8 @@ "iosamnis1047.internal.localdomain" ], "related.ip": [ - "10.210.89.183", - "10.150.245.88" + "10.150.245.88", + "10.210.89.183" ], "related.user": [ "sequa" @@ -2975,8 +2975,8 @@ "orroq6677.internal.example" ], "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.180.195.43", + "10.85.185.13" ], "related.user": [ "voluptas" @@ -3093,8 +3093,8 @@ "itaedict7233.mail.localdomain" ], "related.ip": [ - "10.86.11.48", - "10.248.165.185" + "10.248.165.185", + "10.86.11.48" ], "related.user": [ "dquiac" @@ -3152,8 +3152,8 @@ "numquam5869.internal.example" ], "related.ip": [ - "10.118.6.177", - "10.47.125.38" + "10.47.125.38", + "10.118.6.177" ], "related.user": [ "quunt" @@ -3211,8 +3211,8 @@ "onu6137.api.home" ], "related.ip": [ - "10.60.142.127", - "10.50.233.155" + "10.50.233.155", + "10.60.142.127" ], "related.user": [ "atv" @@ -3270,8 +3270,8 @@ "aecatcup2241.www5.test" ], "related.ip": [ - "10.28.82.189", - "10.120.10.211" + "10.120.10.211", + "10.28.82.189" ], "related.user": [ "rcit" @@ -3388,8 +3388,8 @@ "mveleum4322.www5.host" ], "related.ip": [ - "10.226.5.189", - "10.125.165.144" + "10.125.165.144", + "10.226.5.189" ], "related.user": [ "mvolu" @@ -3565,8 +3565,8 @@ "nreprehe715.api.home" ], "related.ip": [ - "10.17.87.79", - "10.123.199.198" + "10.123.199.198", + "10.17.87.79" ], "related.user": [ "ratvolu" @@ -3624,8 +3624,8 @@ "unte893.internal.host" ], "related.ip": [ - "10.38.86.177", - "10.115.68.40" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ "mpo" @@ -4096,8 +4096,8 @@ "squira4455.api.domain" ], "related.ip": [ - "10.196.96.162", - "10.34.131.224" + "10.34.131.224", + "10.196.96.162" ], "related.user": [ "tnonproi" @@ -4804,8 +4804,8 @@ "lamcola4879.www5.localdomain" ], "related.ip": [ - "10.14.204.36", - "10.85.104.146" + "10.85.104.146", + "10.14.204.36" ], "related.user": [ "emp" @@ -4863,8 +4863,8 @@ "edquian330.mail.local" ], "related.ip": [ - "10.208.18.210", - "10.30.246.132" + "10.30.246.132", + "10.208.18.210" ], "related.user": [ "veniam" @@ -4922,8 +4922,8 @@ "santi837.api.domain" ], "related.ip": [ - "10.19.119.17", - "10.106.249.91" + "10.106.249.91", + "10.19.119.17" ], "related.user": [ "lit" @@ -5040,8 +5040,8 @@ "nonn4478.host" ], "related.ip": [ - "10.164.207.42", - "10.164.120.197" + "10.164.120.197", + "10.164.207.42" ], "related.user": [ "pta" @@ -5099,8 +5099,8 @@ "amquaer3985.www5.example" ], "related.ip": [ - "10.183.189.133", - "10.154.191.225" + "10.154.191.225", + "10.183.189.133" ], "related.user": [ "ita" @@ -5276,8 +5276,8 @@ "orumS757.www5.corp" ], "related.ip": [ - "10.91.2.135", - "10.126.245.73" + "10.126.245.73", + "10.91.2.135" ], "related.user": [ "olore" @@ -5335,8 +5335,8 @@ "emi4534.www.localdomain" ], "related.ip": [ - "10.137.85.123", - "10.183.243.246" + "10.183.243.246", + "10.137.85.123" ], "related.user": [ "cid" @@ -5453,8 +5453,8 @@ "aturQu7083.mail.host" ], "related.ip": [ - "10.79.73.195", - "10.125.143.153" + "10.125.143.153", + "10.79.73.195" ], "related.user": [ "emip" @@ -5571,8 +5571,8 @@ "siarc6339.internal.corp" ], "related.ip": [ - "10.222.245.80", - "10.87.90.49" + "10.87.90.49", + "10.222.245.80" ], "related.user": [ "ptatemse" @@ -5689,8 +5689,8 @@ "byC5766.internal.home" ], "related.ip": [ - "10.105.97.134", - "10.204.178.19" + "10.204.178.19", + "10.105.97.134" ], "related.user": [ "mexercit" @@ -5866,8 +5866,8 @@ "porissu1470.domain" ], "related.ip": [ - "10.180.90.112", - "10.116.153.19" + "10.116.153.19", + "10.180.90.112" ], "related.user": [ "itessequ" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 367d81f9868a..1bc7032f6d25 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -6,6 +6,7 @@ "destination.bytes": 1130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -81,6 +82,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -151,6 +153,7 @@ "destination.bytes": 6812, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -225,6 +228,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -299,6 +303,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -373,6 +378,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -442,6 +448,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -512,6 +519,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -585,6 +593,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -654,6 +663,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -714,6 +724,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", @@ -825,6 +836,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", @@ -874,6 +886,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -889,6 +902,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.4.5.4", @@ -942,6 +956,7 @@ "source.as.organization.name": "Quad9", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": "9.9.9.9", @@ -1049,6 +1064,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", @@ -1100,6 +1116,7 @@ "service.type": "fortinet", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "7.6.3.4", @@ -1186,6 +1203,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.6", @@ -1235,6 +1253,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", @@ -1396,6 +1415,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1465,6 +1485,7 @@ "destination.bytes": 65446, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.6.4.7", @@ -1532,6 +1553,7 @@ "source.geo.city_name": "Beijing", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 39.9288, "source.geo.location.lon": 116.3889, "source.geo.region_iso_code": "CN-BJ", @@ -1553,6 +1575,7 @@ "destination.bytes": 20, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "2001:4860:4860::8888", @@ -1613,6 +1636,7 @@ "source.bytes": 3014, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "2001:4860:4860::8888", @@ -1629,6 +1653,7 @@ "destination.bytes": 10, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1689,6 +1714,7 @@ "source.bytes": 0, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "9.7.7.7", @@ -1772,6 +1798,7 @@ "destination.bytes": 77654, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1857,6 +1884,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", @@ -1879,6 +1907,7 @@ "destination.as.organization.name": "Dailymotion S.A.", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "195.8.215.136", diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json index e3803f80ef3e..0f8cf25378a0 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json @@ -994,8 +994,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.68.246.187", - "10.140.7.83" + "10.140.7.83", + "10.68.246.187" ], "rsa.email.email_dst": "gna", "rsa.email.email_src": "icabo", @@ -1248,8 +1248,8 @@ "atise3421.www5.localdomain" ], "related.ip": [ - "10.179.210.218", - "10.73.207.70" + "10.73.207.70", + "10.179.210.218" ], "rsa.email.email_dst": "rumSecti", "rsa.email.email_src": "taut", @@ -3094,8 +3094,8 @@ "taevitae6868.www.corp" ], "related.ip": [ - "10.60.164.100", - "10.161.1.146" + "10.161.1.146", + "10.60.164.100" ], "rsa.email.email_dst": "nproiden", "rsa.email.email_src": "etconse", @@ -3194,8 +3194,8 @@ "tetura7106.www5.corp" ], "related.ip": [ - "10.93.239.216", - "10.44.35.57" + "10.44.35.57", + "10.93.239.216" ], "rsa.email.email_dst": "ciun", "rsa.email.email_src": "vento", @@ -3794,8 +3794,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.251.183.113", - "10.201.105.58" + "10.201.105.58", + "10.251.183.113" ], "rsa.email.email_dst": "ionemu", "rsa.email.email_src": "ent", @@ -3838,8 +3838,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.209.203.156", - "10.132.139.98" + "10.132.139.98", + "10.209.203.156" ], "rsa.email.email_dst": "borisnis", "rsa.email.email_src": "pariat", diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json index 78030aa2c531..ee8c3414d5e1 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -26,8 +26,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.44.173.44", - "10.20.234.169", - "10.189.58.145" + "10.189.58.145", + "10.20.234.169" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -244,8 +244,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.131.233.27", "10.27.88.95", + "10.131.233.27", "10.50.112.141" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -314,8 +314,8 @@ "olo7148.mail.home" ], "related.ip": [ - "10.87.212.179", - "10.157.213.15" + "10.157.213.15", + "10.87.212.179" ], "related.user": [ "rveli" @@ -405,8 +405,8 @@ "agna7678.internal.host" ], "related.ip": [ - "10.76.73.140", - "10.114.150.67" + "10.114.150.67", + "10.76.73.140" ], "related.user": [ "aperia" @@ -507,8 +507,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "accept", - "iadese" + "iadese", + "accept" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -582,9 +582,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.114.16.155", + "10.186.85.3", "10.176.216.90", - "10.186.85.3" + "10.114.16.155" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -828,9 +828,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.58.214.16", "10.238.164.74", - "10.106.162.153", - "10.58.214.16" + "10.106.162.153" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -972,8 +972,8 @@ "rsa.investigations.event_vcat": "xer", "rsa.misc.OS": "fugi", "rsa.misc.action": [ - "umdolo", - "deny" + "deny", + "umdolo" ], "rsa.misc.category": "conseq", "rsa.misc.client": "cusant", @@ -1127,8 +1127,8 @@ "rsa.investigations.event_vcat": "psumqu", "rsa.misc.OS": "oraincid", "rsa.misc.action": [ - "ritt", - "deny" + "deny", + "ritt" ], "rsa.misc.category": "idunt", "rsa.misc.client": "siu", @@ -1202,9 +1202,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.98.194.212", "10.51.213.42", - "10.233.120.207" + "10.233.120.207", + "10.98.194.212" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1266,9 +1266,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.245.187.229", "10.67.132.242", - "10.241.132.176", - "10.245.187.229" + "10.241.132.176" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1335,8 +1335,8 @@ "tore7088.www.invalid" ], "related.ip": [ - "10.199.47.220", - "10.212.214.4" + "10.212.214.4", + "10.199.47.220" ], "related.user": [ "atv" @@ -1437,8 +1437,8 @@ "rsa.investigations.event_vcat": "metcons", "rsa.misc.OS": "ehende", "rsa.misc.action": [ - "deny", - "umf" + "umf", + "deny" ], "rsa.misc.category": "emUte", "rsa.misc.client": "archite", @@ -1517,8 +1517,8 @@ "eturad6143.www.home" ], "related.ip": [ - "10.128.46.70", - "10.95.117.134" + "10.95.117.134", + "10.128.46.70" ], "related.user": [ "enim" @@ -1608,8 +1608,8 @@ "orinrep5386.www.corp" ], "related.ip": [ - "10.253.228.140", - "10.208.21.135" + "10.208.21.135", + "10.253.228.140" ], "related.user": [ "inculp" @@ -1619,8 +1619,8 @@ "rsa.investigations.event_vcat": "emagn", "rsa.misc.OS": "oditempo", "rsa.misc.action": [ - "ugitse", - "cancel" + "cancel", + "ugitse" ], "rsa.misc.category": "magnid", "rsa.misc.client": "sci", @@ -1699,8 +1699,8 @@ "henderi724.www5.home" ], "related.ip": [ - "10.3.23.172", - "10.243.226.122" + "10.243.226.122", + "10.3.23.172" ], "related.user": [ "olorem" @@ -1710,8 +1710,8 @@ "rsa.investigations.event_vcat": "ess", "rsa.misc.OS": "equatDu", "rsa.misc.action": [ - "cancel", - "emullamc" + "emullamc", + "cancel" ], "rsa.misc.category": "niamquis", "rsa.misc.client": "tutlabo", @@ -1801,8 +1801,8 @@ "rsa.investigations.event_vcat": "snostrum", "rsa.misc.OS": "tiaecon", "rsa.misc.action": [ - "cancel", - "atiset" + "atiset", + "cancel" ], "rsa.misc.category": "ehende", "rsa.misc.client": "umquam", @@ -1878,8 +1878,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.117.63.181", - "10.247.53.179", - "10.168.20.20" + "10.168.20.20", + "10.247.53.179" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1947,8 +1947,8 @@ "tasnul4179.internal.host" ], "related.ip": [ - "10.141.156.217", - "10.53.168.187" + "10.53.168.187", + "10.141.156.217" ], "related.user": [ "amqu" @@ -1958,8 +1958,8 @@ "rsa.investigations.event_vcat": "illumq", "rsa.misc.OS": "idata", "rsa.misc.action": [ - "emacc", - "block" + "block", + "emacc" ], "rsa.misc.category": "ueporro", "rsa.misc.client": "veli", @@ -2050,8 +2050,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "accept", - "odoc" + "odoc", + "accept" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2232,8 +2232,8 @@ "rsa.investigations.event_vcat": "uatu", "rsa.misc.OS": "tnulapar", "rsa.misc.action": [ - "deny", - "odic" + "odic", + "deny" ], "rsa.misc.category": "deri", "rsa.misc.client": "scivelit", @@ -2307,8 +2307,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.37.161.101", "10.111.182.212", + "10.37.161.101", "10.17.209.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2371,9 +2371,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.170.196.181", + "10.153.166.133", "10.158.175.98", - "10.153.166.133" + "10.170.196.181" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2526,9 +2526,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.174.17.46", + "10.38.168.190", "10.77.105.81", - "10.38.168.190" + "10.174.17.46" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2654,9 +2654,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.214.156.161", + "10.66.90.225", "10.145.194.12", - "10.66.90.225" + "10.214.156.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2719,8 +2719,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.156.208.5", - "10.163.36.101", - "10.6.242.108" + "10.6.242.108", + "10.163.36.101" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2787,8 +2787,8 @@ "remeum2641.www5.corp" ], "related.ip": [ - "10.68.233.163", - "10.220.148.127" + "10.220.148.127", + "10.68.233.163" ], "related.user": [ "estiaec" @@ -2798,8 +2798,8 @@ "rsa.investigations.event_vcat": "olore", "rsa.misc.OS": "tatem", "rsa.misc.action": [ - "allow", - "itanimi" + "itanimi", + "allow" ], "rsa.misc.category": "psa", "rsa.misc.client": "ugits", @@ -2889,8 +2889,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "allow", - "nimides" + "nimides", + "allow" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", @@ -2970,8 +2970,8 @@ "mea6298.api.example" ], "related.ip": [ - "10.113.152.241", - "10.115.121.243" + "10.115.121.243", + "10.113.152.241" ], "related.user": [ "norumetM" @@ -3061,8 +3061,8 @@ "iqu7510.internal.corp" ], "related.ip": [ - "10.49.82.45", - "10.179.153.97" + "10.179.153.97", + "10.49.82.45" ], "related.user": [ "dictasun" @@ -3072,8 +3072,8 @@ "rsa.investigations.event_vcat": "tatemse", "rsa.misc.OS": "eturadi", "rsa.misc.action": [ - "ade", - "accept" + "accept", + "ade" ], "rsa.misc.category": "laboreet", "rsa.misc.client": "ano", @@ -3147,8 +3147,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.205.83.138", "10.98.52.184", + "10.205.83.138", "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3211,8 +3211,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.197.128.162", "10.228.11.50", + "10.197.128.162", "10.90.189.248" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3320,8 +3320,8 @@ "deFinibu3940.internal.lan" ], "related.ip": [ - "10.22.248.52", - "10.124.71.88" + "10.124.71.88", + "10.22.248.52" ], "related.user": [ "tcons" @@ -3331,8 +3331,8 @@ "rsa.investigations.event_vcat": "uiratio", "rsa.misc.OS": "xce", "rsa.misc.action": [ - "cancel", - "cons" + "cons", + "cancel" ], "rsa.misc.category": "ciun", "rsa.misc.client": "amquisn", @@ -3411,8 +3411,8 @@ "tatiset4191.localdomain" ], "related.ip": [ - "10.26.58.20", - "10.185.37.176" + "10.185.37.176", + "10.26.58.20" ], "related.user": [ "eumiure" @@ -3422,8 +3422,8 @@ "rsa.investigations.event_vcat": "iae", "rsa.misc.OS": "evelite", "rsa.misc.action": [ - "essequam", - "block" + "block", + "essequam" ], "rsa.misc.category": "tmollita", "rsa.misc.client": "uiinea", @@ -3497,8 +3497,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.14.145.107", "10.200.12.126", + "10.14.145.107", "10.250.231.196" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3561,9 +3561,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.225.34.176", "10.21.203.112", - "10.103.36.192" + "10.103.36.192", + "10.225.34.176" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3625,9 +3625,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.5.67.140", + "10.140.59.161", "10.118.111.183", - "10.140.59.161" + "10.5.67.140" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3694,8 +3694,8 @@ "nimadmi4084.api.home" ], "related.ip": [ - "10.7.70.169", - "10.28.212.191" + "10.28.212.191", + "10.7.70.169" ], "related.user": [ "itsed" @@ -3705,8 +3705,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "accept", - "nostru" + "nostru", + "accept" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3796,8 +3796,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "block", - "nvo" + "nvo", + "block" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -4277,8 +4277,8 @@ "ntex5135.corp" ], "related.ip": [ - "10.239.194.105", - "10.234.171.117" + "10.234.171.117", + "10.239.194.105" ], "related.user": [ "tat" @@ -4288,8 +4288,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "deny", - "tenatus" + "tenatus", + "deny" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4743,8 +4743,8 @@ "spici5547.internal.test" ], "related.ip": [ - "10.112.242.68", - "10.216.49.112" + "10.216.49.112", + "10.112.242.68" ], "related.user": [ "urmag" @@ -4920,9 +4920,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.246.41.77", "10.228.61.5", - "10.157.22.21" + "10.157.22.21", + "10.246.41.77" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4984,9 +4984,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.188.131.18", "10.242.119.111", - "10.239.231.168", - "10.188.131.18" + "10.239.231.168" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5064,8 +5064,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "inea", - "accept" + "accept", + "inea" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5184,8 +5184,8 @@ "riaturE1644.www5.example" ], "related.ip": [ - "10.215.144.167", - "10.162.114.52" + "10.162.114.52", + "10.215.144.167" ], "related.user": [ "erspici" @@ -5195,8 +5195,8 @@ "rsa.investigations.event_vcat": "empori", "rsa.misc.OS": "ostru", "rsa.misc.action": [ - "quepor", - "allow" + "allow", + "quepor" ], "rsa.misc.category": "cipitla", "rsa.misc.client": "exeacomm", @@ -5361,9 +5361,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.75.198.93", + "10.51.106.43", "10.137.36.151", - "10.51.106.43" + "10.75.198.93" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5425,9 +5425,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.7.230.206", "10.154.151.111", - "10.249.93.150" + "10.249.93.150", + "10.7.230.206" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5505,8 +5505,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "deny", - "rsitame" + "rsitame", + "deny" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5585,8 +5585,8 @@ "dquiac6194.api.lan" ], "related.ip": [ - "10.241.140.241", - "10.180.162.174" + "10.180.162.174", + "10.241.140.241" ], "related.user": [ "nulapar" @@ -5596,8 +5596,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "ido", - "accept" + "accept", + "ido" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5687,8 +5687,8 @@ "rsa.investigations.event_vcat": "atvolupt", "rsa.misc.OS": "riosam", "rsa.misc.action": [ - "ssitasp", - "deny" + "deny", + "ssitasp" ], "rsa.misc.category": "enimadmi", "rsa.misc.client": "uatDui", @@ -5767,8 +5767,8 @@ "dicta7226.mail.example" ], "related.ip": [ - "10.53.50.77", - "10.4.244.115" + "10.4.244.115", + "10.53.50.77" ], "related.user": [ "idolo" @@ -5853,9 +5853,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.236.211.111", "10.120.212.78", - "10.221.100.157" + "10.221.100.157", + "10.236.211.111" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5933,8 +5933,8 @@ "rsa.investigations.event_vcat": "lauda", "rsa.misc.OS": "enatuser", "rsa.misc.action": [ - "accept", - "rios" + "rios", + "accept" ], "rsa.misc.category": "aUte", "rsa.misc.client": "iusm", @@ -6009,8 +6009,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.123.59.69", - "10.226.255.3", - "10.53.251.202" + "10.53.251.202", + "10.226.255.3" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6072,9 +6072,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.212.56.26", "10.3.85.176", - "10.29.141.252" + "10.29.141.252", + "10.212.56.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6227,9 +6227,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.11.150.136", + "10.83.98.220", "10.171.60.173", - "10.83.98.220" + "10.11.150.136" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6291,9 +6291,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.74.88.209", "10.92.3.166", - "10.238.49.73", - "10.74.88.209" + "10.238.49.73" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6355,9 +6355,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.84.200.121", "10.119.248.36", - "10.187.107.47", - "10.84.200.121" + "10.187.107.47" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6419,9 +6419,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.135.213.17", + "10.30.239.222", "10.167.128.229", - "10.30.239.222" + "10.135.213.17" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6488,8 +6488,8 @@ "rspic5637.api.local" ], "related.ip": [ - "10.169.133.219", - "10.115.166.48" + "10.115.166.48", + "10.169.133.219" ], "related.user": [ "emq" @@ -6499,8 +6499,8 @@ "rsa.investigations.event_vcat": "iumdol", "rsa.misc.OS": "min", "rsa.misc.action": [ - "eleumiur", - "block" + "block", + "eleumiur" ], "rsa.misc.category": "ero", "rsa.misc.client": "gia", @@ -6579,8 +6579,8 @@ "rror3870.www5.local" ], "related.ip": [ - "10.146.255.40", - "10.226.39.82" + "10.226.39.82", + "10.146.255.40" ], "related.user": [ "caecatcu" @@ -6729,8 +6729,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.66.149.234", "10.186.253.240", + "10.66.149.234", "10.233.128.7" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6793,9 +6793,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.227.133.134", "10.46.11.114", - "10.173.140.201" + "10.173.140.201", + "10.227.133.134" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6926,8 +6926,8 @@ "velill3821.mail.invalid" ], "related.ip": [ - "10.97.254.192", - "10.124.34.251" + "10.124.34.251", + "10.97.254.192" ], "related.user": [ "epor" @@ -7012,9 +7012,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.9.41.221", + "10.204.98.238", "10.81.58.91", - "10.204.98.238" + "10.9.41.221" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7117,8 +7117,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.35.84.125", - "10.212.208.70", - "10.37.120.29" + "10.37.120.29", + "10.212.208.70" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7180,9 +7180,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.199.201.26", "10.207.207.106", - "10.143.65.84" + "10.143.65.84", + "10.199.201.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7244,8 +7244,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.41.61.88", "10.204.27.48", + "10.41.61.88", "10.163.236.253" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7308,8 +7308,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.246.81.164", "10.53.110.111", + "10.246.81.164", "10.185.44.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7378,8 +7378,8 @@ "cupida6106.www5.local" ], "related.ip": [ - "10.146.77.206", - "10.109.172.90" + "10.109.172.90", + "10.146.77.206" ], "related.user": [ "aquaeab" @@ -7469,8 +7469,8 @@ "unt2122.internal.local" ], "related.ip": [ - "10.202.250.141", - "10.38.18.72" + "10.38.18.72", + "10.202.250.141" ], "related.user": [ "maperia" @@ -7662,8 +7662,8 @@ "rsa.investigations.event_vcat": "olupt", "rsa.misc.OS": "rumw", "rsa.misc.action": [ - "block", - "tali" + "tali", + "block" ], "rsa.misc.category": "itsedq", "rsa.misc.client": "esciu", diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 2d1832bc54af..d8efe2892a51 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -282,6 +282,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -327,6 +328,7 @@ "source.geo.city_name": "Clermont-Ferrand", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 45.7838, "source.geo.location.lon": 3.0966, "source.geo.region_iso_code": "FR-63", diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json index c8b16376e8ff..73f9e79c29aa 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -801,6 +802,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -866,6 +868,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index 7c44c612d138..a38404366721 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ "iam" @@ -42,6 +41,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -56,7 +56,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ "iam" @@ -97,6 +96,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -111,7 +111,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ "iam" @@ -152,6 +151,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -166,7 +166,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", "event.category": [ "iam" @@ -206,6 +205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -220,7 +220,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ "iam" @@ -255,6 +254,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -269,7 +269,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -304,6 +303,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -318,7 +318,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -353,6 +352,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -367,7 +367,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -402,6 +401,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -416,7 +416,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ "iam" @@ -450,6 +449,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 88580177907f..2a8eb8eb3fe4 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_BUILDING", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_BUILDING", "event.category": [ "iam" @@ -84,6 +83,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -98,7 +98,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_BUILDING", "event.category": [ "iam" @@ -136,6 +135,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -150,7 +150,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -199,7 +199,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -234,6 +233,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -248,7 +248,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -283,6 +282,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -297,7 +297,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -332,6 +331,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -346,7 +346,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -384,6 +383,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -398,7 +398,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -434,6 +433,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -448,7 +448,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -486,6 +485,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -500,7 +500,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ "iam" @@ -541,6 +540,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -555,7 +555,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CANCEL_CALENDAR_EVENTS", "event.category": [ "iam" @@ -590,6 +589,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -604,7 +604,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RELEASE_CALENDAR_RESOURCES", "event.category": [ "iam" @@ -639,6 +638,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 70de8368e2c4..4736114f4272 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_CREATE_GATEWAY", "event.category": [ "iam" @@ -34,6 +33,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -48,7 +48,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_DELETE_GATEWAY", "event.category": [ "iam" @@ -82,6 +81,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -96,7 +96,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ "iam" @@ -130,6 +129,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -144,7 +144,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHAT_SETTING", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index 4ce27e5aff27..00f51c0bc794 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ "iam" @@ -42,6 +41,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -56,7 +56,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DEVICE_STATE", "event.category": [ "iam" @@ -93,6 +92,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -107,7 +107,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ "iam" @@ -149,6 +148,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -163,7 +163,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", "event.category": [ "iam" @@ -198,6 +197,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -212,7 +212,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", "event.category": [ "iam" @@ -246,6 +245,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -260,7 +260,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", "event.category": [ "iam" @@ -297,6 +296,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -311,7 +311,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", "event.category": [ "iam" @@ -348,6 +347,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -362,7 +362,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", "event.category": [ "iam" @@ -399,6 +398,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -413,7 +413,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "INSERT_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -447,6 +446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -461,7 +461,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -495,6 +494,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -509,7 +509,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -545,6 +544,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -559,7 +559,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "INSERT_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -593,6 +592,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -607,7 +607,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -641,6 +640,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -655,7 +655,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -691,6 +690,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -705,7 +705,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_SETTING", "event.category": [ "iam" @@ -742,6 +741,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -756,7 +756,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_USER_SETTING", "event.category": [ "iam" @@ -793,6 +792,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -807,7 +807,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ISSUE_DEVICE_COMMAND", "event.category": [ "iam" @@ -846,6 +845,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -860,7 +860,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", "event.category": [ "iam" @@ -897,6 +896,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -911,7 +911,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", "event.category": [ "iam" @@ -945,6 +944,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -959,7 +959,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DEVICE", "event.category": [ "iam" @@ -994,6 +993,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1008,7 +1008,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ "iam" @@ -1046,6 +1045,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index ed54f20525a2..dee1917e48d9 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ "iam" @@ -38,6 +37,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json index c43835104fa8..b5c6d47d8b3b 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ASSIGN_ROLE", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ROLE", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ROLE", "event.category": [ "iam" @@ -135,6 +134,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -149,7 +149,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_PRIVILEGE", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -199,7 +199,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_PRIVILEGE", "event.category": [ "iam" @@ -235,6 +234,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -249,7 +249,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_ROLE", "event.category": [ "iam" @@ -284,6 +283,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -298,7 +298,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ROLE", "event.category": [ "iam" @@ -333,6 +332,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -347,7 +347,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNASSIGN_ROLE", "event.category": [ "iam" @@ -384,6 +383,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index 4fb31027b62a..e0f00e254435 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DRIVE_DATA_RESTORE", "event.category": [ "iam" @@ -89,6 +88,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -103,7 +103,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOCS_SETTING", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -157,4 +157,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json index a8d965c7c8d1..a349010fdb40 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_APPLICATION", "event.category": [ "iam" @@ -85,6 +84,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -99,7 +99,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_APPLICATION_TO_WHITELIST", "event.category": [ "iam" @@ -134,6 +133,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -148,7 +148,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ADVERTISEMENT_OPTION", "event.category": [ "iam" @@ -184,6 +183,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -198,7 +198,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ALERT", "event.category": [ "iam" @@ -232,6 +231,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -246,7 +246,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALERT_CRITERIA", "event.category": [ "iam" @@ -280,6 +279,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -294,7 +294,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ALERT", "event.category": [ "iam" @@ -328,6 +327,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -342,7 +342,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALERT_RECEIVERS_CHANGED", "event.category": [ "iam" @@ -378,6 +377,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -392,7 +392,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_ALERT", "event.category": [ "iam" @@ -427,6 +426,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -441,7 +441,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALERT_STATUS_CHANGED", "event.category": [ "iam" @@ -477,6 +476,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -491,7 +491,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_DOMAIN_ALIAS", "event.category": [ "iam" @@ -526,6 +525,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -540,7 +540,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_DOMAIN_ALIAS", "event.category": [ "iam" @@ -575,6 +574,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -589,7 +589,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SKIP_DOMAIN_ALIAS_MX", "event.category": [ "iam" @@ -624,6 +623,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -638,7 +638,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_DOMAIN_ALIAS_MX", "event.category": [ "iam" @@ -673,6 +672,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -687,7 +687,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_DOMAIN_ALIAS", "event.category": [ "iam" @@ -723,6 +722,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -737,7 +737,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "event.category": [ "iam" @@ -772,6 +771,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -786,7 +786,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "event.category": [ "iam" @@ -821,6 +820,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -835,7 +835,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_API_ACCESS", "event.category": [ "iam" @@ -871,6 +870,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -885,7 +885,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "AUTHORIZE_API_CLIENT_ACCESS", "event.category": [ "iam" @@ -924,6 +923,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -938,7 +938,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_API_CLIENT_ACCESS", "event.category": [ "iam" @@ -973,6 +972,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -987,7 +987,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_REDEEMED", "event.category": [ "iam" @@ -1023,6 +1022,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1037,7 +1037,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", "event.category": [ "iam" @@ -1072,6 +1071,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1086,7 +1086,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PRIMARY_DOMAIN", "event.category": [ "iam" @@ -1121,6 +1120,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1135,7 +1135,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_WHITELIST_SETTING", "event.category": [ "iam" @@ -1171,6 +1170,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1185,7 +1185,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "event.category": [ "iam" @@ -1222,6 +1221,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1236,7 +1236,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", "event.category": [ "iam" @@ -1272,6 +1271,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1286,7 +1286,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_FEEDBACK_SOLICITATION", "event.category": [ "iam" @@ -1322,6 +1321,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1336,7 +1336,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CONTACT_SHARING", "event.category": [ "iam" @@ -1371,6 +1370,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1385,7 +1385,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", "event.category": [ "iam" @@ -1419,6 +1418,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1433,7 +1433,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_CUSTOM_LOGO", "event.category": [ "iam" @@ -1468,6 +1467,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1482,7 +1482,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CUSTOM_LOGO", "event.category": [ "iam" @@ -1516,6 +1515,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1530,7 +1530,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", "event.category": [ "iam" @@ -1566,6 +1565,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1580,7 +1580,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", "event.category": [ "iam" @@ -1616,6 +1615,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1630,7 +1630,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", "event.category": [ "iam" @@ -1666,6 +1665,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1680,7 +1680,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", "event.category": [ "iam" @@ -1714,6 +1713,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1728,7 +1728,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_DNS_LOGIN_DETAILS", "event.category": [ "iam" @@ -1762,6 +1761,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1776,7 +1776,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", "event.category": [ "iam" @@ -1812,6 +1811,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1826,7 +1826,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", "event.category": [ "iam" @@ -1862,6 +1861,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1876,7 +1876,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_NAME", "event.category": [ "iam" @@ -1911,6 +1910,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1925,7 +1925,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", "event.category": [ "iam" @@ -1960,6 +1959,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1974,7 +1974,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", "event.category": [ "iam" @@ -2010,6 +2009,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2024,7 +2024,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_TRUSTED_DOMAINS", "event.category": [ "iam" @@ -2058,6 +2057,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2072,7 +2072,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_TRUSTED_DOMAINS", "event.category": [ "iam" @@ -2106,6 +2105,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2120,7 +2120,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EDU_TYPE", "event.category": [ "iam" @@ -2156,6 +2155,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2170,7 +2170,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", "event.category": [ "iam" @@ -2205,6 +2204,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2219,7 +2219,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSO_ENABLED", "event.category": [ "iam" @@ -2254,6 +2253,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2268,7 +2268,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSL", "event.category": [ "iam" @@ -2303,6 +2302,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2317,7 +2317,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", "event.category": [ "iam" @@ -2353,6 +2352,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2367,7 +2367,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_TRANSFER_TOKEN", "event.category": [ "iam" @@ -2400,6 +2399,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2414,7 +2414,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", "event.category": [ "iam" @@ -2450,6 +2449,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2464,7 +2464,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_BORDER_COLOR", "event.category": [ "iam" @@ -2500,6 +2499,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2514,7 +2514,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", "event.category": [ "iam" @@ -2550,6 +2549,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2564,7 +2564,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "PLAY_FOR_WORK_ENROLL", "event.category": [ "iam" @@ -2599,6 +2598,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2613,7 +2613,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "PLAY_FOR_WORK_UNENROLL", "event.category": [ "iam" @@ -2647,6 +2646,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2661,7 +2661,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MX_RECORD_VERIFICATION_CLAIM", "event.category": [ "iam" @@ -2697,6 +2696,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2711,7 +2711,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_NEW_APP_FEATURES", "event.category": [ "iam" @@ -2746,6 +2745,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2760,7 +2760,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "event.category": [ "iam" @@ -2795,6 +2794,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2809,7 +2809,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPLOAD_OAUTH_CERTIFICATE", "event.category": [ "iam" @@ -2843,6 +2842,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2857,7 +2857,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", "event.category": [ "iam" @@ -2891,6 +2890,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2905,7 +2905,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OPEN_ID_ENABLED", "event.category": [ "iam" @@ -2940,6 +2939,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2954,7 +2954,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ORGANIZATION_NAME", "event.category": [ "iam" @@ -2990,6 +2989,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3004,7 +3004,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OUTBOUND_RELAY", "event.category": [ "iam" @@ -3041,6 +3040,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3055,7 +3055,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_MAX_LENGTH", "event.category": [ "iam" @@ -3091,6 +3090,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3105,7 +3105,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_MIN_LENGTH", "event.category": [ "iam" @@ -3141,6 +3140,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3155,7 +3155,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", "event.category": [ "iam" @@ -3191,6 +3190,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3205,7 +3205,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "event.category": [ "iam" @@ -3241,6 +3240,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3255,7 +3255,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_APPLICATION", "event.category": [ "iam" @@ -3290,6 +3289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3304,7 +3304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", "event.category": [ "iam" @@ -3339,6 +3338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3353,7 +3353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", "event.category": [ "iam" @@ -3389,6 +3388,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3403,7 +3403,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RESELLER_ACCESS", "event.category": [ "iam" @@ -3438,6 +3437,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3452,7 +3452,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RULE_ACTIONS_CHANGED", "event.category": [ "iam" @@ -3486,6 +3485,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3500,7 +3500,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_RULE", "event.category": [ "iam" @@ -3534,6 +3533,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3548,7 +3548,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RULE_CRITERIA", "event.category": [ "iam" @@ -3582,6 +3581,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3596,7 +3596,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_RULE", "event.category": [ "iam" @@ -3630,6 +3629,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3644,7 +3644,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_RULE", "event.category": [ "iam" @@ -3679,6 +3678,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3693,7 +3693,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RULE_STATUS_CHANGED", "event.category": [ "iam" @@ -3729,6 +3728,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3743,7 +3743,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3778,6 +3777,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3792,7 +3792,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3827,6 +3826,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3841,7 +3841,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SKIP_SECONDARY_DOMAIN_MX", "event.category": [ "iam" @@ -3876,6 +3875,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3890,7 +3890,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_SECONDARY_DOMAIN_MX", "event.category": [ "iam" @@ -3925,6 +3924,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3939,7 +3939,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3974,6 +3973,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3988,7 +3988,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", "event.category": [ "iam" @@ -4024,6 +4023,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4038,7 +4038,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SSO_SETTINGS", "event.category": [ "iam" @@ -4072,6 +4071,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4086,7 +4086,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_PIN", "event.category": [ "iam" @@ -4119,6 +4118,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4133,7 +4133,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_RULE", "event.category": [ "iam" @@ -4167,6 +4166,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index bdb57f64b88a..f62dad33200c 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DROP_FROM_QUARANTINE", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EMAIL_LOG_SEARCH", "event.category": [ "iam" @@ -89,6 +88,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -103,7 +103,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EMAIL_UNDELETE", "event.category": [ "iam" @@ -141,6 +140,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -155,7 +155,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EMAIL_SETTING", "event.category": [ "iam" @@ -196,6 +195,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -210,7 +210,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GMAIL_SETTING", "event.category": [ "iam" @@ -247,6 +246,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -261,7 +261,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GMAIL_SETTING", "event.category": [ "iam" @@ -298,6 +297,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -312,7 +312,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GMAIL_SETTING", "event.category": [ "iam" @@ -349,6 +348,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -363,7 +363,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REJECT_FROM_QUARANTINE", "event.category": [ "iam" @@ -398,6 +397,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -412,7 +412,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RELEASE_FROM_QUARANTINE", "event.category": [ "iam" @@ -447,6 +446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -460,4 +460,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json index 42a9699094ca..ff894cd6c054 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GROUP", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GROUP", "event.category": [ "iam" @@ -88,6 +87,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -102,7 +102,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_DESCRIPTION", "event.category": [ "iam" @@ -139,6 +138,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -153,7 +153,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_LIST_DOWNLOAD", "event.category": [ "iam" @@ -187,6 +186,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -201,7 +201,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_GROUP_MEMBER", "event.category": [ "iam" @@ -240,6 +239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -254,7 +254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_GROUP_MEMBER", "event.category": [ "iam" @@ -293,6 +292,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -307,7 +307,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER", "event.category": [ "iam" @@ -348,6 +347,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -362,7 +362,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", "event.category": [ "iam" @@ -403,6 +402,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -417,7 +417,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", "event.category": [ "iam" @@ -458,6 +457,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -472,7 +472,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_MEMBER_BULK_UPLOAD", "event.category": [ "iam" @@ -508,6 +507,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -522,7 +522,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_MEMBERS_DOWNLOAD", "event.category": [ "iam" @@ -556,6 +555,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -570,7 +570,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_NAME", "event.category": [ "iam" @@ -608,6 +607,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -622,7 +622,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_SETTING", "event.category": [ "iam" @@ -662,6 +661,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -676,7 +676,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WHITELISTED_GROUPS_UPDATED", "event.category": [ "iam" @@ -715,6 +714,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json index d51d602ae7b6..1fd3a0da6e23 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -137,6 +136,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -151,7 +151,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", "event.category": [ "iam" @@ -187,6 +186,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -201,7 +201,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_REASSIGNMENT", "event.category": [ "iam" @@ -239,6 +238,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -253,7 +253,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_LICENSE_REVOKE", "event.category": [ "iam" @@ -289,6 +288,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -303,7 +303,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_REVOKE", "event.category": [ "iam" @@ -340,6 +339,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -354,7 +354,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DYNAMIC_LICENSE", "event.category": [ "iam" @@ -391,6 +390,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json index 8e2f2896bdb3..99bea4702c38 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ACTION_CANCELLED", "event.category": [ "iam" @@ -40,6 +39,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -54,7 +54,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ACTION_REQUESTED", "event.category": [ "iam" @@ -94,6 +93,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -108,7 +108,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_CERTIFICATE", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -158,7 +158,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_DEVICES_BULK_CREATION", "event.category": [ "iam" @@ -192,6 +191,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -206,7 +206,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", "event.category": [ "iam" @@ -241,6 +240,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -255,7 +255,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_DEVICE_DELETION", "event.category": [ "iam" @@ -290,6 +289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -304,7 +304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", "event.category": [ "iam" @@ -339,6 +338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -353,7 +353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_WIPED", "event.category": [ "iam" @@ -388,6 +387,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -402,7 +402,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", "event.category": [ "iam" @@ -442,6 +441,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -456,7 +456,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", "event.category": [ "iam" @@ -491,6 +490,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -505,7 +505,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", "event.category": [ "iam" @@ -542,6 +541,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -556,7 +556,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "event.category": [ "iam" @@ -596,6 +595,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -610,7 +610,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", "event.category": [ "iam" @@ -647,6 +646,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -661,7 +661,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_APPROVE", "event.category": [ "iam" @@ -699,6 +698,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -713,7 +713,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_BLOCK", "event.category": [ "iam" @@ -751,6 +750,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -765,7 +765,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_DELETE", "event.category": [ "iam" @@ -803,6 +802,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -817,7 +817,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_WIPE", "event.category": [ "iam" @@ -855,6 +854,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -869,7 +869,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_SETTING", "event.category": [ "iam" @@ -907,6 +906,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -921,7 +921,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", "event.category": [ "iam" @@ -956,6 +955,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -970,7 +970,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1006,6 +1005,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1020,7 +1020,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1056,6 +1055,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1070,7 +1070,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1106,6 +1105,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1120,7 +1120,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", "event.category": [ "iam" @@ -1156,6 +1155,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1170,7 +1170,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_CERTIFICATE", "event.category": [ "iam" @@ -1206,6 +1205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1220,7 +1220,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", "event.category": [ "iam" @@ -1253,6 +1252,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1267,7 +1267,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", "event.category": [ "iam" @@ -1300,6 +1299,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1314,7 +1314,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", "event.category": [ "iam" @@ -1347,6 +1346,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1361,7 +1361,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", "event.category": [ "iam" @@ -1394,6 +1393,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1408,7 +1408,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_ACCOUNT_WIPE", "event.category": [ "iam" @@ -1446,6 +1445,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1460,7 +1460,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", "event.category": [ "iam" @@ -1498,6 +1497,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1512,7 +1512,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", "event.category": [ "iam" @@ -1550,6 +1549,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json index b2a88d67fe87..b4cdd02f0bde 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_ENABLED", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", "event.category": [ "iam" @@ -87,6 +86,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -101,7 +101,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", "event.category": [ "iam" @@ -137,6 +136,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -151,7 +151,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", "event.category": [ "iam" @@ -189,6 +188,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -203,7 +203,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -237,6 +236,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -251,7 +251,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ASSIGN_CUSTOM_LOGO", "event.category": [ "iam" @@ -285,6 +284,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -299,7 +299,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNASSIGN_CUSTOM_LOGO", "event.category": [ "iam" @@ -333,6 +332,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -347,7 +347,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -381,6 +380,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -395,7 +395,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -429,6 +428,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -443,7 +443,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_ALLOWED", "event.category": [ "iam" @@ -479,6 +478,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -493,7 +493,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ORG_UNIT", "event.category": [ "iam" @@ -527,6 +526,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -541,7 +541,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_ORG_UNIT", "event.category": [ "iam" @@ -575,6 +574,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -589,7 +589,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EDIT_ORG_UNIT_DESCRIPTION", "event.category": [ "iam" @@ -623,6 +622,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -637,7 +637,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_ORG_UNIT", "event.category": [ "iam" @@ -672,6 +671,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -686,7 +686,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EDIT_ORG_UNIT_NAME", "event.category": [ "iam" @@ -721,6 +720,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -735,7 +735,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -769,6 +768,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -783,7 +783,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SERVICE_ENABLED", "event.category": [ "iam" @@ -823,6 +822,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index 65321e3842ad..ccfe0f5b3ed5 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_STRONG_AUTHENTICATION", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ "iam" @@ -85,6 +84,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -99,7 +99,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ "iam" @@ -134,6 +133,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -148,7 +148,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "event.category": [ "iam" @@ -186,6 +185,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -200,7 +200,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", "event.category": [ "iam" @@ -237,6 +236,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -251,7 +251,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", "event.category": [ "iam" @@ -288,6 +287,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -302,7 +302,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BLOCK_ON_DEVICE_ACCESS", "event.category": [ "iam" @@ -337,6 +336,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -351,7 +351,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "event.category": [ "iam" @@ -390,6 +389,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -404,7 +404,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "event.category": [ "iam" @@ -443,6 +442,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -457,7 +457,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", "event.category": [ "iam" @@ -496,6 +495,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -510,7 +510,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "event.category": [ "iam" @@ -549,6 +548,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -563,7 +563,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "event.category": [ "iam" @@ -601,6 +600,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -615,7 +615,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CAA_ENABLEMENT", "event.category": [ "iam" @@ -649,6 +648,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -663,7 +663,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CAA_ERROR_MESSAGE", "event.category": [ "iam" @@ -698,6 +697,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -712,7 +712,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", "event.category": [ "iam" @@ -750,6 +749,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -764,7 +764,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", "event.category": [ "iam" @@ -798,6 +797,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -812,7 +812,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", "event.category": [ "iam" @@ -846,6 +845,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -860,7 +860,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "event.category": [ "iam" @@ -899,6 +898,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -913,7 +913,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENFORCE_STRONG_AUTHENTICATION", "event.category": [ "iam" @@ -954,6 +953,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -968,7 +968,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "event.category": [ "iam" @@ -1004,6 +1003,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1018,7 +1018,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "event.category": [ "iam" @@ -1057,6 +1056,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1071,7 +1071,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", "event.category": [ "iam" @@ -1108,6 +1107,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1122,7 +1122,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SESSION_LENGTH", "event.category": [ "iam" @@ -1157,6 +1156,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1171,7 +1171,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNBLOCK_ON_DEVICE_ACCESS", "event.category": [ "iam" @@ -1206,6 +1205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index b5afcff1ea35..272f4fb77e7a 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_WEB_ADDRESS", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -53,7 +53,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_WEB_ADDRESS", "event.category": [ "iam" @@ -90,6 +89,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -106,7 +106,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_SETTING", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -158,7 +158,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", "event.category": [ "iam" @@ -192,6 +191,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -208,7 +208,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_SITE_DETAILS", "event.category": [ "iam" @@ -242,6 +241,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json index f6220f7fcbdf..b3be5557b035 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_2SV_SCRATCH_CODES", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_2SV_SCRATCH_CODES", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_3LO_DEVICE_TOKENS", "event.category": [ "iam" @@ -138,6 +137,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -152,7 +152,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_3LO_TOKEN", "event.category": [ "iam" @@ -189,6 +188,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -203,7 +203,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_RECOVERY_EMAIL", "event.category": [ "iam" @@ -239,6 +238,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -253,7 +253,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_RECOVERY_PHONE", "event.category": [ "iam" @@ -289,6 +288,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -303,7 +303,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GRANT_ADMIN_PRIVILEGE", "event.category": [ "iam" @@ -339,6 +338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -353,7 +353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ADMIN_PRIVILEGE", "event.category": [ "iam" @@ -389,6 +388,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -403,7 +403,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ASP", "event.category": [ "iam" @@ -440,6 +439,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -454,7 +454,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", "event.category": [ "iam" @@ -491,6 +490,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -505,7 +505,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BULK_UPLOAD", "event.category": [ "iam" @@ -541,6 +540,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -555,7 +555,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", "event.category": [ "iam" @@ -592,6 +591,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -606,7 +606,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CANCEL_USER_INVITE", "event.category": [ "iam" @@ -643,6 +642,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -657,7 +657,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_CUSTOM_FIELD", "event.category": [ "iam" @@ -696,6 +695,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -710,7 +710,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_EXTERNAL_ID", "event.category": [ "iam" @@ -748,6 +747,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -762,7 +762,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_GENDER", "event.category": [ "iam" @@ -800,6 +799,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -814,7 +814,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_IM", "event.category": [ "iam" @@ -852,6 +851,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -866,7 +866,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_USER_IP_WHITELIST", "event.category": [ "iam" @@ -904,6 +903,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -918,7 +918,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_KEYWORD", "event.category": [ "iam" @@ -956,6 +955,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -970,7 +970,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_LANGUAGE", "event.category": [ "iam" @@ -1008,6 +1007,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1022,7 +1022,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_LOCATION", "event.category": [ "iam" @@ -1060,6 +1059,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1074,7 +1074,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_ORGANIZATION", "event.category": [ "iam" @@ -1112,6 +1111,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1126,7 +1126,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_PHONE_NUMBER", "event.category": [ "iam" @@ -1164,6 +1163,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1178,7 +1178,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RECOVERY_EMAIL", "event.category": [ "iam" @@ -1214,6 +1213,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1228,7 +1228,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RECOVERY_PHONE", "event.category": [ "iam" @@ -1264,6 +1263,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1278,7 +1278,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_RELATION", "event.category": [ "iam" @@ -1316,6 +1315,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1330,7 +1330,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_ADDRESS", "event.category": [ "iam" @@ -1368,6 +1367,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1382,7 +1382,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_EMAIL_MONITOR", "event.category": [ "iam" @@ -1426,6 +1425,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1440,7 +1440,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_DATA_TRANSFER_REQUEST", "event.category": [ "iam" @@ -1478,6 +1477,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1492,7 +1492,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", "event.category": [ "iam" @@ -1529,6 +1528,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1543,7 +1543,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ACCOUNT_INFO_DUMP", "event.category": [ "iam" @@ -1580,6 +1579,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1594,7 +1594,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_EMAIL_MONITOR", "event.category": [ "iam" @@ -1631,6 +1630,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1645,7 +1645,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_MAILBOX_DUMP", "event.category": [ "iam" @@ -1682,6 +1681,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1696,7 +1696,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_FIRST_NAME", "event.category": [ "iam" @@ -1734,6 +1733,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1748,7 +1748,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GMAIL_RESET_USER", "event.category": [ "iam" @@ -1785,6 +1784,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1799,7 +1799,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LAST_NAME", "event.category": [ "iam" @@ -1837,6 +1836,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1851,7 +1851,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MAIL_ROUTING_DESTINATION_ADDED", "event.category": [ "iam" @@ -1888,6 +1887,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1902,7 +1902,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", "event.category": [ "iam" @@ -1939,6 +1938,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1953,7 +1953,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_NICKNAME", "event.category": [ "iam" @@ -1990,6 +1989,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2004,7 +2004,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_NICKNAME", "event.category": [ "iam" @@ -2041,6 +2040,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2055,7 +2055,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD", "event.category": [ "iam" @@ -2091,6 +2090,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2105,7 +2105,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", "event.category": [ "iam" @@ -2143,6 +2142,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2157,7 +2157,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNLOAD_PENDING_INVITES_LIST", "event.category": [ "iam" @@ -2190,6 +2189,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2204,7 +2204,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_RECOVERY_EMAIL", "event.category": [ "iam" @@ -2240,6 +2239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2254,7 +2254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_RECOVERY_PHONE", "event.category": [ "iam" @@ -2290,6 +2289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2304,7 +2304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REQUEST_ACCOUNT_INFO", "event.category": [ "iam" @@ -2340,6 +2339,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2354,7 +2354,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REQUEST_MAILBOX_DUMP", "event.category": [ "iam" @@ -2396,6 +2395,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2410,7 +2410,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RESEND_USER_INVITE", "event.category": [ "iam" @@ -2447,6 +2446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2461,7 +2461,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RESET_SIGNIN_COOKIES", "event.category": [ "iam" @@ -2497,6 +2496,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2511,7 +2511,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", "event.category": [ "iam" @@ -2547,6 +2546,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2561,7 +2561,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_SECURITY_KEY", "event.category": [ "iam" @@ -2597,6 +2596,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2611,7 +2611,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_INVITE", "event.category": [ "iam" @@ -2648,6 +2647,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2662,7 +2662,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_TEMP_PASSWORD", "event.category": [ "iam" @@ -2699,6 +2698,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2713,7 +2713,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TURN_OFF_2_STEP_VERIFICATION", "event.category": [ "iam" @@ -2749,6 +2748,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2763,7 +2763,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNBLOCK_USER_SESSION", "event.category": [ "iam" @@ -2799,6 +2798,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2813,7 +2813,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNENROLL_USER_FROM_TITANIUM", "event.category": [ "iam" @@ -2849,6 +2848,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2863,7 +2863,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ARCHIVE_USER", "event.category": [ "iam" @@ -2899,6 +2898,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2913,7 +2913,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_BIRTHDATE", "event.category": [ "iam" @@ -2950,6 +2949,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2964,7 +2964,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_USER", "event.category": [ "iam" @@ -3000,6 +2999,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3014,7 +3014,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_USER", "event.category": [ "iam" @@ -3050,6 +3049,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3064,7 +3064,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNGRADE_USER_FROM_GPLUS", "event.category": [ "iam" @@ -3100,6 +3099,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3114,7 +3114,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", "event.category": [ "iam" @@ -3150,6 +3149,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3164,7 +3164,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNLOAD_USERLIST_CSV", "event.category": [ "iam" @@ -3197,6 +3196,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3211,7 +3211,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_USER_TO_ORG_UNIT", "event.category": [ "iam" @@ -3249,6 +3248,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3263,7 +3263,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", "event.category": [ "iam" @@ -3300,6 +3299,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3314,7 +3314,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_USER", "event.category": [ "iam" @@ -3351,6 +3350,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3365,7 +3365,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", "event.category": [ "iam" @@ -3401,6 +3400,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3415,7 +3415,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SUSPEND_USER", "event.category": [ "iam" @@ -3451,6 +3450,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3465,7 +3465,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNARCHIVE_USER", "event.category": [ "iam" @@ -3501,6 +3500,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3515,7 +3515,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNDELETE_USER", "event.category": [ "iam" @@ -3551,6 +3550,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3565,7 +3565,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNSUSPEND_USER", "event.category": [ "iam" @@ -3601,6 +3600,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3615,7 +3615,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPGRADE_USER_TO_GPLUS", "event.category": [ "iam" @@ -3651,6 +3650,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3665,7 +3665,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USERS_BULK_UPLOAD", "event.category": [ "iam" @@ -3700,6 +3699,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3714,7 +3714,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", "event.category": [ "iam" @@ -3750,6 +3749,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3763,4 +3763,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json index 3d75fea232dd..9ffde6ce107d 100644 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_to_folder", "event.category": [ "file" @@ -47,6 +46,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -61,7 +61,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_canceled", "event.category": [ "file", @@ -107,6 +106,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -121,7 +121,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_comment_added", "event.category": [ "file", @@ -167,6 +166,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -181,7 +181,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_requested", "event.category": [ "file", @@ -227,6 +226,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -241,7 +241,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_reviewer_responded", "event.category": [ "file", @@ -287,6 +286,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -301,7 +301,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "create", "event.category": [ "file" @@ -346,6 +345,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -360,7 +360,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "delete", "event.category": [ "file" @@ -405,6 +404,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -419,7 +419,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "download", "event.category": [ "file" @@ -464,6 +463,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -478,7 +478,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "edit", "event.category": [ "file" @@ -523,6 +522,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -537,7 +537,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_lock", "event.category": [ "file" @@ -582,6 +581,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -596,7 +596,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "move", "event.category": [ "file" @@ -645,6 +644,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -659,7 +659,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "preview", "event.category": [ "file" @@ -704,6 +703,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -718,7 +718,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "print", "event.category": [ "file" @@ -763,6 +762,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -777,7 +777,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_from_folder", "event.category": [ "file" @@ -824,6 +823,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -838,7 +838,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "rename", "event.category": [ "file" @@ -885,6 +884,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -899,7 +899,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "untrash", "event.category": [ "file" @@ -944,6 +943,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -958,7 +958,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range", "event.category": [ "file" @@ -1003,6 +1002,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1017,7 +1017,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "trash", "event.category": [ "file" @@ -1062,6 +1061,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1076,7 +1076,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_lock", "event.category": [ "file" @@ -1121,6 +1120,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1135,7 +1135,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "upload", "event.category": [ "file" @@ -1180,6 +1179,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1194,7 +1194,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "view", "event.category": [ "file" @@ -1240,6 +1239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1254,7 +1254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_editors", "event.category": [ "file", @@ -1304,6 +1303,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1318,7 +1318,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_access_scope", "event.category": [ "file", @@ -1369,6 +1368,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1383,7 +1383,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_visibility", "event.category": [ "file", @@ -1434,6 +1433,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1448,7 +1448,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_membership_change", "event.category": [ "file", @@ -1499,6 +1498,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1513,7 +1513,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_settings_change", "event.category": [ "file", @@ -1564,6 +1563,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1578,7 +1578,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range_access_change", "event.category": [ "file", @@ -1624,6 +1623,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1638,7 +1638,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_user_access", "event.category": [ "file", @@ -1690,6 +1689,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json index 8944e12d5e79..f62ef0391c08 100644 --- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_permission", "event.category": [ "iam" @@ -45,6 +44,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -59,7 +59,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "accept_invitation", "event.category": [ "iam" @@ -97,6 +96,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -111,7 +111,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approve_join_request", "event.category": [ "iam" @@ -151,6 +150,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -165,7 +165,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "join", "event.category": [ "iam" @@ -203,6 +202,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -217,7 +217,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "request_to_join", "event.category": [ "iam" @@ -255,6 +254,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -269,7 +269,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_basic_setting", "event.category": [ "iam" @@ -309,6 +308,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -323,7 +323,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "create_group", "event.category": [ "iam" @@ -360,6 +359,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -374,7 +374,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "delete_group", "event.category": [ "iam" @@ -411,6 +410,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -425,7 +425,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_identity_setting", "event.category": [ "iam" @@ -465,6 +464,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -479,7 +479,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_info_setting", "event.category": [ "iam" @@ -518,6 +517,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -532,7 +532,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_info_setting", "event.category": [ "iam" @@ -572,6 +571,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -586,7 +586,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_info_setting", "event.category": [ "iam" @@ -625,6 +624,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -639,7 +639,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_new_members_restrictions_setting", "event.category": [ "iam" @@ -679,6 +678,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -693,7 +693,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_post_replies_setting", "event.category": [ "iam" @@ -733,6 +732,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -747,7 +747,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_spam_moderation_setting", "event.category": [ "iam" @@ -787,6 +786,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -801,7 +801,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_topic_setting", "event.category": [ "iam" @@ -841,6 +840,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -855,7 +855,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "moderate_message", "event.category": [ "iam" @@ -896,6 +895,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -910,7 +910,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "always_post_from_user", "event.category": [ "iam" @@ -951,6 +950,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -965,7 +965,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_user", "event.category": [ "iam" @@ -1006,6 +1005,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1020,7 +1020,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ban_user_with_moderation", "event.category": [ "iam" @@ -1061,6 +1060,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1075,7 +1075,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "revoke_invitation", "event.category": [ "iam" @@ -1115,6 +1114,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1129,7 +1129,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "invite_user", "event.category": [ "iam" @@ -1169,6 +1168,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1183,7 +1183,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "reject_join_request", "event.category": [ "iam" @@ -1223,6 +1222,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1237,7 +1237,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "reinvite_user", "event.category": [ "iam" @@ -1277,6 +1276,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1291,7 +1291,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_user", "event.category": [ "iam" @@ -1331,6 +1330,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json index 00731f235f32..287e6245a25e 100644 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_password_leak", "event.category": [ "authentication" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_generic", "event.category": [ "authentication" @@ -84,6 +83,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -98,7 +98,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_spamming_through_relay", "event.category": [ "authentication" @@ -133,6 +132,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -147,7 +147,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_spamming", "event.category": [ "authentication" @@ -182,6 +181,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -196,7 +196,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "gov_attack_warning", "event.category": [ "authentication" @@ -229,6 +228,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -243,7 +243,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ "authentication" @@ -280,6 +279,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -294,7 +294,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_challenge", "event.category": [ "authentication" @@ -330,6 +329,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -344,7 +344,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_verification", "event.category": [ "authentication" @@ -381,6 +380,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -395,7 +395,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "logout", "event.category": [ "authentication" @@ -429,6 +428,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -443,7 +443,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_success", "event.category": [ "authentication" @@ -480,6 +479,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index 36dec3bfb618..6dd2d0216b05 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ "authentication" @@ -40,6 +39,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -54,7 +54,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:01.000Z", "event.action": "login_success", "event.category": [ "authentication" @@ -92,6 +91,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index 47aba59e1dad..689aad5cde25 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "2sv_disable", "event.category": [ "iam" @@ -34,6 +33,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -48,7 +48,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "2sv_enroll", "event.category": [ "iam" @@ -82,6 +81,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -96,7 +96,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "password_edit", "event.category": [ "iam" @@ -130,6 +129,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -144,7 +144,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_email_edit", "event.category": [ "iam" @@ -178,6 +177,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -192,7 +192,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_phone_edit", "event.category": [ "iam" @@ -226,6 +225,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -240,7 +240,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_secret_qa_edit", "event.category": [ "iam" @@ -274,6 +273,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -288,7 +288,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "titanium_enroll", "event.category": [ "iam" @@ -322,6 +321,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -336,7 +336,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "titanium_unenroll", "event.category": [ "iam" @@ -370,6 +369,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 7894d6ff3172..9aee12937a0e 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -112,13 +112,13 @@ "ccusan7572.api.home" ], "related.ip": [ - "10.58.116.231", - "10.159.182.171" + "10.159.182.171", + "10.58.116.231" ], "related.user": [ - "temUten", + "qua", "uradi", - "qua" + "temUten" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -174,9 +174,9 @@ "10.18.124.28" ], "related.user": [ - "modocons", + "mquidol", "lapariat", - "mquidol" + "modocons" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -239,8 +239,8 @@ ], "related.user": [ "oluptas", - "occae", - "intoc" + "intoc", + "occae" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", @@ -374,9 +374,9 @@ "10.211.105.204" ], "related.user": [ + "orema", "eveli", - "labor", - "orema" + "labor" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -432,13 +432,13 @@ "pora6854.www5.home" ], "related.ip": [ - "10.214.191.180", - "10.112.250.193" + "10.112.250.193", + "10.214.191.180" ], "related.user": [ - "Exc", + "ipsumdol", "ide", - "ipsumdol" + "Exc" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -493,12 +493,12 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.192.34.76", - "10.251.20.13" + "10.251.20.13", + "10.192.34.76" ], "related.user": [ - "iquipe", "tnonpro", + "iquipe", "ovol" ], "rsa.counters.dclass_c1": 3645, @@ -556,8 +556,8 @@ ], "related.user": [ "idunt", - "archite", - "boree" + "boree", + "archite" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -617,8 +617,8 @@ "10.168.159.13" ], "related.user": [ - "atemq", "inci", + "atemq", "isnostr" ], "rsa.counters.dclass_c1": 6135, @@ -679,9 +679,9 @@ "10.49.167.57" ], "related.user": [ + "tali", "ccaeca", - "sau", - "tali" + "sau" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -743,17 +743,17 @@ "10.216.125.252" ], "related.user": [ + "lorsita", "dolore", - "llamco", - "lorsita" + "llamco" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "quasia" + "quasia", + "accept" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -809,8 +809,8 @@ "umdolor4389.api.home" ], "related.ip": [ - "10.52.125.9", - "10.204.128.215" + "10.204.128.215", + "10.52.125.9" ], "related.user": [ "nci", @@ -875,8 +875,8 @@ "rationev6444.localhost" ], "related.ip": [ - "10.34.148.166", - "10.200.68.129" + "10.200.68.129", + "10.34.148.166" ], "related.user": [ "icabo", @@ -938,8 +938,8 @@ ], "related.user": [ "siu", - "conse", - "licabo" + "licabo", + "conse" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -995,13 +995,13 @@ "spernatu5539.domain" ], "related.ip": [ - "10.30.98.10", - "10.126.26.131" + "10.126.26.131", + "10.30.98.10" ], "related.user": [ - "dipisci", + "velite", "olori", - "velite" + "dipisci" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1061,9 +1061,9 @@ "10.190.10.219" ], "related.user": [ - "item", + "accusant", "quamnih", - "accusant" + "item" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1147,12 +1147,12 @@ "maliquam2147.internal.home" ], "related.ip": [ - "10.100.98.56", - "10.248.184.200" + "10.248.184.200", + "10.100.98.56" ], "related.user": [ - "ritati", "proident", + "ritati", "boru" ], "rsa.counters.dclass_c1": 5923, @@ -1209,13 +1209,13 @@ "olabor2983.internal.localhost" ], "related.ip": [ - "10.197.6.245", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ - "oluptat", "dtempo", - "aecatcup" + "aecatcup", + "oluptat" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1276,8 +1276,8 @@ ], "related.user": [ "redol", - "asnu", - "ationul" + "ationul", + "asnu" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1339,17 +1339,17 @@ "10.88.45.111" ], "related.user": [ + "undeomni", "lmole", - "iameaque", - "undeomni" + "iameaque" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "illu", - "deny" + "deny", + "illu" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1407,8 +1407,8 @@ "10.214.3.140" ], "related.user": [ - "edolorin", "scipitl", + "edolorin", "taliqui" ], "rsa.counters.dclass_c1": 5140, @@ -1472,8 +1472,8 @@ ], "related.user": [ "caboNem", - "pta", - "etconsec" + "etconsec", + "pta" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", @@ -1535,13 +1535,13 @@ "nder347.www.corp" ], "related.ip": [ - "10.105.190.170", - "10.182.152.242" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ + "doeiu", "litan", - "mquisn", - "doeiu" + "mquisn" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1604,8 +1604,8 @@ ], "related.user": [ "emUte", - "liquam", - "min" + "min", + "liquam" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1666,13 +1666,13 @@ "ectob4634.mail.localhost" ], "related.ip": [ - "10.72.75.207", - "10.201.168.116" + "10.201.168.116", + "10.72.75.207" ], "related.user": [ + "urau", "eFini", - "eufug", - "urau" + "eufug" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1728,13 +1728,13 @@ "snu6436.www.local" ], "related.ip": [ - "10.9.46.123", - "10.58.133.175" + "10.58.133.175", + "10.9.46.123" ], "related.user": [ + "nde", "oco", - "mfu", - "nde" + "mfu" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1794,8 +1794,8 @@ "10.70.29.203" ], "related.user": [ - "mquisnos", "veniamq", + "mquisnos", "pta" ], "rsa.counters.dclass_c1": 2358, @@ -1856,8 +1856,8 @@ "10.165.182.111" ], "related.user": [ - "ames", "Bonorum", + "ames", "sis" ], "rsa.counters.dclass_c1": 6401, @@ -1944,8 +1944,8 @@ "upt6017.api.localdomain" ], "related.ip": [ - "10.64.184.196", - "10.173.178.109" + "10.173.178.109", + "10.64.184.196" ], "related.user": [ "tam", @@ -1957,8 +1957,8 @@ "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "lamco" + "lamco", + "block" ], "rsa.misc.category": "enia", "rsa.misc.disposition": "iavol", @@ -2012,13 +2012,13 @@ "turQuis4046.api.test" ], "related.ip": [ - "10.90.50.149", - "10.168.225.209" + "10.168.225.209", + "10.90.50.149" ], "related.user": [ "aUtenima", - "olupta", - "olu" + "olu", + "olupta" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2079,8 +2079,8 @@ ], "related.user": [ "mtota", - "luptat", - "qua" + "qua", + "luptat" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2163,13 +2163,13 @@ "tatnonp1371.www.invalid" ], "related.ip": [ - "10.151.240.35", - "10.228.229.144" + "10.228.229.144", + "10.151.240.35" ], "related.user": [ + "lam", "ametcons", - "ama", - "lam" + "ama" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2289,17 +2289,17 @@ "10.254.10.98" ], "related.user": [ - "civeli", "eufugia", - "ttenb" + "ttenb", + "civeli" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uptasn" + "uptasn", + "cancel" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2383,13 +2383,13 @@ "ihi7294.www5.localhost" ], "related.ip": [ - "10.169.28.157", - "10.116.1.130" + "10.116.1.130", + "10.169.28.157" ], "related.user": [ - "reseo", + "eturadip", "amco", - "eturadip" + "reseo" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", @@ -2451,13 +2451,13 @@ "caecat4920.api.host" ], "related.ip": [ - "10.29.138.31", - "10.45.69.152" + "10.45.69.152", + "10.29.138.31" ], "related.user": [ - "volupta", "umq", - "tsunt" + "tsunt", + "volupta" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2513,13 +2513,13 @@ "setquas6188.internal.local" ], "related.ip": [ - "10.100.113.11", - "10.152.213.228" + "10.152.213.228", + "10.100.113.11" ], "related.user": [ - "ptatev", "itationu", - "velillum" + "velillum", + "ptatev" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,13 +2603,13 @@ "nibusBo3674.www5.localhost" ], "related.ip": [ - "10.208.33.55", - "10.248.102.129" + "10.248.102.129", + "10.208.33.55" ], "related.user": [ + "ulapari", "mremaper", - "inimv", - "ulapari" + "inimv" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2669,8 +2669,8 @@ "10.109.230.216" ], "related.user": [ - "mporin", "ectobea", + "mporin", "ibus" ], "rsa.counters.dclass_c1": 547, @@ -2731,9 +2731,9 @@ "10.117.81.75" ], "related.user": [ - "iconsequ", + "dol", "exeac", - "dol" + "iconsequ" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2793,8 +2793,8 @@ "10.45.152.205" ], "related.user": [ - "eriti", "utlabo", + "eriti", "imav" ], "rsa.counters.dclass_c1": 922, @@ -2856,17 +2856,17 @@ "10.60.164.100" ], "related.user": [ - "hite", + "adipis", "ugi", - "adipis" + "hite" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "taevitae", - "allow" + "allow", + "taevitae" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2919,13 +2919,13 @@ "aliquip7229.mail.domain" ], "related.ip": [ - "10.248.244.203", - "10.146.228.234" + "10.146.228.234", + "10.248.244.203" ], "related.user": [ "mquamei", - "eiusm", - "sum" + "sum", + "eiusm" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2981,8 +2981,8 @@ "10.86.121.152" ], "related.user": [ - "ine", "consecte", + "ine", "nimv" ], "rsa.counters.dclass_c1": 2771, @@ -3039,13 +3039,13 @@ "agnama5013.internal.example" ], "related.ip": [ - "10.201.223.119", - "10.204.223.184" + "10.204.223.184", + "10.201.223.119" ], "related.user": [ + "tuserror", "rcit", - "teni", - "tuserror" + "teni" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3106,8 +3106,8 @@ ], "related.user": [ "magnido", - "Nequepo", - "elitsedd" + "elitsedd", + "Nequepo" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3169,17 +3169,17 @@ "10.65.225.101" ], "related.user": [ - "tuserror", "citation", - "emquel" + "emquel", + "tuserror" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "eruntmol", - "cancel" + "cancel", + "eruntmol" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3236,9 +3236,9 @@ "10.191.184.105" ], "related.user": [ + "uta", "iin", - "tione", - "uta" + "tione" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3296,8 +3296,8 @@ "10.224.148.48" ], "related.user": [ - "equepor", "niam", + "equepor", "iosamn" ], "rsa.counters.event_counter": 7468, @@ -3360,12 +3360,12 @@ "amcorp7299.api.example" ], "related.ip": [ - "10.21.208.103", - "10.21.61.134" + "10.21.61.134", + "10.21.208.103" ], "related.user": [ - "ostr", "imidest", + "ostr", "mipsa" ], "rsa.counters.dclass_c1": 7766, @@ -3426,8 +3426,8 @@ "10.221.192.116" ], "related.user": [ - "iarchit", "iamquisn", + "iarchit", "tevelite" ], "rsa.counters.dclass_c1": 639, @@ -3486,8 +3486,8 @@ "tionevol3157.mail.invalid" ], "related.ip": [ - "10.191.142.143", - "10.240.62.238" + "10.240.62.238", + "10.191.142.143" ], "related.user": [ "nofde", @@ -3555,21 +3555,21 @@ "mquis319.api.local" ], "related.ip": [ - "10.178.79.217", - "10.111.22.134" + "10.111.22.134", + "10.178.79.217" ], "related.user": [ - "ccusan", + "tqui", "inibusBo", - "tqui" + "ccusan" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "orisnis" + "orisnis", + "deny" ], "rsa.misc.category": "sitas", "rsa.misc.disposition": "eni", @@ -3622,13 +3622,13 @@ "urad5712.api.host" ], "related.ip": [ - "10.161.225.172", - "10.77.86.215" + "10.77.86.215", + "10.161.225.172" ], "related.user": [ - "xerc", + "rcit", "meaqu", - "rcit" + "xerc" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3687,9 +3687,9 @@ "10.211.161.187" ], "related.user": [ - "boriosa", "sci", - "acons" + "acons", + "boriosa" ], "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3740,13 +3740,13 @@ "inBCSed5308.api.corp" ], "related.ip": [ - "10.254.198.47", - "10.160.147.230" + "10.160.147.230", + "10.254.198.47" ], "related.user": [ - "nimvenia", "ndeomnis", - "illoin" + "illoin", + "nimvenia" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3802,9 +3802,9 @@ "10.40.24.93" ], "related.user": [ - "exerci", + "orisnis", "mSecti", - "orisnis" + "exerci" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3860,13 +3860,13 @@ "itte6905.mail.invalid" ], "related.ip": [ - "10.249.13.159", - "10.108.130.106" + "10.108.130.106", + "10.249.13.159" ], "related.user": [ + "colab", "uisautei", - "exeacomm", - "colab" + "exeacomm" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3924,13 +3924,13 @@ "caboNemo274.www.host" ], "related.ip": [ - "10.39.244.49", - "10.64.94.174" + "10.64.94.174", + "10.39.244.49" ], "related.user": [ + "estiae", "iunt", - "Sedut", - "estiae" + "Sedut" ], "rsa.counters.event_counter": 7128, "rsa.db.database": "eFinibu", @@ -4047,13 +4047,13 @@ "qui5978.api.test" ], "related.ip": [ - "10.115.203.143", - "10.134.135.22" + "10.134.135.22", + "10.115.203.143" ], "related.user": [ + "utoditau", "involu", - "orpori", - "utoditau" + "orpori" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4203,9 +4203,9 @@ "10.20.231.188" ], "related.user": [ - "tesseq", + "mqu", "uatDuisa", - "mqu" + "tesseq" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4289,13 +4289,13 @@ "abor3266.mail.home" ], "related.ip": [ - "10.225.11.197", - "10.231.77.26" + "10.231.77.26", + "10.225.11.197" ], "related.user": [ + "rehe", "ineavol", - "volu", - "rehe" + "volu" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4349,13 +4349,13 @@ "eprehe2455.www.home" ], "related.ip": [ - "10.148.3.197", - "10.106.166.105" + "10.106.166.105", + "10.148.3.197" ], "related.user": [ - "olupt", "usa", - "avolup" + "avolup", + "olupt" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4411,9 +4411,9 @@ "10.172.121.239" ], "related.user": [ - "ipsu", + "ctas", "iuta", - "ctas" + "ipsu" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4469,13 +4469,13 @@ "exerc3694.api.home" ], "related.ip": [ - "10.129.234.200", - "10.42.218.103" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ - "tevelit", "tisundeo", - "dquia" + "dquia", + "tevelit" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4535,9 +4535,9 @@ "10.111.132.221" ], "related.user": [ - "oloremi", + "ali", "scive", - "ali" + "oloremi" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4593,13 +4593,13 @@ "boriosa7066.www.corp" ], "related.ip": [ - "10.195.8.141", - "10.17.214.21" + "10.17.214.21", + "10.195.8.141" ], "related.user": [ "dolo", - "ota", - "enimip" + "enimip", + "ota" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4659,8 +4659,8 @@ "10.173.13.179" ], "related.user": [ - "apar", "ptasn", + "apar", "isn" ], "rsa.counters.dclass_c1": 758, @@ -4717,13 +4717,13 @@ "iatisund424.mail.localdomain" ], "related.ip": [ - "10.178.190.123", - "10.42.135.34" + "10.42.135.34", + "10.178.190.123" ], "related.user": [ - "tiset", "orsi", - "ore" + "ore", + "tiset" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4872,9 +4872,9 @@ "10.206.221.180" ], "related.user": [ - "oNe", + "nseq", "litesseq", - "nseq" + "oNe" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4930,9 +4930,9 @@ "10.86.180.150" ], "related.user": [ - "mnisis", + "etconsec", "itasper", - "etconsec" + "mnisis" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4994,8 +4994,8 @@ "10.158.161.5" ], "related.user": [ - "rrors", - "dolo" + "dolo", + "rrors" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", @@ -5084,12 +5084,12 @@ "nisiutal4437.www.example" ], "related.ip": [ - "10.150.27.144", - "10.248.16.82" + "10.248.16.82", + "10.150.27.144" ], "related.user": [ - "res", "ditautf", + "res", "tuserror" ], "rsa.counters.dclass_c1": 4367, @@ -5211,9 +5211,9 @@ "10.69.5.227" ], "related.user": [ - "rumw", "ntocc", - "doloreme" + "doloreme", + "rumw" ], "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5269,9 +5269,9 @@ "10.253.175.129" ], "related.user": [ + "epteurs", "nrep", - "ate", - "epteurs" + "ate" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5333,8 +5333,8 @@ "10.89.26.170" ], "related.user": [ - "atus", "aboris", + "atus", "orumetMa" ], "rsa.counters.event_counter": 5863, @@ -5398,8 +5398,8 @@ "gitse6744.api.local" ], "related.ip": [ - "10.81.108.232", - "10.52.106.68" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ "uaturve", @@ -5411,8 +5411,8 @@ "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "Quisaut" + "Quisaut", + "allow" ], "rsa.misc.category": "idol", "rsa.misc.disposition": "mmodico", @@ -5472,9 +5472,9 @@ "10.223.10.28" ], "related.user": [ - "erit", "untex", - "usmodte" + "usmodte", + "erit" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5541,8 +5541,8 @@ ], "related.user": [ "sequamn", - "res", - "tasnul" + "tasnul", + "res" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5600,12 +5600,12 @@ "labo3477.www5.domain" ], "related.ip": [ - "10.226.75.20", - "10.247.108.144" + "10.247.108.144", + "10.226.75.20" ], "related.user": [ - "maccusan", "tema", + "maccusan", "fugia" ], "rsa.counters.event_counter": 3711, @@ -5667,13 +5667,13 @@ "itseddo2209.mail.domain" ], "related.ip": [ - "10.97.22.61", - "10.192.15.65" + "10.192.15.65", + "10.97.22.61" ], "related.user": [ - "illumd", "rExcep", - "nimides" + "nimides", + "illumd" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5798,9 +5798,9 @@ "10.28.77.79" ], "related.user": [ + "utlab", "rspic", - "upta", - "utlab" + "upta" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5855,13 +5855,13 @@ "tsunti1164.www.example" ], "related.ip": [ - "10.18.15.43", - "10.248.177.182" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ - "quei", "caecat", - "quaturve" + "quaturve", + "quei" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json index 40bbac9e3f53..73f2a49fabcf 100644 --- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json @@ -55,6 +55,7 @@ "source.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "158.109.0.1", diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index a33eb424fddd..fb4fca25df2a 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -1353,8 +1353,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.142.21.251", - "10.154.16.147" + "10.154.16.147", + "10.142.21.251" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "ute", @@ -1387,8 +1387,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.105.212.51", - "10.119.53.68" + "10.119.53.68", + "10.105.212.51" ], "rsa.db.index": "giatqu", "rsa.internal.messageid": "00042", @@ -1852,8 +1852,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.51.161.245", - "10.193.80.21" + "10.193.80.21", + "10.51.161.245" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "modi", @@ -2318,8 +2318,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.185.50.112", - "10.126.150.15" + "10.126.150.15", + "10.185.50.112" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "tot", @@ -2479,8 +2479,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.96.165.147", - "10.96.218.99" + "10.96.218.99", + "10.96.165.147" ], "related.user": [ "utla" diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json index a4b6019bc5d7..163acbfd5448 100644 --- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json +++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json @@ -4,6 +4,7 @@ "destination.geo.city_name": "State College", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 40.7957, "destination.geo.location.lon": -77.8618, "destination.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 530aa6f4cc11..2ac0d3443e7a 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -317,8 +317,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.66.171.247", - "10.155.162.162" + "10.155.162.162", + "10.66.171.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -396,8 +396,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.26.34", - "10.38.77.13" + "10.38.77.13", + "10.179.26.34" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1101,8 +1101,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.97.164.220", - "10.128.31.83" + "10.128.31.83", + "10.97.164.220" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "aera", @@ -1816,8 +1816,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.98.209.10", - "10.31.177.226" + "10.31.177.226", + "10.98.209.10" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1848,8 +1848,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.44.47.27", - "10.179.210.218" + "10.179.210.218", + "10.44.47.27" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2129,8 +2129,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.151.129.181", - "10.55.156.64" + "10.55.156.64", + "10.151.129.181" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2236,8 +2236,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.166.90.130", - "10.73.89.189" + "10.73.89.189", + "10.166.90.130" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 56a4f778e7f4..12d780947fb0 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -48,6 +48,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -116,6 +117,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -184,6 +186,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -252,6 +255,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index b5c79d506d1f..6f54a5ce22f5 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -55,6 +55,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -131,6 +132,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -207,6 +209,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -283,6 +286,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -360,6 +364,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -436,6 +441,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -512,6 +518,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -589,6 +596,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -665,6 +673,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -741,6 +750,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -817,6 +827,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json index cea77b1153fa..78cfca3dbfb4 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json @@ -130,6 +130,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -273,6 +274,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -416,6 +418,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -570,6 +573,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -724,6 +728,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -885,6 +890,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1046,6 +1052,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1207,6 +1214,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1368,6 +1376,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1529,6 +1538,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1690,6 +1700,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1851,6 +1862,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2012,6 +2024,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2173,6 +2186,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2334,6 +2348,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2495,6 +2510,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2656,6 +2672,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2817,6 +2834,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2960,6 +2978,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3103,6 +3122,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3257,6 +3277,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3400,6 +3421,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3543,6 +3565,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3686,6 +3709,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3840,6 +3864,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4001,6 +4026,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4162,6 +4188,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4323,6 +4350,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4484,6 +4512,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4645,6 +4674,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4806,6 +4836,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4967,6 +4998,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5128,6 +5160,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5290,6 +5323,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5452,6 +5486,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5742,6 +5777,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5903,6 +5939,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6064,6 +6101,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6225,6 +6263,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6386,6 +6425,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6547,6 +6587,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6708,6 +6749,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6869,6 +6911,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7030,6 +7073,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7191,6 +7235,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7352,6 +7397,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7513,6 +7559,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7674,6 +7721,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7835,6 +7883,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7996,6 +8045,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8158,6 +8208,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8320,6 +8371,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8481,6 +8533,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8642,6 +8695,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8803,6 +8857,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8964,6 +9019,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9125,6 +9181,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9286,6 +9343,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9447,6 +9505,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9608,6 +9667,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9769,6 +9829,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9912,6 +9973,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10055,6 +10117,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10198,6 +10261,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10341,6 +10405,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10494,6 +10559,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10648,6 +10714,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10802,6 +10869,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10956,6 +11024,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11110,6 +11179,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11251,6 +11321,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11394,6 +11465,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11537,6 +11609,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11691,6 +11764,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11845,6 +11919,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11999,6 +12074,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12142,6 +12218,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12285,6 +12362,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12428,6 +12506,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12582,6 +12661,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12736,6 +12816,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12890,6 +12971,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13051,6 +13133,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13212,6 +13295,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13373,6 +13457,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13534,6 +13619,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13695,6 +13781,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13856,6 +13943,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14017,6 +14105,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14178,6 +14267,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14339,6 +14429,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14500,6 +14591,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14661,6 +14753,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14823,6 +14916,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14985,6 +15079,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15147,6 +15242,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15306,6 +15402,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15465,6 +15562,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15624,6 +15722,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index cc096b3acc25..97cb1f5bb013 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -305,6 +305,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -379,6 +380,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -454,6 +456,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -529,6 +532,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -604,6 +608,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 60c77401b355..5470038d6b87 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -77,6 +77,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -174,6 +175,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -271,6 +273,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -368,6 +371,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -465,6 +469,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -562,6 +567,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -659,6 +665,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -756,6 +763,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -853,6 +861,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -950,6 +959,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1047,6 +1057,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1144,6 +1155,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1241,6 +1253,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1338,6 +1351,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1434,6 +1448,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -1529,6 +1544,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1626,6 +1642,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1722,6 +1739,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -1817,6 +1835,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1914,6 +1933,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2011,6 +2031,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2108,6 +2129,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2205,6 +2227,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2302,6 +2325,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2399,6 +2423,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2496,6 +2521,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2593,6 +2619,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2690,6 +2717,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2787,6 +2815,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2883,6 +2912,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2981,6 +3011,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3067,6 +3098,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3162,6 +3194,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3248,6 +3281,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3344,6 +3378,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3430,6 +3465,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3526,6 +3562,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3623,6 +3660,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3720,6 +3758,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3806,6 +3845,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3902,6 +3942,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3998,6 +4039,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -4093,6 +4135,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4190,6 +4233,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4276,6 +4320,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4371,6 +4416,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4468,6 +4514,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4565,6 +4612,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4662,6 +4710,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4759,6 +4808,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4856,6 +4906,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4953,6 +5004,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5050,6 +5102,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5147,6 +5200,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5244,6 +5298,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5341,6 +5396,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5438,6 +5494,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5535,6 +5592,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5631,6 +5689,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -5726,6 +5785,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5823,6 +5883,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5920,6 +5981,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6017,6 +6079,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6114,6 +6177,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6211,6 +6275,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6308,6 +6373,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6405,6 +6471,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6502,6 +6569,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6599,6 +6667,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index 4bd20443e074..e6326bf27b14 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -48,6 +48,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index 437a7ea5627a..39d002441853 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -55,6 +55,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", @@ -130,6 +131,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", @@ -220,6 +222,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index 96530ab70f37..54a45d4465e7 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -739,6 +739,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 37735ccfce01..8e5df2e94e41 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -10,6 +10,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -104,6 +105,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -198,6 +200,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -292,6 +295,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -386,6 +390,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -480,6 +485,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -574,6 +580,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -668,6 +675,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -762,6 +770,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -856,6 +865,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -950,6 +960,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1044,6 +1055,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1138,6 +1150,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1232,6 +1245,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1325,6 +1339,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1419,6 +1434,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1512,6 +1528,7 @@ "destination.as.organization.name": "Leaseweb Deutschland GmbH", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.geo.name": "Germany", @@ -1603,6 +1620,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1697,6 +1715,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1791,6 +1810,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1885,6 +1905,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1979,6 +2000,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2073,6 +2095,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2167,6 +2190,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2261,6 +2285,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2355,6 +2380,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2449,6 +2475,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2543,6 +2570,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2637,6 +2665,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2731,6 +2760,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2825,6 +2855,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2919,6 +2950,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3013,6 +3045,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3106,6 +3139,7 @@ "destination.as.organization.name": "Castle Access Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3196,6 +3230,7 @@ "destination.as.organization.name": "INAMES", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "KR", + "destination.geo.country_name": "South Korea", "destination.geo.location.lat": 37.5112, "destination.geo.location.lon": 126.9741, "destination.geo.name": "Korea Republic Of", @@ -3286,6 +3321,7 @@ "destination.as.organization.name": "CJSC Registrar R01", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -3377,6 +3413,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3469,6 +3506,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3559,6 +3597,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3650,6 +3689,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3742,6 +3782,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3832,6 +3873,7 @@ "destination.as.organization.name": "Domain names registrar REG.RU, Ltd", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -3922,6 +3964,7 @@ "destination.as.organization.name": "Domain names registrar REG.RU, Ltd", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -4079,6 +4122,7 @@ "source.geo.city_name": "Fort Lauderdale", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 26.1792, "source.geo.location.lon": -80.1749, "source.geo.name": "United States", @@ -4103,6 +4147,7 @@ "destination.geo.city_name": "Kitchener", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 43.4419, "destination.geo.location.lon": -80.4216, "destination.geo.name": "Canada", @@ -4195,6 +4240,7 @@ "destination.as.organization.name": "Castle Access Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -4285,6 +4331,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "VG", + "destination.geo.country_name": "British Virgin Islands", "destination.geo.location.lat": 18.5, "destination.geo.location.lon": -64.5, "destination.geo.name": "Virgin Islands British", @@ -4375,6 +4422,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -4466,6 +4514,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4559,6 +4608,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4652,6 +4702,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4745,6 +4796,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4838,6 +4890,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5000,6 +5053,7 @@ "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.9339, "source.geo.location.lon": -117.8854, "source.geo.name": "United States", @@ -5024,6 +5078,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5186,6 +5241,7 @@ "source.geo.city_name": "Montreal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.4995, "source.geo.location.lon": -73.5848, "source.geo.name": "European Union", @@ -5278,6 +5334,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 30.294, "source.geo.location.lon": 120.1619, "source.geo.name": "China", @@ -5302,6 +5359,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5463,6 +5521,7 @@ "source.as.organization.name": "NForce Entertainment B.V.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.geo.name": "Netherlands", @@ -5554,6 +5613,7 @@ "source.geo.city_name": "Montreal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.4995, "source.geo.location.lon": -73.5848, "source.geo.name": "European Union", @@ -5577,6 +5637,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5667,6 +5728,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5757,6 +5819,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5917,6 +5980,7 @@ "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.9339, "source.geo.location.lon": -117.8854, "source.geo.name": "United States", @@ -5941,6 +6005,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -6034,6 +6099,7 @@ "destination.geo.city_name": "Central", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", "destination.geo.location.lat": 22.2909, "destination.geo.location.lon": 114.15, "destination.geo.name": "United States", @@ -6196,6 +6262,7 @@ "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6722, "source.geo.location.lon": -122.1257, "source.geo.name": "United States", @@ -6289,6 +6356,7 @@ "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6722, "source.geo.location.lon": -122.1257, "source.geo.name": "United States", @@ -6313,6 +6381,7 @@ "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.0544, "destination.geo.location.lon": -118.244, "destination.geo.name": "United States", @@ -6474,6 +6543,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6495,6 +6565,7 @@ "destination.as.organization.name": "Pandora Media, Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6654,6 +6725,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6745,6 +6817,7 @@ "source.geo.city_name": "Oliva", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 38.9197, "source.geo.location.lon": -0.1193, "source.geo.name": "Ukraine", @@ -6837,6 +6910,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6927,6 +7001,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7017,6 +7092,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7107,6 +7183,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7128,6 +7205,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -7287,6 +7365,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7377,6 +7456,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7467,6 +7547,7 @@ "source.as.organization.name": "Wikimedia Foundation Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7557,6 +7638,7 @@ "source.as.organization.name": "Wikimedia Foundation Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7648,6 +7730,7 @@ "source.geo.city_name": "Los Angeles", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 34.0544, "source.geo.location.lon": -118.244, "source.geo.name": "United States", @@ -7740,6 +7823,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7830,6 +7914,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7921,6 +8006,7 @@ "source.geo.city_name": "Liberal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.0438, "source.geo.location.lon": -100.9286, "source.geo.name": "United States", @@ -8013,6 +8099,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8103,6 +8190,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8194,6 +8282,7 @@ "source.geo.city_name": "Albany", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 42.7008, "source.geo.location.lon": -73.8601, "source.geo.name": "United States", @@ -8286,6 +8375,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8307,6 +8397,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -8466,6 +8557,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8556,6 +8648,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8577,6 +8670,7 @@ "destination.as.organization.name": "Pandora Media, Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -8736,6 +8830,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8826,6 +8921,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8916,6 +9012,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9006,6 +9103,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9096,6 +9194,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9186,6 +9285,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 587b481636f0..44f7a7790abc 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -113,6 +114,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -211,6 +213,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -310,6 +313,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -411,6 +415,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -511,6 +516,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -609,6 +615,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -708,6 +715,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -809,6 +817,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -910,6 +919,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1011,6 +1021,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1112,6 +1123,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1213,6 +1225,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1314,6 +1327,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1415,6 +1429,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1516,6 +1531,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1617,6 +1633,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1718,6 +1735,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1819,6 +1837,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1919,6 +1938,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2017,6 +2037,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2116,6 +2137,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2216,6 +2238,7 @@ "destination.bytes": 98, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2315,6 +2338,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2416,6 +2440,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2517,6 +2542,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2617,6 +2643,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2715,6 +2742,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2814,6 +2842,7 @@ "destination.geo.city_name": "Westminster", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 33.7518, "destination.geo.location.lon": -117.9932, "destination.geo.region_iso_code": "US-CA", @@ -2915,6 +2944,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3015,6 +3045,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3114,6 +3145,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -3215,6 +3247,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3315,6 +3348,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3413,6 +3447,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3512,6 +3547,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3613,6 +3649,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3713,6 +3750,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3811,6 +3849,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3908,6 +3947,7 @@ "destination.bytes": 111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4000,6 +4040,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -4098,6 +4139,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -4193,6 +4235,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -4294,6 +4337,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -4393,6 +4437,7 @@ "destination.bytes": 141, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4486,6 +4531,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -4586,6 +4632,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4685,6 +4732,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -4785,6 +4833,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4883,6 +4932,7 @@ "destination.bytes": 316, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4981,6 +5031,7 @@ "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5079,6 +5130,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5177,6 +5229,7 @@ "destination.bytes": 954, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -5276,6 +5329,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -5377,6 +5431,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -5477,6 +5532,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5576,6 +5632,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -5676,6 +5733,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5774,6 +5832,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5873,6 +5932,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -5974,6 +6034,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6074,6 +6135,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6172,6 +6234,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6270,6 +6333,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -6368,6 +6432,7 @@ "destination.bytes": 163, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6466,6 +6531,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6564,6 +6630,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6663,6 +6730,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6763,6 +6831,7 @@ "destination.bytes": 922, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -6862,6 +6931,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6962,6 +7032,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7060,6 +7131,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7159,6 +7231,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -7259,6 +7332,7 @@ "destination.bytes": 26786, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.5.1.1", @@ -7357,6 +7431,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7455,6 +7530,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7554,6 +7630,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -7747,6 +7824,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -7848,6 +7926,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -8133,6 +8212,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8233,6 +8313,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8331,6 +8412,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8430,6 +8512,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8530,6 +8613,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8720,6 +8804,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8819,6 +8904,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8919,6 +9005,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -9017,6 +9104,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -9115,6 +9203,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -9214,6 +9303,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9315,6 +9405,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9416,6 +9507,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9609,6 +9701,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9710,6 +9803,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9811,6 +9905,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index 93fe08f75d9b..de6c83a2fa14 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -10,6 +10,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -111,6 +112,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -212,6 +214,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -313,6 +316,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -414,6 +418,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -515,6 +520,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -616,6 +622,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -717,6 +724,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -818,6 +826,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -919,6 +928,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1020,6 +1030,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1121,6 +1132,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1222,6 +1234,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1323,6 +1336,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1424,6 +1438,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1525,6 +1540,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1626,6 +1642,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1727,6 +1744,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1828,6 +1846,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1929,6 +1948,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2030,6 +2050,7 @@ "destination.as.organization.name": "Akamai International B.V.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2131,6 +2152,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2232,6 +2254,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2333,6 +2356,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2434,6 +2458,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2535,6 +2560,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2636,6 +2662,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2737,6 +2764,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2838,6 +2866,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2939,6 +2968,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3040,6 +3070,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3141,6 +3172,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3242,6 +3274,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3343,6 +3376,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3444,6 +3478,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3545,6 +3580,7 @@ "destination.as.organization.name": "Fastly", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3647,6 +3683,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.name": "United States", @@ -3751,6 +3788,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -3855,6 +3893,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -3959,6 +3998,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4063,6 +4103,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4167,6 +4208,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4271,6 +4313,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4375,6 +4418,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4479,6 +4523,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4583,6 +4628,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4687,6 +4733,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4791,6 +4838,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4895,6 +4943,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4999,6 +5048,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.name": "United States", @@ -5102,6 +5152,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5203,6 +5254,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5304,6 +5356,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5405,6 +5458,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5506,6 +5560,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5607,6 +5662,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5708,6 +5764,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5809,6 +5866,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5910,6 +5968,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6011,6 +6070,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6113,6 +6173,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6217,6 +6278,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6321,6 +6383,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6425,6 +6488,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6529,6 +6593,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6633,6 +6698,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6737,6 +6803,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6841,6 +6908,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6945,6 +7013,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7049,6 +7118,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7153,6 +7223,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7257,6 +7328,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7361,6 +7433,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7465,6 +7538,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7569,6 +7643,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7673,6 +7748,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 5f979092c4b4..200e02370d3d 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.bytes": 5976, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.152", @@ -122,6 +123,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -232,6 +234,7 @@ "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.7787, "destination.geo.location.lon": -96.8217, "destination.geo.region_iso_code": "US-TX", @@ -343,6 +346,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -453,6 +457,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.region_iso_code": "US-CA", @@ -564,6 +569,7 @@ "destination.bytes": 21111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "209.234.224.22", @@ -673,6 +679,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -782,6 +789,7 @@ "destination.bytes": 3732, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.2.238", @@ -891,6 +899,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1000,6 +1009,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1109,6 +1119,7 @@ "destination.bytes": 5469, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.249.60.78", @@ -1218,6 +1229,7 @@ "destination.bytes": 224, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1327,6 +1339,7 @@ "destination.bytes": 117, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1436,6 +1449,7 @@ "destination.bytes": 307, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1545,6 +1559,7 @@ "destination.bytes": 365, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1654,6 +1669,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1763,6 +1779,7 @@ "destination.bytes": 161, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1872,6 +1889,7 @@ "destination.bytes": 7805, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "98.138.49.44", @@ -1981,6 +1999,7 @@ "destination.bytes": 6106, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "72.30.3.43", @@ -2090,6 +2109,7 @@ "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2199,6 +2219,7 @@ "destination.bytes": 3245, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", @@ -2308,6 +2329,7 @@ "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2418,6 +2440,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -2528,6 +2551,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -2639,6 +2663,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2748,6 +2773,7 @@ "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2853,6 +2879,7 @@ "destination.bytes": 1991, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", @@ -2959,6 +2986,7 @@ "destination.bytes": 523, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "151.101.2.2", @@ -3069,6 +3097,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.region_iso_code": "US-CA", @@ -3180,6 +3209,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3289,6 +3319,7 @@ "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3398,6 +3429,7 @@ "destination.bytes": 5003, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.193", @@ -3507,6 +3539,7 @@ "destination.bytes": 171, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3615,6 +3648,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -3727,6 +3761,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -3839,6 +3874,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -3950,6 +3986,7 @@ "destination.bytes": 244, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4059,6 +4096,7 @@ "destination.bytes": 205, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4169,6 +4207,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4389,6 +4428,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -4500,6 +4540,7 @@ "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", @@ -4610,6 +4651,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4722,6 +4764,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4833,6 +4876,7 @@ "destination.bytes": 182, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4942,6 +4986,7 @@ "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5052,6 +5097,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -5163,6 +5209,7 @@ "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", @@ -5380,6 +5427,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5485,6 +5533,7 @@ "destination.bytes": 144, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5594,6 +5643,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5703,6 +5753,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5812,6 +5863,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5921,6 +5973,7 @@ "destination.bytes": 132, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6030,6 +6083,7 @@ "destination.bytes": 127, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6139,6 +6193,7 @@ "destination.bytes": 105, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6248,6 +6303,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6357,6 +6413,7 @@ "destination.bytes": 134, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6466,6 +6523,7 @@ "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6575,6 +6633,7 @@ "destination.bytes": 218, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6684,6 +6743,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6793,6 +6853,7 @@ "destination.bytes": 305, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6903,6 +6964,7 @@ "destination.geo.city_name": "Lanham", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9705, "destination.geo.location.lon": -76.8388, "destination.geo.region_iso_code": "US-MD", @@ -7014,6 +7076,7 @@ "destination.bytes": 153, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7123,6 +7186,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7232,6 +7296,7 @@ "destination.bytes": 128, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7341,6 +7406,7 @@ "destination.bytes": 181, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7450,6 +7516,7 @@ "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7560,6 +7627,7 @@ "destination.geo.city_name": "San Antonio", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 29.4551, "destination.geo.location.lon": -98.6498, "destination.geo.region_iso_code": "US-TX", @@ -7671,6 +7739,7 @@ "destination.bytes": 315, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7780,6 +7849,7 @@ "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7890,6 +7960,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.54, "destination.geo.location.lon": -122.3032, "destination.geo.region_iso_code": "US-WA", @@ -8001,6 +8072,7 @@ "destination.bytes": 149, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8110,6 +8182,7 @@ "destination.bytes": 202, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8219,6 +8292,7 @@ "destination.bytes": 195, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8328,6 +8402,7 @@ "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "208.83.246.20", @@ -8437,6 +8512,7 @@ "destination.bytes": 192, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8545,6 +8621,7 @@ "destination.bytes": 208, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8653,6 +8730,7 @@ "destination.bytes": 100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8761,6 +8839,7 @@ "destination.bytes": 7237, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.6583, "destination.geo.location.lon": -77.2481, "destination.geo.region_iso_code": "US-VA", @@ -8871,6 +8950,7 @@ "destination.bytes": 109, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8980,6 +9060,7 @@ "destination.bytes": 116, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -9089,6 +9170,7 @@ "destination.bytes": 96, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -9199,6 +9281,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9311,6 +9394,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9423,6 +9507,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9534,6 +9619,7 @@ "destination.bytes": 7820, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.254.150.9", @@ -9644,6 +9730,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9756,6 +9843,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9868,6 +9956,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9980,6 +10069,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -10092,6 +10182,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -10203,6 +10294,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10312,6 +10404,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10421,6 +10514,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10530,6 +10624,7 @@ "destination.bytes": 170, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10639,6 +10734,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10748,6 +10844,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10857,6 +10954,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index f0150dcb87fb..d1a9aa8535fd 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -61,8 +61,8 @@ "uptatev4292.www.invalid" ], "related.ip": [ - "10.212.11.114", - "10.38.77.13" + "10.38.77.13", + "10.212.11.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uam", @@ -826,8 +826,8 @@ "apari5002.api.test" ], "related.ip": [ - "10.9.200.197", - "10.182.213.195" + "10.182.213.195", + "10.9.200.197" ], "rsa.crypto.sig_type": "fugiatnu", "rsa.internal.messageid": "27813", @@ -1006,8 +1006,8 @@ "unturmag6190.api.lan" ], "related.ip": [ - "10.52.190.18", - "10.238.223.171" + "10.238.223.171", + "10.52.190.18" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -1209,8 +1209,8 @@ "iqu4858.mail.invalid" ], "related.ip": [ - "10.213.100.153", - "10.116.175.84" + "10.116.175.84", + "10.213.100.153" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1643,8 +1643,8 @@ "urau1660.www.lan" ], "related.ip": [ - "10.201.132.114", - "10.140.209.249" + "10.140.209.249", + "10.201.132.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -1731,8 +1731,8 @@ "nofde7732.internal.test" ], "related.ip": [ - "10.198.44.231", - "10.36.122.169" + "10.36.122.169", + "10.198.44.231" ], "rsa.crypto.sig_type": "umquam", "rsa.internal.messageid": "13228", @@ -2113,8 +2113,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.60.137.215", - "10.28.105.106" + "10.28.105.106", + "10.60.137.215" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2229,10 +2229,10 @@ "Loremips5368.www5.corp" ], "related.ip": [ + "10.20.167.114", "10.49.190.163", - "10.166.40.137", "10.65.144.119", - "10.20.167.114" + "10.166.40.137" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2361,8 +2361,8 @@ "magn3657.api.invalid" ], "related.ip": [ - "10.180.28.156", - "10.234.234.205" + "10.234.234.205", + "10.180.28.156" ], "rsa.crypto.sig_type": "mnihil", "rsa.internal.messageid": "5315", @@ -2578,8 +2578,8 @@ "laparia5374.api.domain" ], "related.ip": [ - "10.147.155.100", - "10.232.67.182" + "10.232.67.182", + "10.147.155.100" ], "rsa.crypto.sig_type": "eufugi", "rsa.internal.messageid": "26152", @@ -2828,8 +2828,8 @@ "borios1685.www.localhost" ], "related.ip": [ - "10.231.10.63", - "10.38.22.60" + "10.38.22.60", + "10.231.10.63" ], "rsa.crypto.sig_type": "taliquip", "rsa.internal.messageid": "10329", @@ -2886,8 +2886,8 @@ "Bonoru5658.mail.invalid" ], "related.ip": [ - "10.29.231.11", - "10.46.57.181" + "10.46.57.181", + "10.29.231.11" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -3160,8 +3160,8 @@ "onsecte5119.www.invalid" ], "related.ip": [ - "10.198.207.31", - "10.5.88.183" + "10.5.88.183", + "10.198.207.31" ], "rsa.internal.event_desc": "Failed to locate egress interface", "rsa.internal.messageid": "FTD_events", @@ -3836,9 +3836,9 @@ "erunt3957.internal.lan" ], "related.ip": [ - "10.118.103.185", "10.32.195.34", "10.240.77.10", + "10.118.103.185", "10.125.130.61" ], "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index 9f972c2e6fc7..37d6d4325b79 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -28,6 +28,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -95,6 +96,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -243,6 +245,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -310,6 +313,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -347,6 +351,7 @@ "service.type": "sonicwall", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "NZ", + "source.geo.country_name": "New Zealand", "source.geo.location.lat": -41.0, "source.geo.location.lon": 174.0, "source.ip": [ @@ -436,6 +441,7 @@ "source.as.organization.name": "Cloudflare, Inc.", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, "source.ip": [ diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 5b84648b930d..bd92a3aa08a9 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -23,8 +23,8 @@ "oreetdol1714.internal.corp" ], "related.ip": [ - "10.49.111.67", - "10.92.136.230" + "10.92.136.230", + "10.49.111.67" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -86,8 +86,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.227.15.1", - "10.149.203.46", - "10.150.156.22" + "10.150.156.22", + "10.149.203.46" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -171,8 +171,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.13.70.213", - "10.95.245.65" + "10.95.245.65", + "10.13.70.213" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -478,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.151.178", - "10.157.161.103" + "10.157.161.103", + "10.78.151.178" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -551,9 +551,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.34.161.166", "10.245.200.97", - "10.219.116.137" + "10.219.116.137", + "10.34.161.166" ], "rsa.internal.event_desc": "rehend", "rsa.internal.messageid": "428", @@ -599,8 +599,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.118.80.140", - "10.252.122.195" + "10.252.122.195", + "10.118.80.140" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -845,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", @@ -1006,8 +1006,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.74.44", - "10.251.20.13" + "10.251.20.13", + "10.101.74.44" ], "related.user": [ "rsitv" @@ -1219,8 +1219,8 @@ "ise5905.www.local" ], "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1279,8 +1279,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.187.201.250", - "10.64.229.79" + "10.64.229.79", + "10.187.201.250" ], "rsa.db.index": "rumwrit", "rsa.internal.messageid": "83", @@ -1389,8 +1389,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.31.190.145", - "10.147.88.219" + "10.147.88.219", + "10.31.190.145" ], "related.user": [ "corpori" @@ -1431,9 +1431,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.84.24", "10.251.248.228", - "10.113.100.237" + "10.113.100.237", + "10.108.84.24" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1777,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.165.48.224", - "10.191.242.168" + "10.191.242.168", + "10.165.48.224" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", @@ -1831,8 +1831,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.185.37.32", - "10.116.173.79" + "10.116.173.79", + "10.185.37.32" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -1863,8 +1863,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.85.98", - "10.219.42.212" + "10.219.42.212", + "10.57.85.98" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", @@ -1917,8 +1917,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.135.70.159", - "10.195.223.82" + "10.195.223.82", + "10.135.70.159" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "CSe", @@ -2068,8 +2068,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.56.10.84", - "10.12.54.142" + "10.12.54.142", + "10.56.10.84" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", @@ -2105,8 +2105,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.117.63.181", - "10.222.169.140" + "10.222.169.140", + "10.117.63.181" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2247,8 +2247,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.129.101.147", - "10.206.229.61" + "10.206.229.61", + "10.129.101.147" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", @@ -2383,8 +2383,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.29.120.226", - "10.203.146.137" + "10.203.146.137", + "10.29.120.226" ], "rsa.internal.messageid": "712", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index b57ab7067ab7..392ac679e441 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -59,9 +59,9 @@ "10.57.170.140" ], "related.user": [ - "sunt", + "dexeac", "icistatuscode=giatquov", - "dexeac" + "sunt" ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF", @@ -70,8 +70,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "ugiatnu" + "ugiatnu", + "block" ], "rsa.misc.comments": "colabo", "rsa.misc.content_type": "sedd", @@ -163,8 +163,8 @@ "10.106.239.55" ], "related.user": [ - "itquiin", - "eaq" + "eaq", + "itquiin" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor", @@ -638,8 +638,8 @@ "10.54.169.175" ], "related.user": [ - "taspe", - "scipit" + "scipit", + "taspe" ], "rsa.identity.logon_type": "olores", "rsa.internal.event_desc": "secil", @@ -974,8 +974,8 @@ "10.232.108.32" ], "related.user": [ - "rsp", - "llum" + "llum", + "rsp" ], "rsa.identity.logon_type": "ntut", "rsa.internal.event_desc": "ittenb", @@ -1033,13 +1033,13 @@ "Duis583.api.local" ], "related.ip": [ - "10.17.51.153", - "10.89.41.97" + "10.89.41.97", + "10.17.51.153" ], "related.user": [ - "tcustatuscode=eumiu", "tio", - "pteurs" + "pteurs", + "tcustatuscode=eumiu" ], "rsa.db.index": "eavolupt", "rsa.identity.logon_type": "ursintoc", @@ -1610,8 +1610,8 @@ "10.244.96.61" ], "related.user": [ - "itsedqui", - "iumt" + "iumt", + "itsedqui" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1851,13 +1851,13 @@ "tenbyCi4371.www5.localdomain" ], "related.ip": [ - "10.98.126.206", - "10.214.167.164" + "10.214.167.164", + "10.98.126.206" ], "related.user": [ - "hen", + "amremapstatuscode=dolorsit", "isnostru", - "amremapstatuscode=dolorsit" + "hen" ], "rsa.db.index": "spernatu", "rsa.identity.logon_type": "untutl", @@ -1866,8 +1866,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "nsectetu", - "block" + "block", + "nsectetu" ], "rsa.misc.comments": "uaer", "rsa.misc.content_type": "eaqu", @@ -1924,8 +1924,8 @@ "observer.vendor": "Sophos", "process.pid": 6722, "related.ip": [ - "10.32.236.117", - "10.203.157.250" + "10.203.157.250", + "10.32.236.117" ], "rsa.internal.event_desc": "Packet", "rsa.internal.messageid": "ulogd", @@ -2033,10 +2033,10 @@ "10.92.93.236" ], "related.user": [ - "ulpaq", + "ntoccae", "Sedutper", "dolorsistatuscode=acc", - "ntoccae" + "ulpaq" ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", @@ -2045,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "icons", - "block" + "block", + "icons" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -2124,9 +2124,9 @@ "10.202.65.2" ], "related.user": [ - "atatno", "iscivelistatuscode=urve", - "tasu" + "tasu", + "atatno" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", @@ -2314,13 +2314,13 @@ "obea2960.mail.corp" ], "related.ip": [ - "10.33.138.154", - "10.45.12.53" + "10.45.12.53", + "10.33.138.154" ], "related.user": [ - "eturadip", + "porincid", "umqustatuscode=ntexpli", - "porincid" + "eturadip" ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2481,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "antium", - "etconsec" + "etconsec", + "antium" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2628,14 +2628,14 @@ "nisiuta4810.api.test" ], "related.ip": [ - "10.85.200.58", - "10.210.175.52" + "10.210.175.52", + "10.85.200.58" ], "related.user": [ - "Loremi", - "rExce", "reetd", - "inimastatuscode=emipsum" + "inimastatuscode=emipsum", + "Loremi", + "rExce" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2644,8 +2644,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "cancel", - "odte" + "odte", + "cancel" ], "rsa.misc.comments": "emquia", "rsa.misc.content_type": "sauteir", @@ -3619,8 +3619,8 @@ "10.96.200.83" ], "related.user": [ - "lapariat", - "acommod" + "acommod", + "lapariat" ], "rsa.identity.logon_type": "remeumf", "rsa.internal.event_desc": "dol", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 90a40d0b0958..a78e3c1ccb0d 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -70,6 +70,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -131,6 +132,7 @@ "source.geo.city_name": "Miami", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 25.7806, "source.geo.location.lon": -80.1826, "source.geo.region_iso_code": "US-FL", @@ -154,6 +156,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -217,6 +220,7 @@ "source.geo.city_name": "Cabreuva", "source.geo.continent_name": "South America", "source.geo.country_iso_code": "BR", + "source.geo.country_name": "Brazil", "source.geo.location.lat": -23.3149, "source.geo.location.lon": -47.0763, "source.geo.region_iso_code": "BR-SP", @@ -240,6 +244,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -302,6 +307,7 @@ "source.domain": "ELTOBGI.COM", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.4964, "source.geo.location.lon": -0.1224, "source.ip": "77.72.3.56", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index a78e27fa46e1..42590edbb335 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -10,6 +10,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -87,6 +88,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -163,6 +165,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "South America", "destination.geo.country_iso_code": "UY", + "destination.geo.country_name": "Uruguay", "destination.geo.location.lat": -33.0, "destination.geo.location.lon": -56.0, "destination.ip": "186.8.209.194", @@ -225,6 +228,7 @@ "source.bytes": 0, "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "82.165.194.211", @@ -246,6 +250,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "185.7.209.194", @@ -309,6 +314,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.4902, "source.geo.location.lon": -122.3004, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 7dbb62894562..38c2694478e7 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "Petersburg Internet Network ltd.", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.ip": "46.161.30.47", @@ -76,6 +77,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -143,6 +145,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -209,6 +212,7 @@ "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "82.211.30.202", diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index a82d4550f57b..84dc15e1aeb7 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "BHARTI Airtel Ltd.", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IN", + "destination.geo.country_name": "India", "destination.geo.location.lat": 20.0, "destination.geo.location.lon": 77.0, "destination.ip": "182.79.221.19", @@ -78,6 +79,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -134,6 +136,7 @@ "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "5.5.5.15", @@ -153,6 +156,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "74.125.130.188", @@ -213,6 +217,7 @@ "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "5.5.5.15", @@ -231,6 +236,7 @@ "destination.geo.city_name": "Dublin", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IE", + "destination.geo.country_name": "Ireland", "destination.geo.location.lat": 53.3338, "destination.geo.location.lon": -6.2488, "destination.geo.region_iso_code": "IE-L", @@ -302,6 +308,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -375,6 +382,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -498,6 +506,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "64.233.189.147", @@ -569,6 +578,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "64.233.188.94", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index d14c2bb9924b..89d6878ec6f5 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -59,6 +59,7 @@ "destination.as.organization.name": "DoD Network Information Center", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "214.167.51.66", @@ -105,6 +106,7 @@ "source.geo.city_name": "Elblag", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.172, "source.geo.location.lon": 19.4195, "source.geo.region_iso_code": "PL-28", @@ -199,6 +201,7 @@ "source.geo.city_name": "August\u00f3w", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 53.845, "source.geo.location.lon": 22.985, "source.geo.region_iso_code": "PL-20", @@ -336,6 +339,7 @@ "source.geo.city_name": "Schleidweiler", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.8808, "source.geo.location.lon": 6.6593, "source.geo.region_iso_code": "DE-RP", @@ -438,6 +442,7 @@ "source.geo.city_name": "Fell", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.7667, "source.geo.location.lon": 6.7833, "source.geo.region_iso_code": "DE-RP", @@ -522,6 +527,7 @@ "sophos.xg.status": "Failed", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "172.66.35.15", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index d392790d7956..7f1e5d9190be 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -13,6 +13,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -98,6 +99,7 @@ "source.bytes": 459, "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7386, "source.geo.location.lon": 37.6068, "source.ip": "172.17.34.15", @@ -125,6 +127,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -211,6 +214,7 @@ "source.geo.city_name": "Saint-Prex", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", "source.geo.location.lat": 46.4796, "source.geo.location.lon": 6.4599, "source.geo.region_iso_code": "CH-VD", @@ -410,6 +414,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "185.7.209.207", @@ -481,6 +486,7 @@ "source.geo.city_name": "Warsaw", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 52.25, "source.geo.location.lon": 21.0, "source.geo.region_iso_code": "PL-14", @@ -1030,6 +1036,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1437,6 +1444,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1687,6 +1695,7 @@ "destination.geo.city_name": "Richardson", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.9473, "destination.geo.location.lon": -96.7028, "destination.geo.region_iso_code": "US-TX", diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 7caee4d72eb3..d92a2b2e7e41 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -61,6 +61,7 @@ "source.as.organization.name": "Bestnet Service SRL", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RO", + "source.geo.country_name": "Romania", "source.geo.location.lat": 46.0, "source.geo.location.lon": 25.0, "source.ip": "89.40.182.58", @@ -132,6 +133,7 @@ "source.as.organization.name": "China Unicom Beijing Province Network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 31.0449, "source.geo.location.lon": 121.4012, "source.geo.region_iso_code": "CN-SH", @@ -205,6 +207,7 @@ "source.as.organization.name": "KPN B.V.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.ip": "77.61.185.101", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index fe6af6446111..ceed76baef16 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -9,6 +9,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -66,6 +67,7 @@ "source.geo.city_name": "Gdynia", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.5055, "source.geo.location.lon": 18.5403, "source.geo.region_iso_code": "PL-22", @@ -88,6 +90,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -146,6 +149,7 @@ "source.geo.city_name": "Gdynia", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.5055, "source.geo.location.lon": 18.5403, "source.geo.region_iso_code": "PL-22", @@ -303,6 +307,7 @@ "destination.bytes": 403, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "216.167.51.72", @@ -359,6 +364,7 @@ "source.geo.city_name": "Bucharest", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RO", + "source.geo.country_name": "Romania", "source.geo.location.lat": 44.4176, "source.geo.location.lon": 26.1708, "source.geo.region_iso_code": "RO-B", diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 26b891ba4f12..e9284eed5548 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -5,6 +5,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -36,8 +37,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -67,6 +68,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -89,8 +91,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -101,8 +103,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -132,6 +134,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -155,8 +158,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -167,8 +170,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -220,8 +223,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -273,8 +276,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -304,6 +307,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -338,8 +342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -368,6 +372,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -389,8 +394,8 @@ "www.google-analytics.com" ], "related.ip": [ - "10.105.21.199", - "66.102.9.147" + "66.102.9.147", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -401,8 +406,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -432,6 +437,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -455,8 +461,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -467,8 +473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -498,6 +504,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -521,8 +528,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -533,8 +540,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -564,6 +571,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -652,8 +660,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -683,6 +691,7 @@ "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.9379, "destination.geo.location.lon": -96.8384, "destination.geo.region_iso_code": "US-TX", @@ -706,8 +715,8 @@ "as.casalemedia.com" ], "related.ip": [ - "10.105.21.199", - "209.85.16.38" + "209.85.16.38", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -746,6 +755,7 @@ "@timestamp": "2006-09-08T04:22:06.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -766,8 +776,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "10.105.21.199", - "68.142.213.132" + "68.142.213.132", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -777,8 +787,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -807,6 +817,7 @@ "destination.as.organization.name": "Telia Company AB", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", "destination.geo.location.lat": 59.3247, "destination.geo.location.lon": 18.056, "destination.ip": [ @@ -840,8 +851,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -871,6 +882,7 @@ "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.0675, "destination.geo.location.lon": -118.3521, "destination.geo.region_iso_code": "US-CA", @@ -894,8 +906,8 @@ "4.adbrite.com" ], "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -959,8 +971,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -990,6 +1002,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -1013,8 +1026,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1025,8 +1038,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1056,6 +1069,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -1079,8 +1093,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1119,6 +1133,7 @@ "@timestamp": "2006-09-08T04:22:10.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1140,8 +1155,8 @@ "4.adbrite.com" ], "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1152,8 +1167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1183,6 +1198,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -1206,8 +1222,8 @@ "ff.connextra.com" ], "related.ip": [ - "213.160.98.161", - "10.105.21.199" + "10.105.21.199", + "213.160.98.161" ], "related.user": [ "badeyek" @@ -1218,8 +1234,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1249,6 +1265,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -1284,8 +1301,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1336,8 +1353,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1366,6 +1383,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1397,8 +1415,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1480,6 +1498,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1542,6 +1561,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1607,6 +1627,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1630,8 +1651,8 @@ "hi5.com" ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1672,6 +1693,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1692,8 +1714,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1809,8 +1831,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1862,8 +1884,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1893,6 +1915,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1915,8 +1938,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1958,6 +1981,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1993,8 +2017,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -2023,6 +2047,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2054,8 +2079,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2082,6 +2107,7 @@ "@timestamp": "2006-09-08T04:22:33.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2102,8 +2128,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2114,8 +2140,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2144,6 +2170,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2165,8 +2192,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2177,8 +2204,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2207,6 +2234,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2266,6 +2294,7 @@ "@timestamp": "2006-09-08T04:22:35.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2330,6 +2359,7 @@ "destination.geo.city_name": "Sacramento", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.6415, "destination.geo.location.lon": -121.5114, "destination.geo.region_iso_code": "US-CA", @@ -2395,6 +2425,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2455,6 +2486,7 @@ "@timestamp": "2006-09-08T04:22:37.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2487,8 +2519,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2538,8 +2570,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2642,8 +2674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2723,6 +2755,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2837,6 +2870,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2900,6 +2934,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2920,8 +2955,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2961,6 +2996,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2994,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3024,6 +3060,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3057,8 +3094,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3109,8 +3146,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3161,8 +3198,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3191,6 +3228,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3224,8 +3262,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3254,6 +3292,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3287,8 +3326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3317,6 +3356,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3338,8 +3378,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3350,8 +3390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3380,6 +3420,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3401,8 +3442,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3413,8 +3454,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3466,8 +3507,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3519,8 +3560,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3572,8 +3613,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3602,6 +3643,7 @@ "destination.as.organization.name": "BBC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.4964, "destination.geo.location.lon": -0.1224, "destination.ip": [ @@ -3623,8 +3665,8 @@ "newsrss.bbc.co.uk" ], "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3665,6 +3707,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3834,6 +3877,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3855,8 +3899,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3866,8 +3910,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3897,6 +3941,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -3962,6 +4007,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3983,8 +4029,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3995,8 +4041,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4025,6 +4071,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4046,8 +4093,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4058,8 +4105,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4088,6 +4135,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4121,8 +4169,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4227,8 +4275,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4258,6 +4306,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4281,8 +4330,8 @@ "us.news1.yimg.com" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4293,8 +4342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4323,6 +4372,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4344,8 +4394,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4386,6 +4436,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4450,6 +4501,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4473,8 +4525,8 @@ "us.a2.yimg.com" ], "related.ip": [ - "10.105.33.214", - "213.160.98.152" + "213.160.98.152", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4515,6 +4567,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4536,8 +4589,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4576,6 +4629,7 @@ "@timestamp": "2006-09-08T04:22:54.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4597,8 +4651,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.213.132" + "68.142.213.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4637,6 +4691,7 @@ "@timestamp": "2006-09-08T04:22:56.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4698,6 +4753,7 @@ "@timestamp": "2006-09-08T04:22:57.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4782,8 +4838,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "304", @@ -4813,6 +4869,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4836,8 +4893,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4879,6 +4936,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4914,8 +4972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4944,6 +5002,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4964,8 +5023,8 @@ "login.yahoo.com" ], "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -4975,8 +5034,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5006,6 +5065,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5072,6 +5132,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5095,8 +5156,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -5191,6 +5252,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5257,6 +5319,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5323,6 +5386,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5346,8 +5410,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5358,8 +5422,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5411,8 +5475,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5492,6 +5556,7 @@ "@timestamp": "2006-09-08T04:23:01.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -5513,8 +5578,8 @@ "launch.adserver.yahoo.com" ], "related.ip": [ - "216.109.125.112", - "10.105.33.214" + "10.105.33.214", + "216.109.125.112" ], "related.user": [ "adeolaegbedokun" @@ -5525,8 +5590,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5555,6 +5620,7 @@ "destination.as.organization.name": "Yahoo! UK Services Limited", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.4964, "destination.geo.location.lon": -0.1224, "destination.ip": [ @@ -5576,8 +5642,8 @@ "uk.f250.mail.yahoo.com" ], "related.ip": [ - "217.12.10.96", - "10.105.21.199" + "10.105.21.199", + "217.12.10.96" ], "related.user": [ "badeyek" @@ -5639,8 +5705,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5670,6 +5736,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5693,8 +5760,8 @@ "us.js2.yimg.com" ], "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5789,6 +5856,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 68412b504dc4..a63e2fd592a7 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -9,6 +9,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -89,6 +90,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -169,6 +171,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -249,6 +252,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -329,6 +333,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -409,6 +414,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -489,6 +495,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -569,6 +576,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -649,6 +657,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -729,6 +738,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -809,6 +819,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -889,6 +900,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -969,6 +981,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1049,6 +1062,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1129,6 +1143,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1209,6 +1224,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1289,6 +1305,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1369,6 +1386,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1449,6 +1467,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1528,6 +1547,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 5d113c8d370b..4851f2db8263 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -415,6 +415,7 @@ "destination.domain": "p33-btmmdns.icloud.com", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.142.164.13", diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json index 9b9183fe35a9..0c6eccf2dccb 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json @@ -704,8 +704,8 @@ "bore5546.www.local" ], "related.ip": [ - "10.7.164.113", "10.175.83.138", + "10.7.164.113", "10.207.125.114" ], "related.user": [ @@ -2263,8 +2263,8 @@ "edi6108.internal.domain" ], "related.ip": [ - "10.72.200.11", - "10.132.171.142" + "10.132.171.142", + "10.72.200.11" ], "related.user": [ "ero" @@ -2579,8 +2579,8 @@ "dita2048.www5.home" ], "related.ip": [ - "10.171.13.85", - "10.40.133.90" + "10.40.133.90", + "10.171.13.85" ], "related.user": [ "bor" @@ -2795,8 +2795,8 @@ "urExcep6087.www5.localhost" ], "related.ip": [ - "10.155.163.6", - "10.31.231.57" + "10.31.231.57", + "10.155.163.6" ], "related.user": [ "norumetM" diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index ccb28ef2f925..b7c0e0bc8cbb 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -59,6 +59,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -116,6 +117,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -154,6 +156,7 @@ "source.bytes": 103, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.4.2.2", diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json index c4364d774268..200950e922a4 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json @@ -7,6 +7,7 @@ "destination.geo.city_name": "San Jose", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3388, "destination.geo.location.lon": -121.8914, "destination.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json index 245d1154e86b..06d833b6a424 100644 --- a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", @@ -52,6 +53,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", @@ -103,6 +105,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json index a5838e9f3f11..90bb5e3145ed 100644 --- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json @@ -40,6 +40,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -71,6 +72,7 @@ "source.geo.city_name": "Longmont", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.1559, "source.geo.location.lon": -105.1624, "source.geo.region_iso_code": "US-CO", diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json index 79b38a0717dd..71061cd293bc 100644 --- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Internap Corporation", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "74.63.41.218", @@ -72,6 +73,7 @@ "destination.geo.city_name": "Mexico City", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", "destination.geo.location.lat": 19.4357, "destination.geo.location.lon": -99.1438, "destination.geo.region_iso_code": "MX-CMX", @@ -108,6 +110,7 @@ "source.geo.city_name": "Mexico City", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", "source.geo.location.lat": 19.4357, "source.geo.location.lon": -99.1438, "source.geo.region_iso_code": "MX-CMX", @@ -151,6 +154,7 @@ "destination.geo.city_name": "Mexico City", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", "destination.geo.location.lat": 19.4357, "destination.geo.location.lon": -99.1438, "destination.geo.region_iso_code": "MX-CMX", @@ -187,6 +191,7 @@ "source.geo.city_name": "Mexico City", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", "source.geo.location.lat": 19.4357, "source.geo.location.lon": -99.1438, "source.geo.region_iso_code": "MX-CMX", diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 805d20d2a543..67817ff0a426 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -8,6 +8,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -88,6 +89,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json index 8fdfd983c941..34d600174ac1 100644 --- a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json index 1e00e616e36c..3ef709508a3f 100644 --- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Air Force Systems Networking", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "132.16.110.133", @@ -33,6 +34,7 @@ "source.as.organization.name": "Air Force Systems Networking", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "132.16.146.79", diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index b7bd436496b9..1fbe44131f53 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -26,8 +26,8 @@ "rci737.www5.example" ], "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -115,8 +115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "Allowed", - "tur" + "tur", + "Allowed" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -176,8 +176,8 @@ "orsitame3262.domain" ], "related.ip": [ - "10.254.146.57", - "10.204.86.149" + "10.204.86.149", + "10.254.146.57" ], "related.user": [ "tenima" @@ -191,8 +191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "giatq", - "Blocked" + "Blocked", + "giatq" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -252,8 +252,8 @@ "tempor4496.www.localdomain" ], "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -267,8 +267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "llam", - "Allowed" + "Allowed", + "llam" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -328,8 +328,8 @@ "ore2933.www.test" ], "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -343,8 +343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -480,8 +480,8 @@ "cup1793.local" ], "related.ip": [ - "10.243.224.205", - "10.123.104.59" + "10.123.104.59", + "10.243.224.205" ], "related.user": [ "xercitat" @@ -495,8 +495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "Blocked", - "dun" + "dun", + "Blocked" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -632,8 +632,8 @@ "aperia4409.www5.invalid" ], "related.ip": [ - "10.78.151.178", - "10.25.192.202" + "10.25.192.202", + "10.78.151.178" ], "related.user": [ "quip" @@ -647,8 +647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -723,8 +723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "Allowed", - "psaquae" + "psaquae", + "Allowed" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -784,8 +784,8 @@ "ite2026.www.invalid" ], "related.ip": [ - "10.19.145.131", - "10.223.247.86" + "10.223.247.86", + "10.19.145.131" ], "related.user": [ "tNequepo" @@ -860,8 +860,8 @@ "radipisc7020.home" ], "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" @@ -936,8 +936,8 @@ "uamei2493.www.test" ], "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" @@ -951,8 +951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "Allowed", - "veni" + "veni", + "Allowed" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -1027,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "ionevo", - "Allowed" + "Allowed", + "ionevo" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1088,8 +1088,8 @@ "spi3544.www.host" ], "related.ip": [ - "10.63.250.128", - "10.111.187.12" + "10.111.187.12", + "10.63.250.128" ], "related.user": [ "saute" @@ -1164,8 +1164,8 @@ "tlab5981.www.host" ], "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" @@ -1179,8 +1179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "Allowed", - "xeacomm" + "xeacomm", + "Allowed" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1331,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1392,8 +1392,8 @@ "uamei2389.internal.example" ], "related.ip": [ - "10.215.205.216", - "10.31.198.58" + "10.31.198.58", + "10.215.205.216" ], "related.user": [ "aturve" @@ -1468,8 +1468,8 @@ "eacommod1930.internal.lan" ], "related.ip": [ - "10.229.83.165", - "10.29.155.171" + "10.29.155.171", + "10.229.83.165" ], "related.user": [ "ulapar" @@ -1483,8 +1483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "llitanim", - "Allowed" + "Allowed", + "llitanim" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1544,8 +1544,8 @@ "tem6984.www5.domain" ], "related.ip": [ - "10.161.148.64", - "10.129.192.145" + "10.129.192.145", + "10.161.148.64" ], "related.user": [ "lor" @@ -1620,8 +1620,8 @@ "lapariat7287.internal.host" ], "related.ip": [ - "10.203.65.161", - "10.7.200.140" + "10.7.200.140", + "10.203.65.161" ], "related.user": [ "snost" @@ -1711,8 +1711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "atcupi", - "Blocked" + "Blocked", + "atcupi" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1772,8 +1772,8 @@ "stenatu4844.www.invalid" ], "related.ip": [ - "10.39.31.115", - "10.24.111.229" + "10.24.111.229", + "10.39.31.115" ], "related.user": [ "fugi" @@ -1848,8 +1848,8 @@ "sitam5077.internal.host" ], "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" ], "related.user": [ "boreetdo" @@ -2000,8 +2000,8 @@ "lloin4019.www.localhost" ], "related.ip": [ - "10.130.241.232", - "10.238.224.49" + "10.238.224.49", + "10.130.241.232" ], "related.user": [ "onse" @@ -2015,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "mod", - "Allowed" + "Allowed", + "mod" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -2076,8 +2076,8 @@ "tamet6317.www.host" ], "related.ip": [ - "10.2.67.127", - "10.115.53.31" + "10.115.53.31", + "10.2.67.127" ], "related.user": [ "Cic" @@ -2091,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "tatem", - "Allowed" + "Allowed", + "tatem" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2167,8 +2167,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "quasiarc", - "Allowed" + "Allowed", + "quasiarc" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2228,8 +2228,8 @@ "utaliqu4248.www.localhost" ], "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2319,8 +2319,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mag", "rsa.misc.action": [ - "tali", - "Allowed" + "Allowed", + "tali" ], "rsa.misc.category": "oconse", "rsa.misc.filter": "npr", @@ -2380,8 +2380,8 @@ "tatio6513.www.invalid" ], "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2471,8 +2471,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2532,8 +2532,8 @@ "aquioff3853.www.localdomain" ], "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" ], "related.user": [ "mUteni" @@ -2547,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2623,8 +2623,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2684,8 +2684,8 @@ "iamea478.www5.host" ], "related.ip": [ - "10.142.120.198", - "10.166.10.42" + "10.166.10.42", + "10.142.120.198" ], "related.user": [ "olori" @@ -2699,8 +2699,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2775,8 +2775,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "Allowed", - "sed" + "sed", + "Allowed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2851,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "Allowed", - "litanim" + "litanim", + "Allowed" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2927,8 +2927,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "Blocked", - "lestia" + "lestia", + "Blocked" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2988,8 +2988,8 @@ "pariatur7238.www5.invalid" ], "related.ip": [ - "10.202.224.79", - "10.33.144.10" + "10.33.144.10", + "10.202.224.79" ], "related.user": [ "rios" @@ -3079,8 +3079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "quid", - "Allowed" + "Allowed", + "quid" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3140,8 +3140,8 @@ "mquisnos7453.home" ], "related.ip": [ - "10.134.128.27", - "10.118.177.136" + "10.118.177.136", + "10.134.128.27" ], "related.user": [ "Utenima" @@ -3155,8 +3155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "Allowed", - "olor" + "olor", + "Allowed" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3307,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "mwrit", - "Blocked" + "Blocked", + "mwrit" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3368,8 +3368,8 @@ "etdolore4227.internal.corp" ], "related.ip": [ - "10.30.87.51", - "10.156.177.53" + "10.156.177.53", + "10.30.87.51" ], "related.user": [ "psaquaea" @@ -3383,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "ptatev", - "Blocked" + "Blocked", + "ptatev" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3444,8 +3444,8 @@ "rors1935.api.domain" ], "related.ip": [ - "10.83.138.34", - "10.111.249.184" + "10.111.249.184", + "10.83.138.34" ], "related.user": [ "dentsunt" @@ -3459,8 +3459,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "Blocked", - "upta" + "upta", + "Blocked" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3520,8 +3520,8 @@ "idexeac1655.internal.test" ], "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3535,8 +3535,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "Allowed", - "uip" + "uip", + "Allowed" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3670,8 +3670,8 @@ "tecto708.www5.example" ], "related.ip": [ - "10.22.122.43", - "10.100.143.226" + "10.100.143.226", + "10.22.122.43" ], "related.user": [ "ute" @@ -3685,8 +3685,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Bonoru", - "Blocked" + "Blocked", + "Bonoru" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3746,8 +3746,8 @@ "ine3181.www.invalid" ], "related.ip": [ - "10.119.53.68", - "10.121.9.5" + "10.121.9.5", + "10.119.53.68" ], "related.user": [ "ssec" @@ -3822,8 +3822,8 @@ "tsunt3403.www5.test" ], "related.ip": [ - "10.31.153.177", - "10.237.0.173" + "10.237.0.173", + "10.31.153.177" ], "related.user": [ "sci" @@ -3837,8 +3837,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "dolor", - "Blocked" + "Blocked", + "dolor" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3911,8 +3911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3983,8 +3983,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "exer", - "Blocked" + "Blocked", + "exer" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -4044,8 +4044,8 @@ "tamr1693.api.home" ], "related.ip": [ - "10.53.191.49", - "10.133.102.57" + "10.133.102.57", + "10.53.191.49" ], "related.user": [ "onsec" @@ -4059,8 +4059,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4135,8 +4135,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iuntN", "rsa.misc.action": [ - "nim", - "Allowed" + "Allowed", + "nim" ], "rsa.misc.category": "etco", "rsa.misc.filter": "autodita", @@ -4272,8 +4272,8 @@ "pici1525.www5.corp" ], "related.ip": [ - "10.155.252.123", - "10.178.148.188" + "10.178.148.188", + "10.155.252.123" ], "related.user": [ "inrepreh" @@ -4348,8 +4348,8 @@ "dolo6418.internal.host" ], "related.ip": [ - "10.190.42.245", - "10.220.1.249" + "10.220.1.249", + "10.190.42.245" ], "related.user": [ "olup" @@ -4363,8 +4363,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "Blocked", - "aerat" + "aerat", + "Blocked" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4422,8 +4422,8 @@ "imveni193.www5.host" ], "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4498,8 +4498,8 @@ "ionu3320.api.localhost" ], "related.ip": [ - "10.250.48.82", - "10.195.153.42" + "10.195.153.42", + "10.250.48.82" ], "related.user": [ "tsedquia" @@ -4574,8 +4574,8 @@ "remips1499.www.local" ], "related.ip": [ - "10.252.164.230", - "10.60.52.219" + "10.60.52.219", + "10.252.164.230" ], "related.user": [ "gnamali" @@ -4589,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4646,8 +4646,8 @@ "mdoloree96.domain" ], "related.ip": [ - "10.187.16.73", - "10.122.102.156" + "10.122.102.156", + "10.187.16.73" ], "related.user": [ "emoen" @@ -4796,8 +4796,8 @@ "sBonoru1929.example" ], "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" @@ -4872,8 +4872,8 @@ "onorumet4871.lan" ], "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -4887,8 +4887,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vento", "rsa.misc.action": [ - "Blocked", - "reh" + "reh", + "Blocked" ], "rsa.misc.category": "atev", "rsa.misc.filter": "umq", @@ -4948,8 +4948,8 @@ "onproi4354.www5.invalid" ], "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" @@ -4963,8 +4963,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "Blocked", - "squirat" + "squirat", + "Blocked" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -5024,8 +5024,8 @@ "beataevi7552.api.test" ], "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" ], "related.user": [ "eavolupt" @@ -5039,8 +5039,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -5115,8 +5115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "Allowed", - "rmagnido" + "rmagnido", + "Allowed" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "Blocked", - "umq" + "umq", + "Blocked" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5267,8 +5267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "Allowed", - "userro" + "userro", + "Allowed" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5328,8 +5328,8 @@ "olo7317.www5.localhost" ], "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5343,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "onevo", - "Allowed" + "Allowed", + "onevo" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "Blocked", - "maccu" + "maccu", + "Blocked" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5480,8 +5480,8 @@ "agna5654.www.corp" ], "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5495,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "Allowed", - "iqu" + "iqu", + "Allowed" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5556,8 +5556,8 @@ "ites5711.internal.host" ], "related.ip": [ - "10.162.78.48", - "10.24.23.209" + "10.24.23.209", + "10.162.78.48" ], "related.user": [ "ntore" @@ -5571,8 +5571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "Blocked", - "tutl" + "tutl", + "Blocked" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5632,8 +5632,8 @@ "oluptat2848.api.home" ], "related.ip": [ - "10.211.66.68", - "10.55.151.53" + "10.55.151.53", + "10.211.66.68" ], "related.user": [ "squir" @@ -5647,8 +5647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "Allowed", - "umet" + "umet", + "Allowed" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", @@ -5708,8 +5708,8 @@ "ngelitse7535.internal.lan" ], "related.ip": [ - "10.110.16.169", - "10.209.203.156" + "10.209.203.156", + "10.110.16.169" ], "related.user": [ "mes" @@ -5723,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "Blocked", - "lupta" + "lupta", + "Blocked" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5784,8 +5784,8 @@ "tiumtot3611.internal.localdomain" ], "related.ip": [ - "10.107.68.114", - "10.84.9.150" + "10.84.9.150", + "10.107.68.114" ], "related.user": [ "sequatDu" @@ -5799,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "uianonnu", - "Allowed" + "Allowed", + "uianonnu" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5875,8 +5875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "ici", - "Blocked" + "Blocked", + "ici" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5936,8 +5936,8 @@ "psaqu6066.www5.localhost" ], "related.ip": [ - "10.164.190.2", - "10.223.11.164" + "10.223.11.164", + "10.164.190.2" ], "related.user": [ "ten" @@ -6012,8 +6012,8 @@ "iavol5202.api.example" ], "related.ip": [ - "10.121.181.243", - "10.14.37.8" + "10.14.37.8", + "10.121.181.243" ], "related.user": [ "umwr" @@ -6027,8 +6027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -6103,8 +6103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "nia", - "Blocked" + "Blocked", + "nia" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6164,8 +6164,8 @@ "rsitame4049.internal.corp" ], "related.ip": [ - "10.77.102.206", - "10.34.98.144" + "10.34.98.144", + "10.77.102.206" ], "related.user": [ "tectobe" @@ -6179,8 +6179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "Allowed", - "ulapa" + "ulapa", + "Allowed" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -6240,8 +6240,8 @@ "elit912.www5.test" ], "related.ip": [ - "10.176.233.249", - "10.75.144.118" + "10.75.144.118", + "10.176.233.249" ], "related.user": [ "isnos" @@ -6255,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "Blocked", - "odic" + "odic", + "Blocked" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6331,8 +6331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "Allowed", - "mvele" + "mvele", + "Allowed" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6620,8 +6620,8 @@ "archite4407.mail.invalid" ], "related.ip": [ - "10.247.255.107", - "10.234.34.40" + "10.234.34.40", + "10.247.255.107" ], "related.user": [ "aeabillo" @@ -6696,8 +6696,8 @@ "aria1424.mail.home" ], "related.ip": [ - "10.250.102.42", - "10.124.81.20" + "10.124.81.20", + "10.250.102.42" ], "related.user": [ "tNequ" @@ -6711,8 +6711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6772,8 +6772,8 @@ "Bonoru7444.www5.example" ], "related.ip": [ - "10.166.205.159", - "10.154.188.132" + "10.154.188.132", + "10.166.205.159" ], "related.user": [ "uptat" @@ -6787,8 +6787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "Allowed", - "onevolu" + "onevolu", + "Allowed" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6916,8 +6916,8 @@ "oloremeu5047.www5.invalid" ], "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6931,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "tatemacc", - "Blocked" + "Blocked", + "tatemacc" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6992,8 +6992,8 @@ "edutpe1255.internal.lan" ], "related.ip": [ - "10.195.62.230", - "10.98.126.206" + "10.98.126.206", + "10.195.62.230" ], "related.user": [ "ptassit" @@ -7007,8 +7007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -7068,8 +7068,8 @@ "nderit1171.www5.domain" ], "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" ], "related.user": [ "eroi" @@ -7220,8 +7220,8 @@ "oremeum4231.internal.host" ], "related.ip": [ - "10.139.90.218", - "10.131.81.172" + "10.131.81.172", + "10.139.90.218" ], "related.user": [ "hende" @@ -7235,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7296,8 +7296,8 @@ "ueip6097.api.host" ], "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "related.user": [ "mquiado" @@ -7387,8 +7387,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7448,8 +7448,8 @@ "onsequ3168.www.corp" ], "related.ip": [ - "10.172.17.6", - "10.109.192.53" + "10.109.192.53", + "10.172.17.6" ], "related.user": [ "eprehen" @@ -7463,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "Blocked", - "tassit" + "tassit", + "Blocked" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7524,8 +7524,8 @@ "oremquel3120.internal.localhost" ], "related.ip": [ - "10.135.38.213", - "10.119.106.108" + "10.119.106.108", + "10.135.38.213" ], "related.user": [ "ore" @@ -7539,8 +7539,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "Blocked", - "volup" + "volup", + "Blocked" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index bdf9957b55dc..d2e89ea6140a 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -31,8 +31,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", From 48c60f8ae024057a3e9ac49382978345a2893f93 Mon Sep 17 00:00:00 2001 From: Michal Pristas Date: Fri, 2 Oct 2020 10:03:33 +0200 Subject: [PATCH 12/18] [Ingest Manager] Split index restrictions into type,dataset, namespace parts (#21406) [Ingest Manager] Split index restrictions into type,dataset, namespace parts (#21406) --- .../application/filters/stream_checker.go | 91 ++++++++++--------- .../filters/stream_checker_test.go | 79 ++++++---------- 2 files changed, 77 insertions(+), 93 deletions(-) diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go index 3a6a7843b72d..4f9e753ba949 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go @@ -5,7 +5,6 @@ package filters import ( - "fmt" "strings" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" @@ -47,11 +46,7 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if nsNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := nsNode.(*transpiler.Key) if ok { - newNamespace := nsKey.Value().(transpiler.Node).String() - if !isValid(newNamespace) { - return ErrInvalidNamespace - } - namespace = newNamespace + namespace = nsKey.Value().(transpiler.Node).String() } } else { dsNode, found := inputNode.Find("data_stream") @@ -63,17 +58,17 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if found { nsKey, ok := nsNode.(*transpiler.Key) if ok { - newNamespace := nsKey.Value().(transpiler.Node).String() - if !isValid(newNamespace) { - return ErrInvalidNamespace - } - namespace = newNamespace + namespace = nsKey.Value().(transpiler.Node).String() } } } } } + if !matchesNamespaceContraints(namespace) { + return ErrInvalidNamespace + } + // get the type, longest type for now is metrics datasetType := "metrics" if nsNode, found := inputNode.Find("data_stream.type"); found { @@ -100,6 +95,10 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } } + if !matchesTypeConstraints(datasetType) { + return ErrInvalidIndex + } + streamsNode, ok := inputNode.Find("streams") if ok { streamsList, ok := streamsNode.Value().(*transpiler.List) @@ -119,11 +118,8 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { - newDataset := dsKey.Value().(transpiler.Node).String() - if !isValid(newDataset) { - return ErrInvalidDataset - } - datasetName = newDataset + datasetName = dsKey.Value().(transpiler.Node).String() + break } } else { datasetNode, found := streamMap.Find("data_stream") @@ -137,11 +133,8 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { - newDataset := dsKey.Value().(transpiler.Node).String() - if !isValid(newDataset) { - return ErrInvalidDataset - } - datasetName = newDataset + datasetName = dsKey.Value().(transpiler.Node).String() + break } } } @@ -149,49 +142,65 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } } } - - if indexName := fmt.Sprintf("%s-%s-%s", datasetType, datasetName, namespace); !matchesIndexContraints(indexName) { - return ErrInvalidIndex + if !matchesDatasetConstraints(datasetName) { + return ErrInvalidDataset } } return nil } -// The only two requirement are that it has only characters allowed in an Elasticsearch index name -// and does NOT contain a `-`. -func isValid(namespace string) bool { - return matchesIndexContraints(namespace) && !strings.Contains(namespace, "-") -} - // The only two requirement are that it has only characters allowed in an Elasticsearch index name // Index names must meet the following criteria: +// Not longer than 100 bytes // Lowercase only // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesNamespaceContraints(namespace string) bool { + // length restriction is in bytes, not characters + if len(namespace) <= 0 || len(namespace) > 100 { + return false + } + + return isCharactersetValid(namespace) +} + +// matchesTypeConstraints fails for following rules. As type is first element of resulting index prefix restrictions need to be applied. +// Not longer than 20 bytes +// Lowercase only // Cannot start with -, _, + -// Cannot be . or .. -func matchesIndexContraints(namespace string) bool { - // Cannot be . or .. - if namespace == "." || namespace == ".." { +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesTypeConstraints(dsType string) bool { + // length restriction is in bytes, not characters + if len(dsType) <= 0 || len(dsType) > 20 { return false } - if len(namespace) <= 0 || len(namespace) > 255 { + if strings.HasPrefix(dsType, "-") || strings.HasPrefix(dsType, "_") || strings.HasPrefix(dsType, "+") { return false } - // Lowercase only - if strings.ToLower(namespace) != namespace { + return isCharactersetValid(dsType) +} + +// matchesDatasetConstraints fails for following rules +// Not longer than 100 bytes +// Lowercase only +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesDatasetConstraints(dataset string) bool { + // length restriction is in bytes, not characters + if len(dataset) <= 0 || len(dataset) > 100 { return false } - // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # - if strings.ContainsAny(namespace, "\\/*?\"<>| ,#") { + return isCharactersetValid(dataset) +} + +func isCharactersetValid(input string) bool { + if strings.ToLower(input) != input { return false } - // Cannot start with -, _, + - if strings.HasPrefix(namespace, "-") || strings.HasPrefix(namespace, "_") || strings.HasPrefix(namespace, "+") { + if strings.ContainsAny(input, "\\/*?\"<>| ,#:") { return false } diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go index 1daa14a1ad69..5750734c477b 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go @@ -93,25 +93,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidDataset, }, - - { - name: "dataset invalid dot - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": "."}}}, - }, - }, - result: ErrInvalidDataset, - }, - { - name: "dataset invalid dotdot- compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": ".."}}}, - }, - }, - result: ErrInvalidDataset, - }, { name: "dataset invalid uppercase - compact", configMap: map[string]interface{}{ @@ -139,16 +120,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidDataset, }, - { - name: "dataset invalid invalid prefix- compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": "_isthisvalid"}}}, - }, - }, - result: ErrInvalidDataset, - }, - { name: "namespace invalid - compact", configMap: map[string]interface{}{ @@ -156,22 +127,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidNamespace, }, - { - name: "namespace invalid name 1 - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"data_stream.namespace": "."}, - }, - }, - result: ErrInvalidNamespace, - }, - { - name: "namespace invalid name 2 - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"data_stream.namespace": ".."}}, - }, - result: ErrInvalidNamespace, - }, { name: "namespace invalid name uppercase - compact", configMap: map[string]interface{}{ @@ -193,13 +148,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidNamespace, }, - { - name: "namespace invalid name invalid prefix - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"data_stream.namespace": "+isitok"}}, - }, - result: ErrInvalidNamespace, - }, { name: "namespace invalid - long", configMap: map[string]interface{}{ @@ -274,6 +222,33 @@ func TestStreamCheck(t *testing.T) { }, result: nil, }, + { + name: "type invalid prefix _", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "_type"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid prefix -", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "-type"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid prefix +", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "+type"}, + }, + }, + result: ErrInvalidIndex, + }, } log, err := logger.New("") From a119083d71136cc18eed23128a02ad836a22d66b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 2 Oct 2020 12:33:32 +0200 Subject: [PATCH 13/18] Add implementation of FSWatcher and FSScanner for filestream (#21444) ## What does this PR do? This PR adds the implementation for `FSWatcher` and `FSScanner` for the `filestream` input. The implementation of `FSScanner` is called `fileScanner`. It is responsible for * resolves recursive globs on creation * normalizes glob patterns on creation * finds files which match the configured paths and returns `FileInfo` for those This is the refactored version of the `log` input's scanner, globber functions. The implementation of `FSWatcher` is called `fileWatcher`. It checks the file list returned by `fileScanner` and creates events based on the result. ## Why is it important? It is required for the `filestream` input. ## Related issues Related #20243 --- filebeat/input/filestream/fswatch.go | 375 ++++++++++++++++++ filebeat/input/filestream/fswatch_test.go | 300 ++++++++++++++ .../input/filestream/testdata/excluded_file | 0 .../input/filestream/testdata/included_file | 0 .../testdata/symlink_to_included_file | 1 + 5 files changed, 676 insertions(+) create mode 100644 filebeat/input/filestream/fswatch.go create mode 100644 filebeat/input/filestream/fswatch_test.go create mode 100644 filebeat/input/filestream/testdata/excluded_file create mode 100644 filebeat/input/filestream/testdata/included_file create mode 120000 filebeat/input/filestream/testdata/symlink_to_included_file diff --git a/filebeat/input/filestream/fswatch.go b/filebeat/input/filestream/fswatch.go new file mode 100644 index 000000000000..d4bc1b5ea089 --- /dev/null +++ b/filebeat/input/filestream/fswatch.go @@ -0,0 +1,375 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "fmt" + "os" + "path/filepath" + "time" + + "github.com/elastic/beats/v7/filebeat/input/file" + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/unison" +) + +const ( + recursiveGlobDepth = 8 + scannerName = "scanner" + watcherDebugKey = "file_watcher" +) + +var ( + watcherFactories = map[string]watcherFactory{ + scannerName: newScannerWatcher, + } +) + +type watcherFactory func(paths []string, cfg *common.Config) (loginp.FSWatcher, error) + +// fileScanner looks for files which match the patterns in paths. +// It is able to exclude files and symlinks. +type fileScanner struct { + paths []string + excludedFiles []match.Matcher + symlinks bool + + log *logp.Logger +} + +type fileWatcherConfig struct { + // Interval is the time between two scans. + Interval time.Duration + // Scanner is the configuration of the scanner. + Scanner fileScannerConfig +} + +// fileWatcher gets the list of files from a FSWatcher and creates events by +// comparing the files between its last two runs. +type fileWatcher struct { + interval time.Duration + prev map[string]os.FileInfo + scanner loginp.FSScanner + log *logp.Logger + events chan loginp.FSEvent +} + +func newFileWatcher(paths []string, ns *common.ConfigNamespace) (loginp.FSWatcher, error) { + if ns == nil { + return newScannerWatcher(paths, nil) + } + + watcherType := ns.Name() + f, ok := watcherFactories[watcherType] + if !ok { + return nil, fmt.Errorf("no such file watcher: %s", watcherType) + } + + return f(paths, ns.Config()) +} + +func newScannerWatcher(paths []string, c *common.Config) (loginp.FSWatcher, error) { + config := defaultFileWatcherConfig() + err := c.Unpack(&config) + if err != nil { + return nil, err + } + scanner, err := newFileScanner(paths, config.Scanner) + if err != nil { + return nil, err + } + return &fileWatcher{ + log: logp.NewLogger(watcherDebugKey), + interval: config.Interval, + prev: make(map[string]os.FileInfo, 0), + scanner: scanner, + events: make(chan loginp.FSEvent), + }, nil +} + +func defaultFileWatcherConfig() fileWatcherConfig { + return fileWatcherConfig{ + Interval: 10 * time.Second, + Scanner: defaultFileScannerConfig(), + } +} + +func (w *fileWatcher) Run(ctx unison.Canceler) { + defer close(w.events) + + ticker := time.NewTicker(w.interval) + defer ticker.Stop() + for { + select { + case <-ctx.Done(): + return + case <-ticker.C: + w.watch(ctx) + } + } +} + +func (w *fileWatcher) watch(ctx unison.Canceler) { + w.log.Info("Start next scan") + + paths := w.scanner.GetFiles() + + newFiles := make(map[string]os.FileInfo) + + for path, info := range paths { + + prevInfo, ok := w.prev[path] + if !ok { + newFiles[path] = paths[path] + continue + } + + if prevInfo.ModTime() != info.ModTime() { + select { + case <-ctx.Done(): + return + case w.events <- writeEvent(path, info): + } + } + + // delete from previous state, as we have more up to date info + delete(w.prev, path) + } + + // remaining files are in the prev map are the ones that are missing + // either because they have been deleted or renamed + for removedPath, removedInfo := range w.prev { + for newPath, newInfo := range newFiles { + if os.SameFile(removedInfo, newInfo) { + select { + case <-ctx.Done(): + return + case w.events <- renamedEvent(removedPath, newPath, newInfo): + delete(newFiles, newPath) + goto CHECK_NEXT_REMOVED + } + } + } + + select { + case <-ctx.Done(): + return + case w.events <- deleteEvent(removedPath, removedInfo): + } + CHECK_NEXT_REMOVED: + } + + // remaining files in newFiles are new + for path, info := range newFiles { + select { + case <-ctx.Done(): + return + case w.events <- createEvent(path, info): + } + + } + + w.log.Debugf("Found %d paths", len(paths)) + w.prev = paths +} + +func createEvent(path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: path, Info: fi} +} + +func writeEvent(path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpWrite, OldPath: path, NewPath: path, Info: fi} +} + +func renamedEvent(oldPath, path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpRename, OldPath: oldPath, NewPath: path, Info: fi} +} + +func deleteEvent(path string, fi os.FileInfo) loginp.FSEvent { + return loginp.FSEvent{Op: loginp.OpDelete, OldPath: path, NewPath: "", Info: fi} +} + +func (w *fileWatcher) Event() loginp.FSEvent { + return <-w.events +} + +type fileScannerConfig struct { + Paths []string + ExcludedFiles []match.Matcher + Symlinks bool + RecursiveGlob bool +} + +func defaultFileScannerConfig() fileScannerConfig { + return fileScannerConfig{ + Symlinks: false, + RecursiveGlob: true, + } +} + +func newFileScanner(paths []string, cfg fileScannerConfig) (loginp.FSScanner, error) { + fs := fileScanner{ + paths: paths, + excludedFiles: cfg.ExcludedFiles, + symlinks: cfg.Symlinks, + log: logp.NewLogger(scannerName), + } + err := fs.resolveRecursiveGlobs(cfg) + if err != nil { + return nil, err + } + err = fs.normalizeGlobPatterns() + if err != nil { + return nil, err + } + + return &fs, nil +} + +// resolveRecursiveGlobs expands `**` from the globs in multiple patterns +func (s *fileScanner) resolveRecursiveGlobs(c fileScannerConfig) error { + if !c.RecursiveGlob { + s.log.Debug("recursive glob disabled") + return nil + } + + s.log.Debug("recursive glob enabled") + var paths []string + for _, path := range s.paths { + patterns, err := file.GlobPatterns(path, recursiveGlobDepth) + if err != nil { + return err + } + if len(patterns) > 1 { + s.log.Debugf("%q expanded to %#v", path, patterns) + } + paths = append(paths, patterns...) + } + s.paths = paths + return nil +} + +// normalizeGlobPatterns calls `filepath.Abs` on all the globs from config +func (s *fileScanner) normalizeGlobPatterns() error { + var paths []string + for _, path := range s.paths { + pathAbs, err := filepath.Abs(path) + if err != nil { + return fmt.Errorf("failed to get the absolute path for %s: %v", path, err) + } + paths = append(paths, pathAbs) + } + s.paths = paths + return nil +} + +// GetFiles returns a map of files and fileinfos which +// match the configured paths. +func (s *fileScanner) GetFiles() map[string]os.FileInfo { + pathInfo := map[string]os.FileInfo{} + + for _, path := range s.paths { + matches, err := filepath.Glob(path) + if err != nil { + s.log.Errorf("glob(%s) failed: %v", path, err) + continue + } + + for _, file := range matches { + if s.shouldSkipFile(file) { + continue + } + + // If symlink is enabled, it is checked that original is not part of same input + // If original is harvested by other input, states will potentially overwrite each other + if s.isOriginalAndSymlinkConfigured(file, pathInfo) { + continue + } + + fileInfo, err := os.Stat(file) + if err != nil { + s.log.Debug("stat(%s) failed: %s", file, err) + continue + } + pathInfo[file] = fileInfo + } + } + + return pathInfo +} + +func (s *fileScanner) shouldSkipFile(file string) bool { + if s.isFileExcluded(file) { + s.log.Debugf("Exclude file: %s", file) + return true + } + + fileInfo, err := os.Lstat(file) + if err != nil { + s.log.Debugf("lstat(%s) failed: %s", file, err) + return true + } + + if fileInfo.IsDir() { + s.log.Debugf("Skipping directory: %s", file) + return true + } + + isSymlink := fileInfo.Mode()&os.ModeSymlink > 0 + if isSymlink && !s.symlinks { + s.log.Debugf("File %s skipped as it is a symlink", file) + return true + } + + return false +} + +func (s *fileScanner) isOriginalAndSymlinkConfigured(file string, paths map[string]os.FileInfo) bool { + if s.symlinks { + fileInfo, err := os.Stat(file) + if err != nil { + s.log.Debugf("stat(%s) failed: %s", file, err) + return false + } + + for _, finfo := range paths { + if os.SameFile(finfo, fileInfo) { + s.log.Info("Same file found as symlink and original. Skipping file: %s (as it same as %s)", file, finfo.Name()) + return true + } + } + } + return false +} + +func (s *fileScanner) isFileExcluded(file string) bool { + return len(s.excludedFiles) > 0 && s.matchAny(s.excludedFiles, file) +} + +// matchAny checks if the text matches any of the regular expressions +func (s *fileScanner) matchAny(matchers []match.Matcher, text string) bool { + for _, m := range matchers { + if m.MatchString(text) { + return true + } + } + return false +} diff --git a/filebeat/input/filestream/fswatch_test.go b/filebeat/input/filestream/fswatch_test.go new file mode 100644 index 000000000000..5e63987c868f --- /dev/null +++ b/filebeat/input/filestream/fswatch_test.go @@ -0,0 +1,300 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "context" + "os" + "path/filepath" + "testing" + "time" + + "github.com/stretchr/testify/assert" + + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestFileScanner(t *testing.T) { + testCases := map[string]struct { + paths []string + excludedFiles []match.Matcher + symlinks bool + expectedFiles []string + }{ + "select all files": { + paths: []string{ + filepath.Join("testdata", "excluded_file"), + filepath.Join("testdata", "included_file"), + }, + expectedFiles: []string{ + mustAbsPath(filepath.Join("testdata", "excluded_file")), + mustAbsPath(filepath.Join("testdata", "included_file")), + }, + }, + "skip excluded files": { + paths: []string{ + filepath.Join("testdata", "excluded_file"), + filepath.Join("testdata", "included_file"), + }, + excludedFiles: []match.Matcher{ + match.MustCompile(filepath.Join("testdata", "excluded_file")), + }, + expectedFiles: []string{ + mustAbsPath(filepath.Join("testdata", "included_file")), + }, + }, + // covers test_input.py/test_skip_symlinks + "skip symlinks": { + paths: []string{ + filepath.Join("testdata", "symlink_to_included_file"), + filepath.Join("testdata", "included_file"), + }, + symlinks: false, + expectedFiles: []string{ + mustAbsPath(filepath.Join("testdata", "included_file")), + }, + }, + "return a file once if symlinks are enabled": { + paths: []string{ + filepath.Join("testdata", "symlink_to_included_file"), + filepath.Join("testdata", "included_file"), + }, + symlinks: true, + expectedFiles: []string{ + mustAbsPath(filepath.Join("testdata", "included_file")), + }, + }, + "skip directories": { + paths: []string{ + filepath.Join("testdata", "unharvestable_dir"), + }, + expectedFiles: []string{}, + }, + } + + for name, test := range testCases { + test := test + + t.Run(name, func(t *testing.T) { + cfg := fileScannerConfig{ + ExcludedFiles: test.excludedFiles, + Symlinks: test.symlinks, + RecursiveGlob: false, + } + fs, err := newFileScanner(test.paths, cfg) + if err != nil { + t.Fatal(err) + } + files := fs.GetFiles() + paths := make([]string, 0) + for p, _ := range files { + paths = append(paths, p) + } + assert.Equal(t, test.expectedFiles, paths) + }) + } +} + +func TestFileWatchNewDeleteModified(t *testing.T) { + oldTs := time.Now() + newTs := oldTs.Add(5 * time.Second) + testCases := map[string]struct { + prevFiles map[string]os.FileInfo + nextFiles map[string]os.FileInfo + expectedEvents []loginp.FSEvent + }{ + "one new file": { + prevFiles: map[string]os.FileInfo{}, + nextFiles: map[string]os.FileInfo{ + "new_path": testFileInfo{"new_path", 5, oldTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: "new_path", Info: testFileInfo{"new_path", 5, oldTs}}, + }, + }, + "one deleted file": { + prevFiles: map[string]os.FileInfo{ + "old_path": testFileInfo{"old_path", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{}, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpDelete, OldPath: "old_path", NewPath: "", Info: testFileInfo{"old_path", 5, oldTs}}, + }, + }, + "one modified file": { + prevFiles: map[string]os.FileInfo{ + "path": testFileInfo{"path", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path": testFileInfo{"path", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path", NewPath: "path", Info: testFileInfo{"path", 10, newTs}}, + }, + }, + "two modified files": { + prevFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 5, oldTs}, + "path2": testFileInfo{"path2", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 10, newTs}, + "path2": testFileInfo{"path2", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path1", NewPath: "path1", Info: testFileInfo{"path1", 10, newTs}}, + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path2", NewPath: "path2", Info: testFileInfo{"path2", 10, newTs}}, + }, + }, + "one modified file, one new file": { + prevFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path1": testFileInfo{"path1", 10, newTs}, + "path2": testFileInfo{"path2", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpWrite, OldPath: "path1", NewPath: "path1", Info: testFileInfo{"path1", 10, newTs}}, + loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: "path2", Info: testFileInfo{"path2", 10, newTs}}, + }, + }, + "one new file, one deleted file": { + prevFiles: map[string]os.FileInfo{ + "path_deleted": testFileInfo{"path_deleted", 5, oldTs}, + }, + nextFiles: map[string]os.FileInfo{ + "path_new": testFileInfo{"path_new", 10, newTs}, + }, + expectedEvents: []loginp.FSEvent{ + loginp.FSEvent{Op: loginp.OpDelete, OldPath: "path_deleted", NewPath: "", Info: testFileInfo{"path_deleted", 5, oldTs}}, + loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: "path_new", Info: testFileInfo{"path_new", 10, newTs}}, + }, + }, + } + + for name, test := range testCases { + test := test + + t.Run(name, func(t *testing.T) { + w := fileWatcher{ + log: logp.L(), + prev: test.prevFiles, + scanner: &mockScanner{test.nextFiles}, + events: make(chan loginp.FSEvent), + } + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + go w.watch(ctx) + + for _, expectedEvent := range test.expectedEvents { + evt := w.Event() + assert.Equal(t, expectedEvent, evt) + } + }) + } +} + +func TestFileWatcherRenamedFile(t *testing.T) { + testPath := mustAbsPath(filepath.Join("testdata", "first_name")) + renamedPath := mustAbsPath(filepath.Join("testdata", "renamed")) + + f, err := os.Create(testPath) + if err != nil { + t.Fatal(err) + } + f.Close() + fi, err := os.Stat(testPath) + if err != nil { + t.Fatal(err) + } + + cfg := fileScannerConfig{ + ExcludedFiles: nil, + Symlinks: false, + RecursiveGlob: false, + } + scanner, err := newFileScanner([]string{testPath, renamedPath}, cfg) + if err != nil { + t.Fatal(err) + } + w := fileWatcher{ + log: logp.L(), + scanner: scanner, + events: make(chan loginp.FSEvent), + } + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + go w.watch(ctx) + assert.Equal(t, loginp.FSEvent{Op: loginp.OpCreate, OldPath: "", NewPath: testPath, Info: fi}, w.Event()) + + err = os.Rename(testPath, renamedPath) + if err != nil { + t.Fatal(err) + } + defer os.Remove(renamedPath) + fi, err = os.Stat(renamedPath) + if err != nil { + t.Fatal(err) + } + + go w.watch(ctx) + assert.Equal(t, loginp.FSEvent{Op: loginp.OpRename, OldPath: testPath, NewPath: renamedPath, Info: fi}, w.Event()) +} + +type mockScanner struct { + files map[string]os.FileInfo +} + +func (m *mockScanner) GetFiles() map[string]os.FileInfo { + return m.files +} + +type testFileInfo struct { + path string + size int64 + time time.Time +} + +func (t testFileInfo) Name() string { return t.path } +func (t testFileInfo) Size() int64 { return t.size } +func (t testFileInfo) Mode() os.FileMode { return 0 } +func (t testFileInfo) ModTime() time.Time { return t.time } +func (t testFileInfo) IsDir() bool { return false } +func (t testFileInfo) Sys() interface{} { return nil } + +func mustAbsPath(path string) string { + p, err := filepath.Abs(path) + if err != nil { + panic(err) + } + return p +} + +func mustDuration(durStr string) time.Duration { + dur, err := time.ParseDuration(durStr) + if err != nil { + panic(err) + } + return dur +} diff --git a/filebeat/input/filestream/testdata/excluded_file b/filebeat/input/filestream/testdata/excluded_file new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/filebeat/input/filestream/testdata/included_file b/filebeat/input/filestream/testdata/included_file new file mode 100644 index 000000000000..e69de29bb2d1 diff --git a/filebeat/input/filestream/testdata/symlink_to_included_file b/filebeat/input/filestream/testdata/symlink_to_included_file new file mode 120000 index 000000000000..40824f3f7d3c --- /dev/null +++ b/filebeat/input/filestream/testdata/symlink_to_included_file @@ -0,0 +1 @@ +filebeat/input/filestream/testdata/included_file \ No newline at end of file From b8fd5fc333d3bffc83a6590f15d7109ac83acdc8 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Fri, 2 Oct 2020 13:03:56 +0200 Subject: [PATCH 14/18] Remove duplicated sources url in dependencies report (#21462) It was added by mistake as part of the license URL. --- dev-tools/dependencies-report | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-tools/dependencies-report b/dev-tools/dependencies-report index a2662a4ab9ac..928de5367ca4 100755 --- a/dev-tools/dependencies-report +++ b/dev-tools/dependencies-report @@ -48,7 +48,7 @@ go list -m -json all $@ | go run go.elastic.co/go-licence-detector \ # name,url,version,revision,license ubi8url='https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8' ubi8source='https://oss-dependencies.elastic.co/redhat/ubi/ubi-minimal-8-source.tar.gz' -ubilicense='Custom;https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf,https://oss-dependencies.elastic.co/redhat/ubi/ubi-minimal-8-source.tar.gz' +ubilicense='Custom;https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf' cat <> $outfile Red Hat Universal Base Image,$ubi8url,8,,$ubilicense,$ubi8source EOF From 79ddbbfb642eda785f5ef76206e65c5a1690f0e9 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Fri, 2 Oct 2020 12:12:52 +0100 Subject: [PATCH 15/18] [CI] Send slack message with build status (#21428) --- Jenkinsfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 119cea9b3abf..317a5c781e33 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -24,6 +24,7 @@ pipeline { PIPELINE_LOG_LEVEL = 'INFO' PYTEST_ADDOPTS = "${params.PYTEST_ADDOPTS}" RUNBLD_DISABLE_NOTIFICATIONS = 'true' + SLACK_CHANNEL = "#beats-ci-builds" TERRAFORM_VERSION = "0.12.24" XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' } @@ -121,7 +122,7 @@ pipeline { runbld(stashedTestReports: stashedTestReports, project: env.REPO) } cleanup { - notifyBuildResult(prComment: true) + notifyBuildResult(prComment: true, slackComment: true) } } } From 19453734455cc831422d236cdadc67e71ed5caba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 2 Oct 2020 13:13:31 +0200 Subject: [PATCH 16/18] Add new log file reader for filestream input (#21450) ## What does this PR do? This PR adds the new refactored version of the previous `Log` reader of the `log` input called `logFile`. The differences between the two readers are the following: * `logFile` calls `Stat` only once to avoid too many system calls (`Log` calls `Stat` 3 times after every read) * `logFile` starts separate go routines to check if `close.after_interval` or `close.inactive` has elapsed. `Log` checks `close_inactive` after every `Read`. Thus, if the output is blocked, it cannot stop the reader. * `logFile` does not check if the file has been removed or renamed if `close_removed` or `close_renamed` are enabled. Instead it is checked separately in the prospector, so if the output blocks, the reader can be closed. This prevents Filebeat keeping too many open files if the output is blocked. (The code mentioned is not yet included in any PR.) ## Why is it important? This is the improved version of the previous `log` reader. --- filebeat/input/filestream/config.go | 147 ++++++++++++++++ filebeat/input/filestream/filestream.go | 225 ++++++++++++++++++++++++ 2 files changed, 372 insertions(+) create mode 100644 filebeat/input/filestream/config.go create mode 100644 filebeat/input/filestream/filestream.go diff --git a/filebeat/input/filestream/config.go b/filebeat/input/filestream/config.go new file mode 100644 index 000000000000..93b232325945 --- /dev/null +++ b/filebeat/input/filestream/config.go @@ -0,0 +1,147 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "fmt" + "time" + + "github.com/dustin/go-humanize" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/reader/readfile" +) + +// Config stores the options of a file stream. +type config struct { + Paths []string `config:"paths"` + Close closerConfig `config:"close"` + FileWatcher *common.ConfigNamespace `config:"file_watcher"` + Reader readerConfig `config:"readers"` + FileIdentity *common.ConfigNamespace `config:"file_identity"` + CleanInactive time.Duration `config:"clean_inactive" validate:"min=0"` + CleanRemoved bool `config:"clean_removed"` + HarvesterLimit uint32 `config:"harvester_limit" validate:"min=0"` + IgnoreOlder time.Duration `config:"ignore_older"` +} + +type closerConfig struct { + OnStateChange stateChangeCloserConfig `config:"on_state_change"` + Reader readerCloserConfig `config:"reader"` +} + +type readerCloserConfig struct { + AfterInterval time.Duration + Inactive time.Duration + OnEOF bool +} + +type stateChangeCloserConfig struct { + CheckInterval time.Duration + Removed bool + Renamed bool +} + +// TODO should this be inline? +type readerConfig struct { + Backoff backoffConfig `config:"backoff"` + BufferSize int `config:"buffer_size"` + Encoding string `config:"encoding"` + ExcludeLines []match.Matcher `config:"exclude_lines"` + IncludeLines []match.Matcher `config:"include_lines"` + LineTerminator readfile.LineTerminator `config:"line_terminator"` + MaxBytes int `config:"message_max_bytes" validate:"min=0,nonzero"` + Tail bool `config:"seek_to_tail"` + + Parsers []*common.ConfigNamespace `config:"parsers"` // TODO multiline, json, syslog? +} + +type backoffConfig struct { + Init time.Duration `config:"init" validate:"nonzero"` + Max time.Duration `config:"max" validate:"nonzero"` +} + +func defaultConfig() config { + return config{ + Paths: []string{}, + Close: defaultCloserConfig(), + Reader: defaultReaderConfig(), + CleanInactive: 0, + CleanRemoved: true, + HarvesterLimit: 0, + IgnoreOlder: 0, + } +} + +func defaultCloserConfig() closerConfig { + return closerConfig{ + OnStateChange: stateChangeCloserConfig{ + CheckInterval: 5 * time.Second, + Removed: true, // TODO check clean_removed option + Renamed: false, + }, + Reader: readerCloserConfig{ + OnEOF: false, + Inactive: 0 * time.Second, + AfterInterval: 0 * time.Second, + }, + } +} + +func defaultReaderConfig() readerConfig { + return readerConfig{ + Backoff: backoffConfig{ + Init: 1 * time.Second, + Max: 10 * time.Second, + }, + BufferSize: 16 * humanize.KiByte, + LineTerminator: readfile.AutoLineTerminator, + MaxBytes: 10 * humanize.MiByte, + Tail: false, + Parsers: nil, + } +} + +func (c *config) Validate() error { + if len(c.Paths) == 0 { + return fmt.Errorf("no path is configured") + } + // TODO + //if c.CleanInactive != 0 && c.IgnoreOlder == 0 { + // return fmt.Errorf("ignore_older must be enabled when clean_inactive is used") + //} + + // TODO + //if c.CleanInactive != 0 && c.CleanInactive <= c.IgnoreOlder+c.ScanFrequency { + // return fmt.Errorf("clean_inactive must be > ignore_older + scan_frequency to make sure only files which are not monitored anymore are removed") + //} + + // TODO + //if c.JSON != nil && len(c.JSON.MessageKey) == 0 && + // c.Multiline != nil { + // return fmt.Errorf("When using the JSON decoder and multiline together, you need to specify a message_key value") + //} + + //if c.JSON != nil && len(c.JSON.MessageKey) == 0 && + // (len(c.IncludeLines) > 0 || len(c.ExcludeLines) > 0) { + // return fmt.Errorf("When using the JSON decoder and line filtering together, you need to specify a message_key value") + //} + + return nil +} diff --git a/filebeat/input/filestream/filestream.go b/filebeat/input/filestream/filestream.go new file mode 100644 index 000000000000..59f26ccca1b3 --- /dev/null +++ b/filebeat/input/filestream/filestream.go @@ -0,0 +1,225 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + "context" + "errors" + "io" + "os" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common/backoff" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +var ( + ErrFileTruncate = errors.New("detected file being truncated") + ErrClosed = errors.New("reader closed") +) + +// logFile contains all log related data +type logFile struct { + file *os.File + log *logp.Logger + ctx context.Context + cancelReading context.CancelFunc + + closeInactive time.Duration + closeAfterInterval time.Duration + closeOnEOF bool + + offset int64 + lastTimeRead time.Time + backoff backoff.Backoff + tg unison.TaskGroup +} + +// newFileReader creates a new log instance to read log sources +func newFileReader( + log *logp.Logger, + canceler input.Canceler, + f *os.File, + config readerConfig, + closerConfig readerCloserConfig, +) (*logFile, error) { + offset, err := f.Seek(0, os.SEEK_CUR) + if err != nil { + return nil, err + } + + l := &logFile{ + file: f, + log: log, + closeInactive: closerConfig.Inactive, + closeAfterInterval: closerConfig.AfterInterval, + closeOnEOF: closerConfig.OnEOF, + offset: offset, + lastTimeRead: time.Now(), + backoff: backoff.NewExpBackoff(canceler.Done(), config.Backoff.Init, config.Backoff.Max), + tg: unison.TaskGroup{}, + } + + l.ctx, l.cancelReading = ctxtool.WithFunc(ctxtool.FromCanceller(canceler), func() { + err := l.tg.Stop() + if err != nil { + l.log.Errorf("Error while stopping filestream logFile reader: %v", err) + } + }) + + l.startFileMonitoringIfNeeded() + + return l, nil +} + +// Read reads from the reader and updates the offset +// The total number of bytes read is returned. +func (f *logFile) Read(buf []byte) (int, error) { + totalN := 0 + + for f.ctx.Err() == nil { + n, err := f.file.Read(buf) + if n > 0 { + f.offset += int64(n) + f.lastTimeRead = time.Now() + } + totalN += n + + // Read from source completed without error + // Either end reached or buffer full + if err == nil { + // reset backoff for next read + f.backoff.Reset() + return totalN, nil + } + + // Move buffer forward for next read + buf = buf[n:] + + // Checks if an error happened or buffer is full + // If buffer is full, cannot continue reading. + // Can happen if n == bufferSize + io.EOF error + err = f.errorChecks(err) + if err != nil || len(buf) == 0 { + return totalN, err + } + + f.log.Debugf("End of file reached: %s; Backoff now.", f.file.Name()) + f.backoff.Wait() + } + + return 0, ErrClosed +} + +func (f *logFile) startFileMonitoringIfNeeded() { + if f.closeInactive == 0 && f.closeAfterInterval == 0 { + return + } + + if f.closeInactive > 0 { + f.tg.Go(func(ctx unison.Canceler) error { + f.closeIfTimeout(ctx) + return nil + }) + } + + if f.closeAfterInterval > 0 { + f.tg.Go(func(ctx unison.Canceler) error { + f.closeIfInactive(ctx) + return nil + }) + } +} + +func (f *logFile) closeIfTimeout(ctx unison.Canceler) { + timer := time.NewTimer(f.closeAfterInterval) + defer timer.Stop() + + for { + select { + case <-ctx.Done(): + return + case <-timer.C: + f.cancelReading() + return + } + } +} + +func (f *logFile) closeIfInactive(ctx unison.Canceler) { + // This can be made configureble if users need a more flexible + // cheking for inactive files. + ticker := time.NewTicker(5 * time.Minute) + defer ticker.Stop() + + for { + select { + case <-ctx.Done(): + return + case <-ticker.C: + age := time.Since(f.lastTimeRead) + if age > f.closeInactive { + f.cancelReading() + return + } + } + } +} + +// errorChecks determines the cause for EOF errors, and how the EOF event should be handled +// based on the config options. +func (f *logFile) errorChecks(err error) error { + if err != io.EOF { + f.log.Error("Unexpected state reading from %s; error: %s", f.file.Name(), err) + return err + } + + return f.handleEOF() +} + +func (f *logFile) handleEOF() error { + if f.closeOnEOF { + return io.EOF + } + + // Refetch fileinfo to check if the file was truncated. + // Errors if the file was removed/rotated after reading and before + // calling the stat function + info, statErr := f.file.Stat() + if statErr != nil { + f.log.Error("Unexpected error reading from %s; error: %s", f.file.Name(), statErr) + return statErr + } + + // check if file was truncated + if info.Size() < f.offset { + f.log.Debugf("File was truncated as offset (%d) > size (%d): %s", f.offset, info.Size(), f.file.Name()) + return ErrFileTruncate + } + + return nil +} + +// Close +func (f *logFile) Close() error { + f.cancelReading() + return f.file.Close() +} From 01dfa5e16eaccb2d650b89ddc5e724884f3e6c7f Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Fri, 2 Oct 2020 14:15:28 +0100 Subject: [PATCH 17/18] [CI] changeset from #20603 was not added to CI2.0 (#21464) --- Jenkinsfile.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Jenkinsfile.yml b/Jenkinsfile.yml index 2f720bf055b2..2278ea93735a 100644 --- a/Jenkinsfile.yml +++ b/Jenkinsfile.yml @@ -28,11 +28,13 @@ changeset: - "^\\.ci/scripts/.*" oss: - "^go.mod" + - "^pytest.ini" - "^dev-tools/.*" - "^libbeat/.*" - "^testing/.*" xpack: - "^go.mod" + - "^pytest.ini" - "^dev-tools/.*" - "^libbeat/.*" - "^testing/.*" From 35a76dfe2c3caa19969fde4484792355077b58e2 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Fri, 2 Oct 2020 14:16:06 +0100 Subject: [PATCH 18/18] [CI] Change x-pack/auditbeat build events (comments, labels) (#21463) --- x-pack/auditbeat/Jenkinsfile.yml | 8 ++++---- x-pack/packetbeat/Jenkinsfile.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/x-pack/auditbeat/Jenkinsfile.yml b/x-pack/auditbeat/Jenkinsfile.yml index fd73c10a1c5f..3bb96fbbc644 100644 --- a/x-pack/auditbeat/Jenkinsfile.yml +++ b/x-pack/auditbeat/Jenkinsfile.yml @@ -5,11 +5,11 @@ when: - "@ci" ## special token regarding the changeset for the ci - "@xpack" ## special token regarding the changeset for the xpack comments: ## when PR comment contains any of those entries - - "/test auditbeat" + - "/test x-pack/auditbeat" labels: ## when PR labels matches any of those entries - - "auditbeat" + - "x-pack-auditbeat" parameters: ## when parameter was selected in the UI. - - "auditbeat" + - "x-pack-auditbeat" tags: true ## for all the tags platform: "linux && ubuntu-18" ## default label for all the stages stages: @@ -22,7 +22,7 @@ stages: - "macosx" when: ## Override the top-level when. comments: - - "/test auditbeat for macos" + - "/test x-pack/auditbeat for macos" labels: - "macOS" parameters: diff --git a/x-pack/packetbeat/Jenkinsfile.yml b/x-pack/packetbeat/Jenkinsfile.yml index 8496265e0ac2..41257081e1f3 100644 --- a/x-pack/packetbeat/Jenkinsfile.yml +++ b/x-pack/packetbeat/Jenkinsfile.yml @@ -1,15 +1,15 @@ when: branches: true ## for all the branches changeset: ## when PR contains any of those entries in the changeset - - "^x-pack/winlogbeat/.*" + - "^x-pack/packetbeat/.*" - "@ci" ## special token regarding the changeset for the ci - "@xpack" ## special token regarding the changeset for the xpack comments: ## when PR comment contains any of those entries - - "/test x-pack/winlogbeat" + - "/test x-pack/packetbeat" labels: ## when PR labels matches any of those entries - - "x-pack-winlogbeat" + - "x-pack-packetbeat" parameters: ## when parameter was selected in the UI. - - "x-pack-winlogbeat" + - "x-pack-packetbeat" tags: true ## for all the tags platform: "linux && ubuntu-18" ## default label for all the stages stages: