From 8d21a79cf657e0c0ca9bd2db0b0229eb9a97497e Mon Sep 17 00:00:00 2001
From: Madison Caldwell
Date: Thu, 7 Apr 2022 11:46:14 -0400
Subject: [PATCH 1/2] Add fixtures for 7.17, 8.0, and 8.1

---
 .../security_solution/alerts/7.17.0/data.json | 3636 ++++++++
 .../alerts/7.17.0/mappings.json | 5825 ++++++++++++
 .../security_solution/alerts/8.0.0/data.json | 8127 ++++++++++++++++
 .../alerts/8.0.0/mappings.json | 5243 +++++++++++
 .../security_solution/alerts/8.1.0/data.json | 8186 +++++++++++++++++
 .../alerts/8.1.0/mappings.json | 5250 +++++++++++
 6 files changed, 36267 insertions(+)
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json
 create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/mappings.json

diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json
new file mode 100644
index 0000000000000..abfee31ed9d11
--- /dev/null
+++ b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json
@@ -0,0 +1,3636 @@ +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "31dfd9156a4b6f6b5b5dbbb9192275d2a129c6bf6c02a8becc2b207aba2c72e8", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.657Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.962Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "cWjdnn8BW0TS6Ffb-tK_", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "f2jenn8BW0TS6FfbC9LD", + "type": "event", + "index": 
"events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "f2jenn8BW0TS6FfbC9LD", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-1 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "f2jenn8BW0TS6FfbC9LD", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.657Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.657Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "7a6b11bce332d72f2c9183f2e6ce7c7c0b315d0c2b9bdd7be3da3baf7e07cdd6", + "_score": 1, + "_source": { + 
"agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.403Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.966Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "c2jdnn8BW0TS6Ffb_tJV", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "fGjenn8BW0TS6FfbCtLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "fGjenn8BW0TS6FfbCtLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": 
"dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-3 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "fGjenn8BW0TS6FfbCtLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.403Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.403Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "3b75ccc8c11a7406c33ea4788a3b19304e7ea096960514908a6edecbeda8954d", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.168Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.968Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "cmjdnn8BW0TS6Ffb_NIH", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "e2jenn8BW0TS6FfbCdLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "e2jenn8BW0TS6FfbCdLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + 
"created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-2 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "e2jenn8BW0TS6FfbCdLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.168Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.168Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "544216ab258232e89e74a119cc881845c5091542bf3dcb9cb4b86e01c8d0adbb", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + 
}, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.921Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.969Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "cWjdnn8BW0TS6Ffb-tK_", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "emjenn8BW0TS6FfbCNLd", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "emjenn8BW0TS6FfbCNLd", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + 
"author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-1 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "emjenn8BW0TS6FfbCNLd", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:23.921Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.921Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "baa027f490cd6f773fed0829e6ae5ce44168ff33399a4c79ba02d4f43cb55b3c", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + 
"hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.344Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.970Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "c2jdnn8BW0TS6Ffb_tJV", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "eWjenn8BW0TS6FfbB9Lm", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "eWjenn8BW0TS6FfbB9Lm", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + 
"version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-3 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "eWjenn8BW0TS6FfbB9Lm", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:23.344Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.344Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "c8b7576b53cbd54d5fa90ad1087db08424ee00bff008f02551decb14db61e4b7", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + 
"containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.011Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.971Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "cmjdnn8BW0TS6Ffb_NIH", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "eGjenn8BW0TS6FfbBdKn", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "eGjenn8BW0TS6FfbBdKn", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + 
"entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-2 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "eGjenn8BW0TS6FfbBdKn", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:23.011Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.011Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "0bab7081b4a922419c8362dd23942b486dac5e9592c8721eec7601b200687d59", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.678Z", + "dataset": "elastic_agent.filebeat", + 
"kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.972Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "cWjdnn8BW0TS6Ffb-tK_", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "d2jenn8BW0TS6FfbBNJb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "d2jenn8BW0TS6FfbBNJb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": 
"event on security-linux-1 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "d2jenn8BW0TS6FfbBNJb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:22.678Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.678Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "23dbc3b93eab372449a1b1897d77dc22d5a517edcb31bb1e53fe89ff727cedd9", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.425Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.973Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + 
"threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "c2jdnn8BW0TS6Ffb_tJV", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "dmjenn8BW0TS6FfbA9IO", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "dmjenn8BW0TS6FfbA9IO", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-3 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "dmjenn8BW0TS6FfbA9IO", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": 
"2022-03-18T21:10:22.425Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.425Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "7c79f8e0402c5d2589332a790cd01db7468a2badc07918de7683b293c2e8d2d5", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.850Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.974Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "cmjdnn8BW0TS6Ffb_NIH", + "index": "threat-index-000001", + "type": "indicator_match_rule" 
+ } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "dWjenn8BW0TS6FfbAtIS", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "dWjenn8BW0TS6FfbAtIS", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-2 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "dWjenn8BW0TS6FfbAtIS", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:21.850Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.850Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "d2a22b3c06c96b95ba412cf0891a624feff450e07b5572624f45040f023e55e9", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.471Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:45.975Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "cWjdnn8BW0TS6Ffb-tK_", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "dGjdnn8BW0TS6Ffb_9Kl", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": 
"dGjdnn8BW0TS6Ffb_9Kl", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "threat-match-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:42.108Z", + "updated_at": "2022-03-18T21:10:43.879Z", + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "reason": "event on security-linux-1 created low alert threat-match-rule.", + "depth": 1, + "parent": { + "id": "dGjdnn8BW0TS6Ffb_9Kl", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:21.471Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.471Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "d562cd311acc9f7c21d0c58ce37fd6ce0559f959918ae158a33da0bcb2d4c3f9", + "_score": 1, + "_source": { + "@timestamp": "2022-03-18T21:10:40.883Z", + "host.name": 
"security-linux-1", + "event": { + "kind": "signal" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "865578ab-d427-554f-81f2-0b14c96229a7", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "865578ab-d427-554f-81f2-0b14c96229a7", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "db2ea020-a6ff-11ec-a34d-a33078cca37b", + "actions": [], + "interval": "1m", + "name": "threshold-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:37.100Z", + "updated_at": "2022-03-18T21:10:38.800Z", + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d36d0212-a9fe-4346-bff0-78b4877ff2d4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "reason": "event created low alert threshold-rule.", + "depth": 1, + "parent": { + "id": "865578ab-d427-554f-81f2-0b14c96229a7", + "type": "event", + "index": "events-index-*", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.657Z", + "threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-1" + } + ], + "count": 4, + "from": "2022-03-18T11:10:40.838Z" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "a7c7ecc631c7a7b5c96ff876cd4252001910bfdfacbd9e295652d4bde7ca5ada", + "_score": 1, + "_source": { + 
"@timestamp": "2022-03-18T21:10:40.884Z", + "host.name": "security-linux-2", + "event": { + "kind": "signal" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "2ff92aec-17cc-5ed6-9ce4-c02f1281c39f", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "2ff92aec-17cc-5ed6-9ce4-c02f1281c39f", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "db2ea020-a6ff-11ec-a34d-a33078cca37b", + "actions": [], + "interval": "1m", + "name": "threshold-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:37.100Z", + "updated_at": "2022-03-18T21:10:38.800Z", + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d36d0212-a9fe-4346-bff0-78b4877ff2d4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "reason": "event created low alert threshold-rule.", + "depth": 1, + "parent": { + "id": "2ff92aec-17cc-5ed6-9ce4-c02f1281c39f", + "type": "event", + "index": "events-index-*", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.168Z", + "threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-2" + } + ], + "count": 3, + "from": "2022-03-18T11:10:40.838Z" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": 
"bf0fcc35981aa44baaee5ca466e8ee956636c82a3cd9fa9dae48c55603df37b9", + "_score": 1, + "_source": { + "@timestamp": "2022-03-18T21:10:40.884Z", + "host.name": "security-linux-3", + "event": { + "kind": "signal" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "1aa42cf4-ba9e-57d4-9912-1f923a852f0b", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "1aa42cf4-ba9e-57d4-9912-1f923a852f0b", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "db2ea020-a6ff-11ec-a34d-a33078cca37b", + "actions": [], + "interval": "1m", + "name": "threshold-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:37.100Z", + "updated_at": "2022-03-18T21:10:38.800Z", + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d36d0212-a9fe-4346-bff0-78b4877ff2d4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "reason": "event created low alert threshold-rule.", + "depth": 1, + "parent": { + "id": "1aa42cf4-ba9e-57d4-9912-1f923a852f0b", + "type": "event", + "index": "events-index-*", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.403Z", + "threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-3" + } + ], + "count": 3, + "from": "2022-03-18T11:10:40.838Z" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "217fc346273e4a37ef7c4ec55f52409df5d19942854c0e144516d133cc5442bc", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.471Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.769Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "dGjdnn8BW0TS6Ffb_9Kl", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "dGjdnn8BW0TS6Ffb_9Kl", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": 
[], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-1 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "dGjdnn8BW0TS6Ffb_9Kl", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:21.471Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.471Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "5c27171e8a09b61d82bf4428835ea796c37c76b06585aec3208aecbc3bff8848", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + 
"ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.850Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.773Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "dWjenn8BW0TS6FfbAtIS", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "dWjenn8BW0TS6FfbAtIS", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on 
security-linux-2 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "dWjenn8BW0TS6FfbAtIS", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:21.850Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:21.850Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "023cadbb328c1537a3e2f0acee3e4daf4aa2d101f932762a86a5cf42628c9cd9", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.425Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.774Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { 
+ "version": 57 + }, + "parents": [ + { + "id": "dmjenn8BW0TS6FfbA9IO", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "dmjenn8BW0TS6FfbA9IO", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-3 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "dmjenn8BW0TS6FfbA9IO", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:22.425Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.425Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "c900ef94ef10ba2c28e323f79dfb305b3eac2be0a8d8c154e5b520fb02055186", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.678Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.775Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "d2jenn8BW0TS6FfbBNJb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "d2jenn8BW0TS6FfbBNJb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + 
"false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-1 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "d2jenn8BW0TS6FfbBNJb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:22.678Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:22.678Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "56f8c326f10733ca517549799e59b82349850747998dde7779ca65e711ea4aac", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": 
"security-linux-2", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.011Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.776Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "eGjenn8BW0TS6FfbBdKn", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "eGjenn8BW0TS6FfbBdKn", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-2 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "eGjenn8BW0TS6FfbBdKn", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:23.011Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.011Z", + "dataset": 
"elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "12337125cc40a91dd96b21d4cb62f36e8e5ed11d9772d21950039f8e755d231d", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.344Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.777Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "eWjenn8BW0TS6FfbB9Lm", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "eWjenn8BW0TS6FfbB9Lm", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": 
"d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-3 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "eWjenn8BW0TS6FfbB9Lm", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:23.344Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.344Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "172528411cae0ff2a41f42ce6cabcec7bafd6a9d5238c7016b8b8548675f827c", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": 
"g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.921Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.778Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "emjenn8BW0TS6FfbCNLd", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "emjenn8BW0TS6FfbCNLd", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", 
+ "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-1 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "emjenn8BW0TS6FfbCNLd", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:23.921Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:23.921Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "4d024b3f9134c10ee1acc3ba4899b39a32c714780aa9037435fae372a7a0dd8c", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.168Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.779Z", + "data_stream": { + "namespace": 
"default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "e2jenn8BW0TS6FfbCdLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "e2jenn8BW0TS6FfbCdLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-2 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "e2jenn8BW0TS6FfbCdLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.168Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.168Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "156c5c290ce493043502367b57adb0e9a9761a9c19c861479fb19d5f4147c2c4", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", 
+ "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.403Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.780Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "fGjenn8BW0TS6FfbCtLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "fGjenn8BW0TS6FfbCtLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + 
"license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-3 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "fGjenn8BW0TS6FfbCtLM", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.403Z", + "original_event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.403Z", + "dataset": "elastic_agent.filebeat" + } + } + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".siem-signals-default-000001-7.17.0", + "_type": "_doc", + "_id": "09fba1b7d25dd17478a815fb5a0a616f7f09ad8c93bb5404caac1b0f55172e3b", + "_score": 1, + "_source": { + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "7.17.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "7.17.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": 
"debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2022-03-18T21:10:24.657Z", + "dataset": "elastic_agent.filebeat", + "kind": "signal" + }, + "service.name": "filebeat", + "message": "Status message.", + "@timestamp": "2022-03-18T21:10:31.782Z", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "signal": { + "_meta": { + "version": 57 + }, + "parents": [ + { + "id": "f2jenn8BW0TS6FfbC9LD", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "ancestors": [ + { + "id": "f2jenn8BW0TS6FfbC9LD", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "status": "open", + "rule": { + "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", + "actions": [], + "interval": "1m", + "name": "query-rule", + "tags": [], + "enabled": true, + "created_by": "elastic", + "updated_by": "elastic", + "throttle": null, + "created_at": "2022-03-18T21:10:29.079Z", + "updated_at": "2022-03-18T21:10:29.677Z", + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "output_index": ".siem-signals-default-000001", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "reason": "event on security-linux-1 created low alert query-rule.", + "depth": 1, + "parent": { + "id": "f2jenn8BW0TS6FfbC9LD", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + "original_time": "2022-03-18T21:10:24.657Z", + "original_event": { + "agent_id_status": 
"verified",
+ "ingested": "2022-03-18T21:10:24.657Z",
+ "dataset": "elastic_agent.filebeat"
+ }
+ }
+ }
+ }
+}
+
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json
new file mode 100644
index 0000000000000..5b241ee374260
--- /dev/null
+++ b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json
@@ -0,0 +1,5825 @@ +{ + "type": "index", + "value": { + "aliases": { + ".siem-signals-default": { + "is_write_index": true + } + }, + "index": ".siem-signals-default-000001-7.17.0", + "mappings": { + "dynamic": "false", + "_meta": { + "version": 57, + "aliases_version": 1 + }, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ephemeral_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + } + } + }, + "client": { + "properties": { + "address": { + "type": "keyword", + "ignore_above": 1024 + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": 
"keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "user": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "availability_zone": { + "type": "keyword", + "ignore_above": 1024 + }, + "instance": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + 
"machine": { + "properties": { + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "provider": { + "type": "keyword", + "ignore_above": 1024 + }, + "region": { + "type": "keyword", + "ignore_above": 1024 + }, + "service": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "image": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "tag": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "runtime": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "keyword" + }, + "namespace": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "type": "keyword", + "ignore_above": 1024 + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, 
+ "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "user": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + 
"type": "boolean" + }, + "signing_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "status": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "team_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + }, + "ssdeep": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "company": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "file_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "imphash": { + "type": "keyword", + "ignore_above": 1024 + }, + "original_file_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + "data": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "ttl": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "header_flags": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "op_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "question": { + "properties": { + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"name": { + "type": "keyword", + "ignore_above": 1024 + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ecs": { + "properties": { + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "error": { + "properties": { + "code": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "message": { + "type": "text", + "norms": false + }, + "stack_trace": { + "type": "keyword", + "index": false, + "doc_values": false, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword", + "ignore_above": 1024 + }, + "agent_id_status": { + "type": "keyword", + "ignore_above": 1024 + }, + "category": { + "type": "keyword", + "ignore_above": 1024 + }, + "code": { + "type": "keyword", + "ignore_above": 1024 + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword", + "ignore_above": 1024 + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword", + "ignore_above": 1024 + }, + "module": { + "type": "keyword", + "ignore_above": 1024 + }, + "original": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "outcome": { + "type": "keyword", + "ignore_above": 1024 + }, + "provider": { + "type": "keyword", + "ignore_above": 
1024 + }, + "reason": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "url": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword", + "ignore_above": 1024 + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "status": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "team_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword", + "ignore_above": 1024 + }, + "directory": { + "type": "keyword", + "ignore_above": 1024 + }, + "drive_letter": { + "type": "keyword", + "ignore_above": 1 + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "byte_order": { + "type": "keyword", + "ignore_above": 1024 + }, + "cpu_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + "data": { + "type": "keyword", + "ignore_above": 1024 + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword", + "ignore_above": 
1024 + }, + "os_abi": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_offset": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "shared_libraries": { + "type": "keyword", + "ignore_above": 1024 + }, + "telfhash": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "extension": { + "type": "keyword", + "ignore_above": 1024 + }, + "gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "group": { + "type": "keyword", + "ignore_above": 1024 + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + }, + "ssdeep": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "inode": { + "type": "keyword", + "ignore_above": 1024 + }, + "mime_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "mode": { + "type": "keyword", + "ignore_above": 1024 + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "owner": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + 
"type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "company": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "file_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "imphash": { + "type": "keyword", + "ignore_above": 1024 + }, + "original_file_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "uid": { + "type": "keyword", + "ignore_above": 1024 + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword", + "ignore_above": 1024 + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_curve": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_exponent": { + "type": "long", + "index": false, + "doc_values": false + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"signature_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "version_number": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "cpu": { + "properties": { + "usage": { + "type": "scaled_float", + "scaling_factor": 1000 + } + } + }, + "disk": { + "properties": { + 
"read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hostname": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "type": "keyword", + "ignore_above": 1024 + }, + "full": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "kernel": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "caseless": { + "type": "keyword", + "ignore_above": 1024, + "normalizer": "lowercase" + }, + "text": { + "type": 
"text", + "norms": false + } + } + }, + "platform": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "method": { + "type": "keyword", + "ignore_above": 1024 + }, + "mime_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "referrer": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + }, + "bytes": { + 
"type": "long" + }, + "mime_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "interface": { + "properties": { + "alias": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "type": "alias", + "path": "signal.ancestors.depth" + }, + "id": { + "type": "alias", + "path": "signal.ancestors.id" + }, + "index": { + "type": "alias", + "path": "signal.ancestors.index" + }, + "type": { + "type": "alias", + "path": "signal.ancestors.type" + } + } + }, + "depth": { + "type": "alias", + "path": "signal.depth" + }, + "original_event": { + "properties": { + "action": { + "type": "alias", + "path": "signal.original_event.action" + }, + "category": { + "type": "alias", + "path": "signal.original_event.category" + }, + "code": { + "type": "alias", + "path": "signal.original_event.code" + }, + "created": { + "type": "alias", + "path": "signal.original_event.created" + }, + "dataset": { + "type": "alias", + "path": "signal.original_event.dataset" + }, + "duration": { + "type": "alias", + "path": "signal.original_event.duration" + }, + "end": { + "type": "alias", + "path": "signal.original_event.end" + }, + "hash": { + "type": "alias", + "path": "signal.original_event.hash" + }, + "id": { + "type": "alias", + "path": "signal.original_event.id" + }, + "kind": { + "type": "alias", + "path": "signal.original_event.kind" + }, + "module": { + "type": "alias", + "path": "signal.original_event.module" + }, + "outcome": { + "type": "alias", + "path": "signal.original_event.outcome" + }, + "provider": { + "type": "alias", + "path": "signal.original_event.provider" + }, + "reason": { + "type": "alias", + "path": 
"signal.original_event.reason" + }, + "risk_score": { + "type": "alias", + "path": "signal.original_event.risk_score" + }, + "risk_score_norm": { + "type": "alias", + "path": "signal.original_event.risk_score_norm" + }, + "sequence": { + "type": "alias", + "path": "signal.original_event.sequence" + }, + "severity": { + "type": "alias", + "path": "signal.original_event.severity" + }, + "start": { + "type": "alias", + "path": "signal.original_event.start" + }, + "timezone": { + "type": "alias", + "path": "signal.original_event.timezone" + }, + "type": { + "type": "alias", + "path": "signal.original_event.type" + } + } + }, + "original_time": { + "type": "alias", + "path": "signal.original_time" + }, + "reason": { + "type": "alias", + "path": "signal.reason" + }, + "risk_score": { + "type": "alias", + "path": "signal.rule.risk_score" + }, + "rule": { + "properties": { + "author": { + "type": "alias", + "path": "signal.rule.author" + }, + "building_block_type": { + "type": "alias", + "path": "signal.rule.building_block_type" + }, + "created_at": { + "type": "alias", + "path": "signal.rule.created_at" + }, + "created_by": { + "type": "alias", + "path": "signal.rule.created_by" + }, + "description": { + "type": "alias", + "path": "signal.rule.description" + }, + "enabled": { + "type": "alias", + "path": "signal.rule.enabled" + }, + "false_positives": { + "type": "alias", + "path": "signal.rule.false_positives" + }, + "from": { + "type": "alias", + "path": "signal.rule.from" + }, + "immutable": { + "type": "alias", + "path": "signal.rule.immutable" + }, + "index": { + "type": "alias", + "path": "signal.rule.index" + }, + "interval": { + "type": "alias", + "path": "signal.rule.interval" + }, + "language": { + "type": "alias", + "path": "signal.rule.language" + }, + "license": { + "type": "alias", + "path": "signal.rule.license" + }, + "max_signals": { + "type": "alias", + "path": "signal.rule.max_signals" + }, + "name": { + "type": "alias", + "path": "signal.rule.name" + 
}, + "note": { + "type": "alias", + "path": "signal.rule.note" + }, + "query": { + "type": "alias", + "path": "signal.rule.query" + }, + "references": { + "type": "alias", + "path": "signal.rule.references" + }, + "risk_score_mapping": { + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.risk_score_mapping.field" + }, + "operator": { + "type": "alias", + "path": "signal.rule.risk_score_mapping.operator" + }, + "value": { + "type": "alias", + "path": "signal.rule.risk_score_mapping.value" + } + } + }, + "rule_id": { + "type": "alias", + "path": "signal.rule.rule_id" + }, + "rule_name_override": { + "type": "alias", + "path": "signal.rule.rule_name_override" + }, + "saved_id": { + "type": "alias", + "path": "signal.rule.saved_id" + }, + "severity_mapping": { + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.severity_mapping.field" + }, + "operator": { + "type": "alias", + "path": "signal.rule.severity_mapping.operator" + }, + "severity": { + "type": "alias", + "path": "signal.rule.severity_mapping.severity" + }, + "value": { + "type": "alias", + "path": "signal.rule.severity_mapping.value" + } + } + }, + "tags": { + "type": "alias", + "path": "signal.rule.tags" + }, + "threat": { + "properties": { + "framework": { + "type": "alias", + "path": "signal.rule.threat.framework" + }, + "tactic": { + "properties": { + "id": { + "type": "alias", + "path": "signal.rule.threat.tactic.id" + }, + "name": { + "type": "alias", + "path": "signal.rule.threat.tactic.name" + }, + "reference": { + "type": "alias", + "path": "signal.rule.threat.tactic.reference" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "alias", + "path": "signal.rule.threat.technique.id" + }, + "name": { + "type": "alias", + "path": "signal.rule.threat.technique.name" + }, + "reference": { + "type": "alias", + "path": "signal.rule.threat.technique.reference" + }, + "subtechnique": { + "properties": { + "id": { + "type": "alias", + "path": 
"signal.rule.threat.technique.subtechnique.id" + }, + "name": { + "type": "alias", + "path": "signal.rule.threat.technique.subtechnique.name" + }, + "reference": { + "type": "alias", + "path": "signal.rule.threat.technique.subtechnique.reference" + } + } + } + } + } + } + }, + "threat_index": { + "type": "alias", + "path": "signal.rule.threat_index" + }, + "threat_indicator_path": { + "type": "alias", + "path": "signal.rule.threat_indicator_path" + }, + "threat_language": { + "type": "alias", + "path": "signal.rule.threat_language" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.threat_mapping.entries.field" + }, + "type": { + "type": "alias", + "path": "signal.rule.threat_mapping.entries.type" + }, + "value": { + "type": "alias", + "path": "signal.rule.threat_mapping.entries.value" + } + } + } + } + }, + "threat_query": { + "type": "alias", + "path": "signal.rule.threat_query" + }, + "threshold": { + "properties": { + "field": { + "type": "alias", + "path": "signal.rule.threshold.field" + }, + "value": { + "type": "alias", + "path": "signal.rule.threshold.value" + } + } + }, + "timeline_id": { + "type": "alias", + "path": "signal.rule.timeline_id" + }, + "timeline_title": { + "type": "alias", + "path": "signal.rule.timeline_title" + }, + "to": { + "type": "alias", + "path": "signal.rule.to" + }, + "type": { + "type": "alias", + "path": "signal.rule.type" + }, + "updated_at": { + "type": "alias", + "path": "signal.rule.updated_at" + }, + "updated_by": { + "type": "alias", + "path": "signal.rule.updated_by" + }, + "uuid": { + "type": "alias", + "path": "signal.rule.id" + }, + "version": { + "type": "alias", + "path": "signal.rule.version" + } + } + }, + "severity": { + "type": "alias", + "path": "signal.rule.severity" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "alias", + "path": 
"signal.threshold_result.cardinality.field" + }, + "value": { + "type": "alias", + "path": "signal.threshold_result.cardinality.value" + } + } + }, + "count": { + "type": "alias", + "path": "signal.threshold_result.count" + }, + "from": { + "type": "alias", + "path": "signal.threshold_result.from" + }, + "terms": { + "properties": { + "field": { + "type": "alias", + "path": "signal.threshold_result.terms.field" + }, + "value": { + "type": "alias", + "path": "signal.threshold_result.terms.value" + } + } + } + } + }, + "workflow_status": { + "type": "alias", + "path": "signal.status" + } + } + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "level": { + "type": "keyword", + "ignore_above": 1024 + }, + "logger": { + "type": "keyword", + "ignore_above": 1024 + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "integer" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "function": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "original": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + } + } + }, + "message": { + "type": "text", + "norms": false + }, + "network": { + "properties": { + "application": { + "type": "keyword", + "ignore_above": 1024 + }, + "bytes": { + "type": "long" + }, + "community_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "direction": { + "type": "keyword", + "ignore_above": 1024 + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "packets": { + "type": "long" + }, + "protocol": { + "type": "keyword", + "ignore_above": 1024 + }, + "transport": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "vlan": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "zone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hostname": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "zone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "os": { + "properties": { + "family": { + "type": "keyword", + "ignore_above": 1024 + }, + "full": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "kernel": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "platform": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + }, + "serial_number": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "vendor": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "cluster": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "url": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "namespace": { + "type": "keyword", + "ignore_above": 1024 
+ }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "resource": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "organization": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + }, + "os": { + "properties": { + "family": { + "type": "keyword", + "ignore_above": 1024 + }, + "full": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "kernel": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "platform": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "package": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "build_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "checksum": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "install_scope": { + "type": "keyword", + "ignore_above": 1024 + }, + "installed": { + "type": "date" + }, + "license": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "size": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "pe": { + "properties": { + "company": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "file_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "original_file_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword", + "ignore_above": 1024 + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "status": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "team_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "byte_order": { + "type": "keyword", + "ignore_above": 1024 + }, + "cpu_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + "data": { + "type": "keyword", + "ignore_above": 1024 + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "os_abi": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": 
{ + "type": "long" + }, + "flags": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_offset": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "shared_libraries": { + "type": "keyword", + "ignore_above": 1024 + }, + "telfhash": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "entity_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "executable": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + }, + "ssdeep": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "parent": { + "properties": { + "args": { + "type": "keyword", + "ignore_above": 1024 + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "status": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "team_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + }, + "valid": 
{ + "type": "boolean" + } + } + }, + "command_line": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "byte_order": { + "type": "keyword", + "ignore_above": 1024 + }, + "cpu_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + "data": { + "type": "keyword", + "ignore_above": 1024 + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "os_abi": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_offset": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "shared_libraries": { + "type": "keyword", + "ignore_above": 1024 + }, + "telfhash": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "entity_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "executable": { + 
"type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + }, + "ssdeep": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "company": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "file_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "imphash": { + "type": "keyword", + "ignore_above": 1024 + }, + "original_file_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "title": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "company": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "file_version": { + "type": 
"keyword", + "ignore_above": 1024 + }, + "imphash": { + "type": "keyword", + "ignore_above": 1024 + }, + "original_file_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "title": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword", + "ignore_above": 1024 + }, + "strings": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hive": { + "type": "keyword", + "ignore_above": 1024 + }, + "key": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "value": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "related": { + "properties": { + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "hosts": { + "type": "keyword", + "ignore_above": 1024 + }, + "ip": { + "type": "ip" + }, + "user": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "rule": { + "properties": { + "author": { + "type": "keyword", + "ignore_above": 1024 + }, + "category": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "license": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "ruleset": { + "type": "keyword", + "ignore_above": 1024 + }, + "uuid": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "server": { + "properties": { + "address": { + "type": "keyword", + "ignore_above": 1024 + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "user": { + "properties": 
{ + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "node": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "state": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "signal": { + "properties": { + "_meta": { + "properties": { + "version": { + "type": "long" + } + } + }, + "ancestors": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "depth": { + "type": "integer" + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": 
"date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword", + "index": false, + "doc_values": false + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "original_signal": { + "type": "object", + "dynamic": "false", + "enabled": false + }, + "original_time": { + "type": "date" + }, + "parent": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "parents": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "reason": { + "type": "keyword" + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "created_by": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enabled": { + "type": "keyword" + }, + "false_positives": { + "type": "keyword" + }, + "filters": { + "type": "object" + }, + "from": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "immutable": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "interval": { + "type": "keyword" + }, + "language": { + "type": "keyword" + }, + "license": { + 
"type": "keyword" + }, + "max_signals": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "note": { + "type": "text" + }, + "output_index": { + "type": "keyword" + }, + "query": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_mapping": { + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "rule_id": { + "type": "keyword" + }, + "rule_name_override": { + "type": "keyword" + }, + "saved_id": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "severity_mapping": { + "properties": { + "field": { + "type": "keyword" + }, + "operator": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "size": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "threat_filters": { + "type": "object" + }, + "threat_index": { + "type": "keyword" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "threat_query": { + "type": "keyword" + }, + "threshold": { + "properties": { + "field": { + "type": "keyword" + }, + 
"value": { + "type": "float" + } + } + }, + "timeline_id": { + "type": "keyword" + }, + "timeline_title": { + "type": "keyword" + }, + "timestamp_override": { + "type": "keyword" + }, + "to": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "status": { + "type": "keyword" + }, + "threshold_count": { + "type": "float" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + }, + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + } + } + }, + "source": { + "properties": { + "address": { + "type": "keyword", + "ignore_above": 1024 + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": 
"keyword", + "ignore_above": 1024 + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword", + "ignore_above": 1024 + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "user": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "span": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "tags": { + "type": "keyword", + "ignore_above": 1024 + }, + "threat": { + "properties": { + "enrichments": { + "type": "nested", + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + } + } + } + } + }, + "confidence": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": 
"keyword", + "ignore_above": 1024 + }, + "email": { + "properties": { + "address": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword", + "ignore_above": 1024 + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "status": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "team_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword", + "ignore_above": 1024 + }, + "directory": { + "type": "keyword", + "ignore_above": 1024 + }, + "drive_letter": { + "type": "keyword", + "ignore_above": 1 + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "byte_order": { + "type": "keyword", + "ignore_above": 1024 + }, + "cpu_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "class": { + "type": "keyword", + "ignore_above": 1024 + }, + "data": { + "type": "keyword", + "ignore_above": 1024 + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "os_abi": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + 
"type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_offset": { + "type": "keyword", + "ignore_above": 1024 + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "shared_libraries": { + "type": "keyword", + "ignore_above": 1024 + }, + "telfhash": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "extension": { + "type": "keyword", + "ignore_above": 1024 + }, + "gid": { + "type": "keyword", + "ignore_above": 1024 + }, + "group": { + "type": "keyword", + "ignore_above": 1024 + }, + "inode": { + "type": "keyword", + "ignore_above": 1024 + }, + "mime_type": { + "type": "keyword", + "ignore_above": 1024 + }, + "mode": { + "type": "keyword", + "ignore_above": 1024 + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "owner": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "uid": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "continent_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country_iso_code": { + "type": 
"keyword", + "ignore_above": 1024 + }, + "country_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "postal_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_iso_code": { + "type": "keyword", + "ignore_above": 1024 + }, + "region_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "timezone": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha512": { + "type": "keyword", + "ignore_above": 1024 + }, + "ssdeep": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "modified_at": { + "type": "date" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword", + "ignore_above": 1024 + }, + "company": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024 + }, + "file_version": { + "type": "keyword", + "ignore_above": 1024 + }, + "imphash": { + "type": "keyword", + "ignore_above": 1024 + }, + "original_file_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "product": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword", + "ignore_above": 1024 + }, + "strings": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hive": { + 
"type": "keyword", + "ignore_above": 1024 + }, + "key": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "value": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "url": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "extension": { + "type": "keyword", + "ignore_above": 1024 + }, + "fragment": { + "type": "keyword", + "ignore_above": 1024 + }, + "full": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "original": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "password": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword", + "ignore_above": 1024 + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "scheme": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "username": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword", + "ignore_above": 1024 + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_curve": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_exponent": { + "type": "long", + "index": false, + "doc_values": false + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword", + "ignore_above": 1024 + }, + "signature_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "version_number": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "matched": { + "properties": { + "atomic": { + "type": "keyword", + "ignore_above": 1024 + }, + "field": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "index": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "framework": { + "type": "keyword", + "ignore_above": 1024 + }, + "group": { + "properties": { + "alias": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "software": { + "properties": { + "id": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "platforms": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "tactic": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "type": "keyword", + "ignore_above": 1024 + }, + "client": { + "properties": { + "certificate": { + "type": "keyword", + "ignore_above": 1024 + }, + "certificate_chain": { + "type": "keyword", + "ignore_above": 1024 + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "issuer": { + "type": "keyword", + "ignore_above": 1024 + }, + "ja3": { + "type": "keyword", + "ignore_above": 1024 + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject": { + "type": "keyword", + "ignore_above": 1024 + }, + "supported_ciphers": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword", + "ignore_above": 1024 + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_curve": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_exponent": { + "type": "long", + "index": false, + "doc_values": false + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword", + "ignore_above": 1024 + }, + "signature_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "version_number": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "curve": { + "type": "keyword", + "ignore_above": 1024 + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "type": "keyword", + "ignore_above": 1024 + }, + "resumed": { + "type": 
"boolean" + }, + "server": { + "properties": { + "certificate": { + "type": "keyword", + "ignore_above": 1024 + }, + "certificate_chain": { + "type": "keyword", + "ignore_above": 1024 + }, + "hash": { + "properties": { + "md5": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha1": { + "type": "keyword", + "ignore_above": 1024 + }, + "sha256": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "issuer": { + "type": "keyword", + "ignore_above": 1024 + }, + "ja3s": { + "type": "keyword", + "ignore_above": 1024 + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "type": "keyword", + "ignore_above": 1024 + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword", + "ignore_above": 1024 + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + "distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_curve": { + "type": "keyword", + "ignore_above": 1024 + }, + "public_key_exponent": { + "type": "long", + "index": false, + "doc_values": false + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword", + "ignore_above": 1024 + }, + "signature_algorithm": { + "type": "keyword", + "ignore_above": 1024 + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "country": { + "type": "keyword", + "ignore_above": 1024 + }, + 
"distinguished_name": { + "type": "keyword", + "ignore_above": 1024 + }, + "locality": { + "type": "keyword", + "ignore_above": 1024 + }, + "organization": { + "type": "keyword", + "ignore_above": 1024 + }, + "organizational_unit": { + "type": "keyword", + "ignore_above": 1024 + }, + "state_or_province": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "version_number": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + }, + "version_protocol": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "trace": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "transaction": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "url": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "extension": { + "type": "keyword", + "ignore_above": 1024 + }, + "fragment": { + "type": "keyword", + "ignore_above": 1024 + }, + "full": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "original": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "password": { + "type": "keyword", + "ignore_above": 1024 + }, + "path": { + "type": "keyword", + "ignore_above": 1024 + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword", + "ignore_above": 1024 + }, + "registered_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "scheme": { + "type": "keyword", + "ignore_above": 1024 + }, + "subdomain": { + "type": "keyword", + "ignore_above": 1024 + }, + "top_level_domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "username": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + 
"type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "effective": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + 
"type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + }, + "target": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "email": { + "type": "keyword", + "ignore_above": 1024 + }, + "full_name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "hash": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "roles": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + }, + "original": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "os": { + "properties": { + "family": { + "type": "keyword", + "ignore_above": 1024 + }, + "full": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "kernel": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "platform": { + "type": "keyword", + 
"ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "name": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "vulnerability": { + "properties": { + "category": { + "type": "keyword", + "ignore_above": 1024 + }, + "classification": { + "type": "keyword", + "ignore_above": 1024 + }, + "description": { + "type": "keyword", + "ignore_above": 1024, + "fields": { + "text": { + "type": "text", + "norms": false + } + } + }, + "enumeration": { + "type": "keyword", + "ignore_above": 1024 + }, + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "reference": { + "type": "keyword", + "ignore_above": 1024 + }, + "report_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "scanner": { + "properties": { + "vendor": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "severity": { + "type": "keyword", + "ignore_above": 1024 + } + } + } + } + }, + "settings": { + "index": { + "lifecycle": { + "name": ".siem-signals-default", + "rollover_alias": ".siem-signals-default" + }, + "routing": { + "allocation": { + "include": { + "_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_shards": "1", + "provided_name": ".siem-signals-default-000001", + "creation_date": "1647637827326", + "number_of_replicas": "1", + "uuid": "-jizlh0yQvSM5OkirjN63Q", + "version": { + "created": "7170099" + } + } + } + } +} \ No newline at end of file 
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json
new file mode 100644
index 0000000000000..c38f2265a4b08
--- /dev/null
+++ b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json
@@ -0,0 +1,8127 @@ +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "f749117366e32b88f62b01f8fc9070480e06e604fe6413b8a4dbf38910823a4d", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.854Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + 
"id": "FCC8nn8Bx5kiROf39Q9q", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.775Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ICC9nn8Bx5kiROf3Bw9I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": 
"low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.775Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "f749117366e32b88f62b01f8fc9070480e06e604fe6413b8a4dbf38910823a4d" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "ab8e0e674e9220cacec30eef777be624dd8f84b989c04c00b8f8b3361e76063c", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.857Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + 
"name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "FiC8nn8Bx5kiROf39w-A", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.199Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HyC9nn8Bx5kiROf3Bg8J", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + 
"version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "ab8e0e674e9220cacec30eef777be624dd8f84b989c04c00b8f8b3361e76063c" + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".internal.alerts-security.alerts-default", + "_id": "84155febd44edb828ee2f2a58066c695d8aba500fbba24f3127559f22e8cd9d1", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.860Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "FSC8nn8Bx5kiROf39g9R", + "index": "threat-index-000001", + 
"type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.858Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HiC9nn8Bx5kiROf3Aw_G", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + 
"kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "84155febd44edb828ee2f2a58066c695d8aba500fbba24f3127559f22e8cd9d1" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "fbeb58a2b777a9852c9500ea45b53133b74341dd5b479ee14bc16927fc40c14c", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.862Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": 
"8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "FCC8nn8Bx5kiROf39Q9q", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.515Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HSC9nn8Bx5kiROf3Ag9w", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + 
"immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "fbeb58a2b777a9852c9500ea45b53133b74341dd5b479ee14bc16927fc40c14c" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": 
"78b60c6a3c736c62d0439f07fc587bc6b79a6a9f682ffbb3f95c3c12422d8524", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.866Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "FiC8nn8Bx5kiROf39w-A", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + 
"event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.281Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HCC9nn8Bx5kiROf3AQ8d", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": 
[], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "78b60c6a3c736c62d0439f07fc587bc6b79a6a9f682ffbb3f95c3c12422d8524" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "fb6c54a130268bc365c0f92b231369c57869544c115c9df86dfb5e7de2c64901", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.868Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, 
+ "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "FSC8nn8Bx5kiROf39g9R", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.959Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GyC9nn8Bx5kiROf3AA80", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + 
"events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "fb6c54a130268bc365c0f92b231369c57869544c115c9df86dfb5e7de2c64901" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "15673548fc038cd5e0db2a6b10f42402f144aa5fb7840da6b83901af6dc20514", + "_score": 1, + 
"_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.870Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "FCC8nn8Bx5kiROf39Q9q", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.632Z", + 
"event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GiC8nn8Bx5kiROf3_g_t", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": 
"f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "15673548fc038cd5e0db2a6b10f42402f144aa5fb7840da6b83901af6dc20514" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "87b0b0b35babe61d801337f6787c1b0b091ed182fd7cc1537bab5edd55e45c5e", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.873Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": 
"elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "FiC8nn8Bx5kiROf39w-A", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.031Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GSC8nn8Bx5kiROf3_Q-m", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + 
"threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "87b0b0b35babe61d801337f6787c1b0b091ed182fd7cc1537bab5edd55e45c5e" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "eba57f5f68f5b30a23e61e072e590557cecf61587981bb5a4cf3ae3aae7d1924", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + 
"kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.875Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "FSC8nn8Bx5kiROf39g9R", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.429Z", + "event.dataset": "elastic_agent.filebeat", + 
"kibana.alert.ancestors": [ + { + "id": "GCC8nn8Bx5kiROf3-w9Q", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + 
"kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "eba57f5f68f5b30a23e61e072e590557cecf61587981bb5a4cf3ae3aae7d1924" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "a85253a6a45c8ce93f8c72b5926b501025503a857984f899ecee9469680ae199", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:37.877Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": 
"elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "FCC8nn8Bx5kiROf39Q9q", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.054Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "FyC8nn8Bx5kiROf3-A_I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + 
"entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.054Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "a85253a6a45c8ce93f8c72b5926b501025503a857984f899ecee9469680ae199" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "9d6cbb26fd21cf18390de874d9aa36630a649a467ede0895ec2ba7c99340b9a3", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Threshold Rule", + 
"kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threshold-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.thresholdRule", + "kibana.alert.rule.uuid": "d110d9a0-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:34.812Z", + "host.name": "security-linux-1", + "kibana.alert.ancestors": [ + { + "id": "6b00b0e4-854d-5689-8a81-01cf8af209a6", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event created low alert threshold-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:32.284Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:33.770Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threshold", + "kibana.alert.rule.description": "a simple threshold rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], 
+ "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", + "kibana.alert.threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-1" + } + ], + "count": 4, + "from": "2022-03-18T10:34:34.219Z" + }, + "event.kind": "signal", + "kibana.alert.uuid": "9d6cbb26fd21cf18390de874d9aa36630a649a467ede0895ec2ba7c99340b9a3" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "edfb451406abe4740f6d99b44b7bc6d2ce32d394c0adf2001fd25011641789dd", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Threshold Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threshold-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.thresholdRule", + "kibana.alert.rule.uuid": "d110d9a0-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:34.813Z", + "host.name": "security-linux-2", + "kibana.alert.ancestors": [ + { + "id": "7ab8b94f-87d5-560e-aa7b-32daa6ab5f72", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event created low alert threshold-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a 
simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:32.284Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:33.770Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threshold", + "kibana.alert.rule.description": "a simple threshold rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", + "kibana.alert.threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-2" + } + ], + "count": 3, + "from": "2022-03-18T10:34:34.219Z" + }, + "event.kind": "signal", + "kibana.alert.uuid": 
"edfb451406abe4740f6d99b44b7bc6d2ce32d394c0adf2001fd25011641789dd" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "5edc68060103d782e59a622cbfcf8cb3a183f3b21f2c9ab221983031d0cd4e64", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Threshold Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "threshold-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.thresholdRule", + "kibana.alert.rule.uuid": "d110d9a0-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:34.815Z", + "host.name": "security-linux-3", + "kibana.alert.ancestors": [ + { + "id": "c69a9b05-0217-58e5-8d09-64a60ef11c70", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event created low alert threshold-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:32.284Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", 
+ "kibana.alert.rule.updated_at": "2022-03-18T20:34:33.770Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threshold", + "kibana.alert.rule.description": "a simple threshold rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", + "kibana.alert.threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-3" + } + ], + "count": 3, + "from": "2022-03-18T10:34:34.219Z" + }, + "event.kind": "signal", + "kibana.alert.uuid": "5edc68060103d782e59a622cbfcf8cb3a183f3b21f2c9ab221983031d0cd4e64" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "c0e6bc0a2ed86d7f3488f72ee128ff4ac677b3ea5c8128775dd0a6ba5fa94e57", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.973Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + 
"version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.054Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "FyC8nn8Bx5kiROf3-A_I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + 
"references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.054Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "c0e6bc0a2ed86d7f3488f72ee128ff4ac677b3ea5c8128775dd0a6ba5fa94e57", + "kibana.alert.group.id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "f00619b71b4bb83e3c4b23644e428fba0656f8935847c9dfa1038fb13271ea82", + "_score": 1, 
+ "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.975Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.429Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GCC8nn8Bx5kiROf3-w9Q", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + 
"kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.agent_id_status": 
"verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "f00619b71b4bb83e3c4b23644e428fba0656f8935847c9dfa1038fb13271ea82", + "kibana.alert.group.id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.977Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": 
"logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + 
"kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "FyC8nn8Bx5kiROf3-A_I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "c0e6bc0a2ed86d7f3488f72ee128ff4ac677b3ea5c8128775dd0a6ba5fa94e57", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "GCC8nn8Bx5kiROf3-w9Q", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "f00619b71b4bb83e3c4b23644e428fba0656f8935847c9dfa1038fb13271ea82", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", + "kibana.alert.group.id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "eb8b8fe02c5fa92b62ea4016abf309e0825515e2859f7790435d328ce4fa24f1", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.980Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", 
+ "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.429Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GCC8nn8Bx5kiROf3-w9Q", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + 
"kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "eb8b8fe02c5fa92b62ea4016abf309e0825515e2859f7790435d328ce4fa24f1", + "kibana.alert.group.id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "b71ae13a141ecf7bda96cbd450e021b82627e9a6232b3fd2bad1227162f8095d", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + 
"kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.983Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.031Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GSC8nn8Bx5kiROf3_Q-m", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + 
"kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": 
"b71ae13a141ecf7bda96cbd450e021b82627e9a6232b3fd2bad1227162f8095d", + "kibana.alert.group.id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.984Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + 
"kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": 
"GCC8nn8Bx5kiROf3-w9Q", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "eb8b8fe02c5fa92b62ea4016abf309e0825515e2859f7790435d328ce4fa24f1", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "GSC8nn8Bx5kiROf3_Q-m", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "b71ae13a141ecf7bda96cbd450e021b82627e9a6232b3fd2bad1227162f8095d", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", + "kibana.alert.group.id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "f757a7a330f9750adee240bac8ceba9f6d6e0c3d51f5e53e3868d53abdc48833", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.987Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": 
"g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.031Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GSC8nn8Bx5kiROf3_Q-m", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + 
"kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "f757a7a330f9750adee240bac8ceba9f6d6e0c3d51f5e53e3868d53abdc48833", + "kibana.alert.group.id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "d8e4b2e592b397f293976c113fd9f54f2f548064dbde4e5635f6c6ee74c94906", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" 
+ ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.990Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.632Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GiC8nn8Bx5kiROf3_g_t", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + 
"false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "d8e4b2e592b397f293976c113fd9f54f2f548064dbde4e5635f6c6ee74c94906", + "kibana.alert.group.id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6", + 
"kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.991Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a 
simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "GSC8nn8Bx5kiROf3_Q-m", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "f757a7a330f9750adee240bac8ceba9f6d6e0c3d51f5e53e3868d53abdc48833", + "type": "signal", 
+ "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "GiC8nn8Bx5kiROf3_g_t", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "d8e4b2e592b397f293976c113fd9f54f2f548064dbde4e5635f6c6ee74c94906", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", + "kibana.alert.group.id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "e1b786c09f1c1c09292e6d5282a2547da980da8f815a04cc8596fb2781456216", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.995Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + 
"kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.632Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GiC8nn8Bx5kiROf3_g_t", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + 
"kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "e1b786c09f1c1c09292e6d5282a2547da980da8f815a04cc8596fb2781456216", + "kibana.alert.group.id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "818488b97e8141b9ea320d423ab97a2051eeee17406f62048829376d92fdcc77", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.997Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + 
"version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.959Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GyC9nn8Bx5kiROf3AA80", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + 
"references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "818488b97e8141b9ea320d423ab97a2051eeee17406f62048829376d92fdcc77", + "kibana.alert.group.id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad", + "_score": 1, 
+ "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:31.998Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + 
"risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "GiC8nn8Bx5kiROf3_g_t", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "e1b786c09f1c1c09292e6d5282a2547da980da8f815a04cc8596fb2781456216", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "GyC9nn8Bx5kiROf3AA80", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": 
"818488b97e8141b9ea320d423ab97a2051eeee17406f62048829376d92fdcc77", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", + "kibana.alert.group.id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "92c0a5b141e5cd2a3815741071655bfc0a5d96295d1b74e1cab9f081746c7b05", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.001Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + 
"containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.959Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GyC9nn8Bx5kiROf3AA80", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + 
"kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "92c0a5b141e5cd2a3815741071655bfc0a5d96295d1b74e1cab9f081746c7b05", + "kibana.alert.group.id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "930d8122b24659e376b54776039cec1aa15168386774d05c04a813ee5fa8f182", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.004Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + 
"cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.281Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HCC9nn8Bx5kiROf3AQ8d", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any 
where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "930d8122b24659e376b54776039cec1aa15168386774d05c04a813ee5fa8f182", + "kibana.alert.group.id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", 
+ "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.005Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + 
"language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "GyC9nn8Bx5kiROf3AA80", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "92c0a5b141e5cd2a3815741071655bfc0a5d96295d1b74e1cab9f081746c7b05", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "HCC9nn8Bx5kiROf3AQ8d", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "930d8122b24659e376b54776039cec1aa15168386774d05c04a813ee5fa8f182", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": 
"event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", + "kibana.alert.group.id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "763d6d9a7d0314e994e34160765496398bb950c0deb718c677e25a7d4ae9bd74", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.009Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": 
"default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.281Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HCC9nn8Bx5kiROf3AQ8d", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + 
"kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "763d6d9a7d0314e994e34160765496398bb950c0deb718c677e25a7d4ae9bd74", + "kibana.alert.group.id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "4363d5a52b18d06083720524d7881fc8eecd19888a96dcdf2976c2f7d49dda5f", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.011Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + 
"project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.515Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HSC9nn8Bx5kiROf3Ag9w", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + 
"kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "4363d5a52b18d06083720524d7881fc8eecd19888a96dcdf2976c2f7d49dda5f", + "kibana.alert.group.id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], 
+ "@timestamp": "2022-03-18T20:34:32.012Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": 
"elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "HCC9nn8Bx5kiROf3AQ8d", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "763d6d9a7d0314e994e34160765496398bb950c0deb718c677e25a7d4ae9bd74", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "HSC9nn8Bx5kiROf3Ag9w", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "4363d5a52b18d06083720524d7881fc8eecd19888a96dcdf2976c2f7d49dda5f", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", + "kibana.alert.group.id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94" + } + 
} +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "a13cfd03267db8839879a55b581b1940a9b175d51f68f6f6dd5f7eed0b6f2fa5", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.022Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.515Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + 
"id": "HSC9nn8Bx5kiROf3Ag9w", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + 
"kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "a13cfd03267db8839879a55b581b1940a9b175d51f68f6f6dd5f7eed0b6f2fa5", + "kibana.alert.group.id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "3caaf3a51113942a7064dcf5895cd94e7caa81ca3fddda4a1806a580f0f566fd", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.024Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + 
"codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.858Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HiC9nn8Bx5kiROf3Aw_G", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a 
simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "3caaf3a51113942a7064dcf5895cd94e7caa81ca3fddda4a1806a580f0f566fd", + "kibana.alert.group.id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.024Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": 
"2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "HSC9nn8Bx5kiROf3Ag9w", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "a13cfd03267db8839879a55b581b1940a9b175d51f68f6f6dd5f7eed0b6f2fa5", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "HiC9nn8Bx5kiROf3Aw_G", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "3caaf3a51113942a7064dcf5895cd94e7caa81ca3fddda4a1806a580f0f566fd", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", + "kibana.alert.group.id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": 
"aaea2a77dba200c71cebfdceadf441f67204e0a7537e873ea8835ae3dce9d698", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.028Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.858Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HiC9nn8Bx5kiROf3Aw_G", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + 
"kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": 
"2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "aaea2a77dba200c71cebfdceadf441f67204e0a7537e873ea8835ae3dce9d698", + "kibana.alert.group.id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "d451bbf6d3cbc1b479b2a75708d45790b6d5d676f055f57685dc8c25cd681dec", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.030Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + 
"platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.199Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HyC9nn8Bx5kiROf3Bg8J", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": 
"", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "d451bbf6d3cbc1b479b2a75708d45790b6d5d676f055f57685dc8c25cd681dec", + "kibana.alert.group.id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.031Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": 
"security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + 
"kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "HiC9nn8Bx5kiROf3Aw_G", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "aaea2a77dba200c71cebfdceadf441f67204e0a7537e873ea8835ae3dce9d698", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "HyC9nn8Bx5kiROf3Bg8J", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "d451bbf6d3cbc1b479b2a75708d45790b6d5d676f055f57685dc8c25cd681dec", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", + "kibana.alert.group.id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "34a93e78ff1b49b11bcbfc72162e0737393c63de0e20135685462b46edf94760", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": 
"siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.034Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.199Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HyC9nn8Bx5kiROf3Bg8J", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + 
"kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", + 
"kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "34a93e78ff1b49b11bcbfc72162e0737393c63de0e20135685462b46edf94760", + "kibana.alert.group.id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "30b43dbbe130f75f33e8370cd9ca30a1476767700644cfb6ee35d63099176b43", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.036Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": 
"filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.775Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ICC9nn8Bx5kiROf3Bw9I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": 
"332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.775Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "30b43dbbe130f75f33e8370cd9ca30a1476767700644cfb6ee35d63099176b43", + "kibana.alert.group.id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:32.037Z", + "agent": { + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + 
"project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + 
"kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "HyC9nn8Bx5kiROf3Bg8J", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "34a93e78ff1b49b11bcbfc72162e0737393c63de0e20135685462b46edf94760", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + }, + { + "id": "ICC9nn8Bx5kiROf3Bw9I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "30b43dbbe130f75f33e8370cd9ca30a1476767700644cfb6ee35d63099176b43", + "type": "signal", + "index": "", + "depth": 1, + "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", + "kibana.alert.group.id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "cadfed124e07778b37d1ffa03da091888fb760a8a98420defc9ce11a3707b7ad", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + 
"kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.793Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.054Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "FyC8nn8Bx5kiROf3-A_I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + 
"severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.054Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "cadfed124e07778b37d1ffa03da091888fb760a8a98420defc9ce11a3707b7ad" + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".internal.alerts-security.alerts-default", + "_id": "c89ab9cbcf9ea0217688746df8d25a8209cf6c062ebc315a7459f711dfd082e5", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.797Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:17.429Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GCC8nn8Bx5kiROf3-w9Q", + "type": "event", + 
"index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", 
+ "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "c89ab9cbcf9ea0217688746df8d25a8209cf6c062ebc315a7459f711dfd082e5" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "23eb02e3f54112825511fd7b18258d288efda15484a73a73464005ec72e53a94", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.801Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": 
"filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.031Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GSC8nn8Bx5kiROf3_Q-m", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + 
"kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "23eb02e3f54112825511fd7b18258d288efda15484a73a73464005ec72e53a94" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "7c2a1ffb2653dcc26dad5384523d9f54570b79a269ac395c91c6bbd94bcbe92c", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.806Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + 
"host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.632Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GiC8nn8Bx5kiROf3_g_t", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + 
"kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "7c2a1ffb2653dcc26dad5384523d9f54570b79a269ac395c91c6bbd94bcbe92c" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "d8a91e57b73ce6d51c5aea108438917d0540dd22ed11cf1b8b6f771883c9541a", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.811Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:18.959Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "GyC9nn8Bx5kiROf3AA80", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + 
"language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "d8a91e57b73ce6d51c5aea108438917d0540dd22ed11cf1b8b6f771883c9541a" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "3606946f7925b4cd1550e3c924f2096960407810c1e163019aa4afd0855c3bc6", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": 
"siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.815Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.281Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HCC9nn8Bx5kiROf3AQ8d", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + 
"risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "3606946f7925b4cd1550e3c924f2096960407810c1e163019aa4afd0855c3bc6" + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".internal.alerts-security.alerts-default", + "_id": "f49b6b07230c727f3afac02cfa02ab9950a663f6f657713526dcc9b40e4cddbd", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.818Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.515Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HSC9nn8Bx5kiROf3Ag9w", + "type": "event", + 
"index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", 
+ "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "f49b6b07230c727f3afac02cfa02ab9950a663f6f657713526dcc9b40e4cddbd" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "892746def295d2f050f9d7ea518f3d1936a31446a0daf992e97d6f30396656fb", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.822Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": 
"filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:19.858Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HiC9nn8Bx5kiROf3Aw_G", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + 
"kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "892746def295d2f050f9d7ea518f3d1936a31446a0daf992e97d6f30396656fb" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "0739643bae7ae40e27b67340c9f38333fc497d1c10d1eb806001b9380355d77d", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.825Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + 
"host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.199Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "HyC9nn8Bx5kiROf3Bg8J", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + 
"kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "0739643bae7ae40e27b67340c9f38333fc497d1c10d1eb806001b9380355d77d" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default", + "_id": "fa86b2e41c2f118a5499ee514a989bb5352e18b7c2f8fbfe57ef55c6fecfaff2", + "_score": 1, + "_source": { + "kibana.version": "8.0.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-18T20:34:28.828Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.0.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-18T20:34:20.775Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ICC9nn8Bx5kiROf3Bw9I", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + 
"language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.775Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "fa86b2e41c2f118a5499ee514a989bb5352e18b7c2f8fbfe57ef55c6fecfaff2" + } + } +} + diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json new file mode 100644 index 0000000000000..9ef3267f3735b --- /dev/null +++ b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json 
@@ -0,0 +1,5243 @@ +{ + "type": "index", + "value": { + "aliases": { + ".alerts-security.alerts-default": { + "is_write_index": true + }, + ".siem-signals-default": { + "is_write_index": false + } + }, + "index": ".internal.alerts-security.alerts-default-000001", + "mappings": { + "dynamic": "false", + "_meta": { + "namespace": "default", + "kibana": { + "version": "8.0.0" + } + }, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "type": "keyword" + } + } + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + 
"domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + 
"type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "id": { + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "type": "keyword" + }, + "tag": { + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "type": "keyword" + }, + "runtime": { + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + 
"type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + }, + "header_flags": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "op_code": { + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + 
"registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "type": "keyword" + }, + "trigger": { + "type": "nested", + "properties": { + "request_id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "accessed": { + 
"type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + 
"extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + 
"common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "type": "scaled_float", + "scaling_factor": 1000 + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "hostname": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + 
"type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "method": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "referrer": { + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "action_group": { + "type": "keyword" + }, + "ancestors": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "building_block_type": { + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "end": { + "type": "date" + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "keyword" + }, + "end": { + "type": "date" + }, 
+ "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "original_time": { + "type": "date" + }, + "reason": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "consumer": { + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "created_by": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enabled": { + "type": "keyword" + }, + "exceptions_list": { + "type": "object" + }, + "false_positives": { + "type": "keyword" + }, + "from": { + "type": "keyword" + }, + "immutable": { + "type": "keyword" + }, + "interval": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "max_signals": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "note": { + "type": "keyword" + }, + "parameters": { + "type": "flattened", + "ignore_above": 4096 + }, + "producer": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "rule_id": { + "type": "keyword" + }, + "rule_name_override": { + "type": "keyword" + }, + "rule_type_id": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "type": "keyword" + }, + "tactic": { + 
"properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "timeline_id": { + "type": "keyword" + }, + "timeline_title": { + "type": "keyword" + }, + "timestamp_override": { + "type": "keyword" + }, + "to": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + }, + "start": { + "type": "date" + }, + "status": { + "type": "keyword" + }, + "system_status": { + "type": "keyword" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + }, + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "uuid": { + "type": "keyword" + }, + "workflow_reason": { + "type": "keyword" + }, + "workflow_status": { + "type": "keyword" + }, + "workflow_user": { + "type": "keyword" + } + } + }, + "space_ids": { + "type": "keyword" + }, + "version": { + "type": "version" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "type": "keyword" + } + } + }, + "level": { + "type": "keyword" + }, + "logger": { + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + 
"function": { + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "network": { + "properties": { + "application": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "type": "keyword" + }, + "direction": { + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "name": { + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "type": "keyword" + }, + "transport": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "zone": { + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, 
+ "timezone": { + "type": "keyword" + } + } + }, + "hostname": { + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "zone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "product": { + "type": "keyword" + }, + "serial_number": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "namespace": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "build_version": { + "type": "keyword" + }, + "checksum": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "install_scope": { + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "type": "keyword" + }, + "name": { + 
"type": "keyword" + }, + "path": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + 
} + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "type": "keyword" + }, + "executable": { + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + 
"physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "type": "keyword" + }, + "executable": { + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "title": { + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": 
{ + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "title": { + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "type": "keyword" + }, + "hosts": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "ruleset": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + 
"type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + 
"version": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "signal": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "type": "alias", + "path": "kibana.alert.ancestors.depth" + }, + "id": { + "type": "alias", + "path": "kibana.alert.ancestors.id" + }, + "index": { + "type": "alias", + "path": "kibana.alert.ancestors.index" + }, + "type": { + "type": "alias", + "path": "kibana.alert.ancestors.type" + } + } + }, + "depth": { + "type": "alias", + "path": "kibana.alert.depth" + }, + "group": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.group.id" + }, + "index": { + "type": "alias", + "path": "kibana.alert.group.index" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "alias", + "path": "kibana.alert.original_event.action" + }, + "category": { + "type": "alias", + "path": "kibana.alert.original_event.category" + }, + "code": { + "type": "alias", + "path": "kibana.alert.original_event.code" + }, + "created": { + "type": "alias", + "path": "kibana.alert.original_event.created" + }, + "dataset": { + "type": "alias", + "path": "kibana.alert.original_event.dataset" + }, + "duration": { + "type": "alias", + "path": "kibana.alert.original_event.duration" + }, + "end": { + "type": "alias", + "path": "kibana.alert.original_event.end" + }, + "hash": { + "type": "alias", + "path": "kibana.alert.original_event.hash" + }, + "id": { + "type": "alias", + "path": "kibana.alert.original_event.id" + }, + "kind": { + "type": "alias", + "path": "kibana.alert.original_event.kind" + }, + "module": { + "type": "alias", + "path": "kibana.alert.original_event.module" + }, + "outcome": { + "type": "alias", + "path": "kibana.alert.original_event.outcome" + }, + "provider": { + "type": "alias", + "path": "kibana.alert.original_event.provider" + }, + "reason": { + "type": "alias", + "path": "kibana.alert.original_event.reason" + }, + "risk_score": { 
+ "type": "alias", + "path": "kibana.alert.original_event.risk_score" + }, + "risk_score_norm": { + "type": "alias", + "path": "kibana.alert.original_event.risk_score_norm" + }, + "sequence": { + "type": "alias", + "path": "kibana.alert.original_event.sequence" + }, + "severity": { + "type": "alias", + "path": "kibana.alert.original_event.severity" + }, + "start": { + "type": "alias", + "path": "kibana.alert.original_event.start" + }, + "timezone": { + "type": "alias", + "path": "kibana.alert.original_event.timezone" + }, + "type": { + "type": "alias", + "path": "kibana.alert.original_event.type" + } + } + }, + "original_time": { + "type": "alias", + "path": "kibana.alert.original_time" + }, + "reason": { + "type": "alias", + "path": "kibana.alert.reason" + }, + "rule": { + "properties": { + "author": { + "type": "alias", + "path": "kibana.alert.rule.author" + }, + "building_block_type": { + "type": "alias", + "path": "kibana.alert.building_block_type" + }, + "created_at": { + "type": "alias", + "path": "kibana.alert.rule.created_at" + }, + "created_by": { + "type": "alias", + "path": "kibana.alert.rule.created_by" + }, + "description": { + "type": "alias", + "path": "kibana.alert.rule.description" + }, + "enabled": { + "type": "alias", + "path": "kibana.alert.rule.enabled" + }, + "false_positives": { + "type": "alias", + "path": "kibana.alert.rule.false_positives" + }, + "from": { + "type": "alias", + "path": "kibana.alert.rule.from" + }, + "id": { + "type": "alias", + "path": "kibana.alert.rule.uuid" + }, + "immutable": { + "type": "alias", + "path": "kibana.alert.rule.immutable" + }, + "interval": { + "type": "alias", + "path": "kibana.alert.rule.interval" + }, + "license": { + "type": "alias", + "path": "kibana.alert.rule.license" + }, + "max_signals": { + "type": "alias", + "path": "kibana.alert.rule.max_signals" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.name" + }, + "note": { + "type": "alias", + "path": "kibana.alert.rule.note" + }, + 
"references": { + "type": "alias", + "path": "kibana.alert.rule.references" + }, + "risk_score": { + "type": "alias", + "path": "kibana.alert.risk_score" + }, + "rule_id": { + "type": "alias", + "path": "kibana.alert.rule.rule_id" + }, + "rule_name_override": { + "type": "alias", + "path": "kibana.alert.rule.rule_name_override" + }, + "severity": { + "type": "alias", + "path": "kibana.alert.severity" + }, + "tags": { + "type": "alias", + "path": "kibana.alert.rule.tags" + }, + "threat": { + "properties": { + "framework": { + "type": "alias", + "path": "kibana.alert.rule.threat.framework" + }, + "tactic": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.rule.threat.tactic.id" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.threat.tactic.name" + }, + "reference": { + "type": "alias", + "path": "kibana.alert.rule.threat.tactic.reference" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.id" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.name" + }, + "reference": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.reference" + }, + "subtechnique": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.subtechnique.id" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.subtechnique.name" + }, + "reference": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.subtechnique.reference" + } + } + } + } + } + } + }, + "timeline_id": { + "type": "alias", + "path": "kibana.alert.rule.timeline_id" + }, + "timeline_title": { + "type": "alias", + "path": "kibana.alert.rule.timeline_title" + }, + "timestamp_override": { + "type": "alias", + "path": "kibana.alert.rule.timestamp_override" + }, + "to": { + "type": "alias", + "path": "kibana.alert.rule.to" + }, + "type": { + "type": "alias", + "path": "kibana.alert.rule.type" + }, + 
"updated_at": { + "type": "alias", + "path": "kibana.alert.rule.updated_at" + }, + "updated_by": { + "type": "alias", + "path": "kibana.alert.rule.updated_by" + }, + "version": { + "type": "alias", + "path": "kibana.alert.rule.version" + } + } + }, + "status": { + "type": "alias", + "path": "kibana.alert.workflow_status" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "alias", + "path": "kibana.alert.threshold_result.cardinality.field" + }, + "value": { + "type": "alias", + "path": "kibana.alert.threshold_result.cardinality.value" + } + } + }, + "count": { + "type": "alias", + "path": "kibana.alert.threshold_result.count" + }, + "from": { + "type": "alias", + "path": "kibana.alert.threshold_result.from" + }, + "terms": { + "properties": { + "field": { + "type": "alias", + "path": "kibana.alert.threshold_result.terms.field" + }, + "value": { + "type": "alias", + "path": "kibana.alert.threshold_result.terms.value" + } + } + } + } + } + } + }, + "source": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + 
} + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "enrichments": { + "type": "nested", + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "confidence": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + 
"architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, 
+ "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" 
+ }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + 
"state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "matched": { + "properties": { + "atomic": { + "type": "keyword" + }, + "field": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "framework": { + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "confidence": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + 
}, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + 
"type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + 
"state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": 
"keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platforms": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + 
"reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "type": "keyword" + }, + "certificate_chain": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + } + } + }, + "issuer": { + "type": "keyword" + }, + "ja3": { + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "type": "keyword" + }, + "subject": { + "type": "keyword" + }, + "supported_ciphers": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "curve": { + "type": "keyword" + }, + "established": { + 
"type": "boolean" + }, + "next_protocol": { + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "type": "keyword" + }, + "certificate_chain": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + } + } + }, + "issuer": { + "type": "keyword" + }, + "ja3s": { + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "version": { + "type": "keyword" + }, + "version_protocol": { + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + 
"transaction": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + }, + "domain": { + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": 
"keyword" + }, + "roles": { + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "version": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "type": "keyword" + }, + "classification": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enumeration": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "report_id": { + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "lifecycle": { + "name": ".alerts-ilm-policy", + "rollover_alias": ".alerts-security.alerts-default" + }, + "routing": { + "allocation": { + "include": { + "_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { 
+ "limit": "1700" + } + }, + "hidden": "true", + "number_of_shards": "1", + "provided_name": ".internal.alerts-security.alerts-default-000001", + "creation_date": "1647635669038", + "number_of_replicas": "1", + "uuid": "FUalekzBT3Gidug_gisROA", + "version": { + "created": "8000099" + } + } + } + } +} \ No newline at end of file diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json new file mode 100644 index 0000000000000..bcf0eaa4d0411 --- /dev/null +++ b/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json 
@@ -0,0 +1,8186 @@ +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.634Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + 
"feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "XhEToH8BK09aFtXZBFPs", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.376Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ahEToH8BK09aFtXZFVMq", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat 
match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.376Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.376Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "30a75fe46d3dbdfab55982036f77a8d60e2d1112e96f277c3b8c22f9bb57817a" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "500b032158474ac14dc532b49cccbf1be50f2e31cecc5504ed8d01722943aa3e", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.637Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "YBEToH8BK09aFtXZCFNr", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.047Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aREToH8BK09aFtXZE1Pf", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + 
"rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": 
"signal", + "kibana.alert.uuid": "500b032158474ac14dc532b49cccbf1be50f2e31cecc5504ed8d01722943aa3e" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "b8232f895189bcecf3c87550c54c9f24dd8c3606c3bfc3f74373f3eb017597df", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.643Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + 
"dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "XxEToH8BK09aFtXZB1Mn", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.723Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aBEToH8BK09aFtXZElOb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": 
"elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "b8232f895189bcecf3c87550c54c9f24dd8c3606c3bfc3f74373f3eb017597df" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "f3bbdf17847c703e37dca942dc6c1db69eb8af18a74c1f52b6d0bd76c6b3b135", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.646Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": 
"d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "XhEToH8BK09aFtXZBFPs", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.372Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZxEToH8BK09aFtXZEVNR", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + 
"risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.agent_id_status": "verified", + 
"kibana.alert.original_event.ingested": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "f3bbdf17847c703e37dca942dc6c1db69eb8af18a74c1f52b6d0bd76c6b3b135" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "170865e675eda76202f0095b23869d8d0726df4c91a343876df38b566bf1e57d", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.650Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + 
"architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "YBEToH8BK09aFtXZCFNr", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.044Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZhEToH8BK09aFtXZD1P3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + 
"kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "170865e675eda76202f0095b23869d8d0726df4c91a343876df38b566bf1e57d" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "9d94a2a27250e17a68201dbb87848da654faffc0b3e152318b7b987123c169d7", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + 
"kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.652Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "XxEToH8BK09aFtXZB1Mn", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.722Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZREToH8BK09aFtXZDlOv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", + 
"kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + 
"kibana.alert.original_time": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "9d94a2a27250e17a68201dbb87848da654faffc0b3e152318b7b987123c169d7" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "e6e5910a36f102033c316f083b93859ab1c793f7619f2edc946b8d9f016fd8bc", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.655Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + 
"platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "XhEToH8BK09aFtXZBFPs", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.468Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZBEToH8BK09aFtXZDVNr", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + 
"kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "e6e5910a36f102033c316f083b93859ab1c793f7619f2edc946b8d9f016fd8bc" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "e888b3a14f852c5e81dcc5d5f67a3731862c1eda7ffae502407b8dd8c251c7ba", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + 
"kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.658Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-3", + "field": "host.name", + "id": "YBEToH8BK09aFtXZCFNr", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.150Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YxEToH8BK09aFtXZDFNv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, 
+ "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + 
"kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "e888b3a14f852c5e81dcc5d5f67a3731862c1eda7ffae502407b8dd8c251c7ba" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "0e951426cfad980caabb41fee7a1eeae6a0ad18d1391ade9ef112fdab377999c", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": "threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.661Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + 
"codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-2", + "field": "host.name", + "id": "XxEToH8BK09aFtXZB1Mn", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.820Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YhEToH8BK09aFtXZC1Mt", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + 
"threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "0e951426cfad980caabb41fee7a1eeae6a0ad18d1391ade9ef112fdab377999c" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "3fd3725809525f84c67d68e086c889f7046893c2b8ea2dc905af0844a086da51", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Indicator Match Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "63219e9b-045c-4e91-9e9d-3584663bc0be", + "kibana.alert.rule.name": 
"threat-match-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.indicatorRule", + "kibana.alert.rule.uuid": "031d5c00-a72f-11ec-a8a3-7b1c8077fc3e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:12.663Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "threat": { + "enrichments": [ + { + "indicator": {}, + "feed": {}, + "matched": { + "atomic": "security-linux-1", + "field": "host.name", + "id": "XhEToH8BK09aFtXZBFPs", + "index": "threat-index-000001", + "type": "indicator_match_rule" + } + } + ] + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.442Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YREToH8BK09aFtXZCVO3", + "type": "event", + "index": "events-index-000001", + 
"depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threat match rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threat_match", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threat_query": "*", + "threat_mapping": [ + { + "entries": [ + { + "field": "host.name", + "type": "mapping", + "value": "host.name" + } + ] + } + ], + "threat_language": "kuery", + "threat_index": [ + "threat-index-*" + ], + "threat_indicator_path": "threat.indicator" + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:10.218Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threat_match", + "kibana.alert.rule.description": "a simple threat match rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "53000028-120c-4e55-a8c0-db092e05aef4", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + 
"kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:54.442Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.442Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "3fd3725809525f84c67d68e086c889f7046893c2b8ea2dc905af0844a086da51" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "b1527c2efcd223c32e446308266072b196af4b40fd7b52f4f48651e07288c106", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Threshold Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "42543ad3-fc35-490f-b908-0904009de6b2", + "kibana.alert.rule.name": "threshold-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.thresholdRule", + "kibana.alert.rule.uuid": "0171a7d0-a72f-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:09.570Z", + "host.name": "security-linux-1", + "kibana.alert.ancestors": [ + { + "id": "5094535b-4092-5043-a842-ea63799e386b", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event created low alert threshold-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": 
"5e39f5f3-b561-4f4d-9493-7c37d2070f15", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:07.210Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:08.514Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threshold", + "kibana.alert.rule.description": "a simple threshold rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5e39f5f3-b561-4f4d-9493-7c37d2070f15", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.376Z", + "kibana.alert.threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-1" + } + ], + "count": 4, + "from": "2022-03-19T02:47:54.442Z" + }, + "event.kind": "signal", + "kibana.alert.uuid": "b1527c2efcd223c32e446308266072b196af4b40fd7b52f4f48651e07288c106" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": 
"e8030bc1d3f772588fd553b12015b98bb989536569ce3462170d3640c41a413b", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Threshold Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "42543ad3-fc35-490f-b908-0904009de6b2", + "kibana.alert.rule.name": "threshold-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.thresholdRule", + "kibana.alert.rule.uuid": "0171a7d0-a72f-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:09.571Z", + "host.name": "security-linux-2", + "kibana.alert.ancestors": [ + { + "id": "c7779a8c-3f89-578e-a66d-4b164f2c40f5", + "type": "event", + "index": "events-index-*", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event created low alert threshold-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5e39f5f3-b561-4f4d-9493-7c37d2070f15", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:07.210Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:08.514Z", + "kibana.alert.rule.updated_by": 
"elastic", + "kibana.alert.rule.type": "threshold", + "kibana.alert.rule.description": "a simple threshold rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5e39f5f3-b561-4f4d-9493-7c37d2070f15", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.723Z", + "kibana.alert.threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-2" + } + ], + "count": 3, + "from": "2022-03-19T02:47:54.820Z" + }, + "event.kind": "signal", + "kibana.alert.uuid": "e8030bc1d3f772588fd553b12015b98bb989536569ce3462170d3640c41a413b" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "ec81cb5b5bc3cb2fe0a68995827680290072224d48b25e1c50a8bdf0c2319240", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Threshold Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "42543ad3-fc35-490f-b908-0904009de6b2", + "kibana.alert.rule.name": "threshold-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.thresholdRule", + "kibana.alert.rule.uuid": "0171a7d0-a72f-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:09.573Z", + "host.name": "security-linux-3", + "kibana.alert.ancestors": [ + { + "id": "be16bed6-44b8-5b24-b36b-4852b3c9dd01", + "type": "event", + 
"index": "events-index-*", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event created low alert threshold-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple threshold rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "5e39f5f3-b561-4f4d-9493-7c37d2070f15", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "threshold", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [], + "threshold": { + "field": [ + "host.name" + ], + "value": 1 + } + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:07.210Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:08.514Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "threshold", + "kibana.alert.rule.description": "a simple threshold rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "5e39f5f3-b561-4f4d-9493-7c37d2070f15", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": 
false, + "kibana.alert.original_time": "2022-03-19T02:47:57.047Z", + "kibana.alert.threshold_result": { + "terms": [ + { + "field": "host.name", + "value": "security-linux-3" + } + ], + "count": 3, + "from": "2022-03-19T02:47:55.150Z" + }, + "event.kind": "signal", + "kibana.alert.uuid": "ec81cb5b5bc3cb2fe0a68995827680290072224d48b25e1c50a8bdf0c2319240" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "c2212cd742aff3560682e4e84c24cc3f7bb5dec5d7e41040065b150225d29712", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.802Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + 
"containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.442Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YREToH8BK09aFtXZCVO3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + 
"kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:54.442Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.442Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "c2212cd742aff3560682e4e84c24cc3f7bb5dec5d7e41040065b150225d29712", + "kibana.alert.group.id": "3166e88dc22be20867cf2841d1954fba65bd9969fa24d2bc228db18ff22d460a", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "73293504399a0c0297290010a6da0fc90b424c8b5b4a39c8e2d9b8e30535db6c", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.805Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.820Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YhEToH8BK09aFtXZC1Mt", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + 
"immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "73293504399a0c0297290010a6da0fc90b424c8b5b4a39c8e2d9b8e30535db6c", + "kibana.alert.group.id": "3166e88dc22be20867cf2841d1954fba65bd9969fa24d2bc228db18ff22d460a", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "3166e88dc22be20867cf2841d1954fba65bd9969fa24d2bc228db18ff22d460a", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + 
"kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.806Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": 
"4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "YREToH8BK09aFtXZCVO3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "c2212cd742aff3560682e4e84c24cc3f7bb5dec5d7e41040065b150225d29712", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "YhEToH8BK09aFtXZC1Mt", + "type": "event", + "index": 
"events-index-000001", + "depth": 0 + }, + { + "id": "73293504399a0c0297290010a6da0fc90b424c8b5b4a39c8e2d9b8e30535db6c", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:54.442Z", + "kibana.alert.group.id": "3166e88dc22be20867cf2841d1954fba65bd9969fa24d2bc228db18ff22d460a", + "kibana.alert.uuid": "3166e88dc22be20867cf2841d1954fba65bd9969fa24d2bc228db18ff22d460a" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "deb4ff08d8ee46741e3552694de1405d9c8dc94f3ddf7c2b12386a33f4c43ac8", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.810Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": 
"security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.820Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YhEToH8BK09aFtXZC1Mt", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + 
"kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "deb4ff08d8ee46741e3552694de1405d9c8dc94f3ddf7c2b12386a33f4c43ac8", + "kibana.alert.group.id": "99ecd61224453120ab8ac69a68a8c198143ea3920273941a6b85b4609ab86e1a", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "70ac61a6a0bb630da02e4a2737958b814536a8016d88eddb4e6d5b193fabcbcb", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.812Z", + "agent": { + 
"name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.150Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YxEToH8BK09aFtXZDFNv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + 
"max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "70ac61a6a0bb630da02e4a2737958b814536a8016d88eddb4e6d5b193fabcbcb", + "kibana.alert.group.id": "99ecd61224453120ab8ac69a68a8c198143ea3920273941a6b85b4609ab86e1a", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".internal.alerts-security.alerts-default-000001", + "_id": "99ecd61224453120ab8ac69a68a8c198143ea3920273941a6b85b4609ab86e1a", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.813Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a 
simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "YhEToH8BK09aFtXZC1Mt", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "deb4ff08d8ee46741e3552694de1405d9c8dc94f3ddf7c2b12386a33f4c43ac8", + "type": "signal", 
+ "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "YxEToH8BK09aFtXZDFNv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "70ac61a6a0bb630da02e4a2737958b814536a8016d88eddb4e6d5b193fabcbcb", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:54.820Z", + "kibana.alert.group.id": "99ecd61224453120ab8ac69a68a8c198143ea3920273941a6b85b4609ab86e1a", + "kibana.alert.uuid": "99ecd61224453120ab8ac69a68a8c198143ea3920273941a6b85b4609ab86e1a" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "82ad71870bb9ce4c6570f5060feb5d6f2ca38806c67cca2cdda19384dc4b8a79", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.816Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + 
"project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.150Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YxEToH8BK09aFtXZDFNv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + 
"kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "82ad71870bb9ce4c6570f5060feb5d6f2ca38806c67cca2cdda19384dc4b8a79", + "kibana.alert.group.id": "86fbd0f02916608f9a6078ee5db3635e58b6138aae232d85006f27a05ee5ff30", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "50a224a9b65c5cdfcaee60d0f5fec7c98901161779138d686cff39277034f9fd", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": 
"ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.818Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.468Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZBEToH8BK09aFtXZDVNr", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + 
"risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "50a224a9b65c5cdfcaee60d0f5fec7c98901161779138d686cff39277034f9fd", + "kibana.alert.group.id": 
"86fbd0f02916608f9a6078ee5db3635e58b6138aae232d85006f27a05ee5ff30", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "86fbd0f02916608f9a6078ee5db3635e58b6138aae232d85006f27a05ee5ff30", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.819Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": 
"open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "YxEToH8BK09aFtXZDFNv", + "type": 
"event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "82ad71870bb9ce4c6570f5060feb5d6f2ca38806c67cca2cdda19384dc4b8a79", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "ZBEToH8BK09aFtXZDVNr", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "50a224a9b65c5cdfcaee60d0f5fec7c98901161779138d686cff39277034f9fd", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:55.150Z", + "kibana.alert.group.id": "86fbd0f02916608f9a6078ee5db3635e58b6138aae232d85006f27a05ee5ff30", + "kibana.alert.uuid": "86fbd0f02916608f9a6078ee5db3635e58b6138aae232d85006f27a05ee5ff30" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "9148662e17d39a5b384c8429ca7736ea540b13ffc881ae6d4079678ea405f3f0", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.823Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": 
"security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.468Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZBEToH8BK09aFtXZDVNr", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + 
"kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "9148662e17d39a5b384c8429ca7736ea540b13ffc881ae6d4079678ea405f3f0", + "kibana.alert.group.id": "6f6f4de344632bf418be705ea307e502295a64c2e5c8db5496a701a195ca8ba9", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "8497c7aeea8bc5c5faa870fd0f3e934e50047b54171b917c8255f0485a8c86bb", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + 
"kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.825Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.722Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZREToH8BK09aFtXZDlOv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": 
"default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + 
"event.kind": "signal", + "kibana.alert.uuid": "8497c7aeea8bc5c5faa870fd0f3e934e50047b54171b917c8255f0485a8c86bb", + "kibana.alert.group.id": "6f6f4de344632bf418be705ea307e502295a64c2e5c8db5496a701a195ca8ba9", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "6f6f4de344632bf418be705ea307e502295a64c2e5c8db5496a701a195ca8ba9", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.826Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + 
"event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": 
"elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "ZBEToH8BK09aFtXZDVNr", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "9148662e17d39a5b384c8429ca7736ea540b13ffc881ae6d4079678ea405f3f0", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "ZREToH8BK09aFtXZDlOv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "8497c7aeea8bc5c5faa870fd0f3e934e50047b54171b917c8255f0485a8c86bb", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:55.468Z", + "kibana.alert.group.id": "6f6f4de344632bf418be705ea307e502295a64c2e5c8db5496a701a195ca8ba9", + "kibana.alert.uuid": "6f6f4de344632bf418be705ea307e502295a64c2e5c8db5496a701a195ca8ba9" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "11941a5508aa59bdfa43d8b5c660b26e9aa0eeb67a741ec93c5b61e7670fba7e", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.829Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.722Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZREToH8BK09aFtXZDlOv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + 
"immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "11941a5508aa59bdfa43d8b5c660b26e9aa0eeb67a741ec93c5b61e7670fba7e", + "kibana.alert.group.id": "89565a00d1db6d634d655e9b3e44e399f83c9305d4aafbd96bd476b570d0ef59", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "3c6a7eaf77af1d891cf57c7f8c1296907a2593b90b1fbe0fdcb31d7edc4c1e5f", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + 
"kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.832Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.044Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZhEToH8BK09aFtXZD1P3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + 
"kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.044Z", + 
"kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "3c6a7eaf77af1d891cf57c7f8c1296907a2593b90b1fbe0fdcb31d7edc4c1e5f", + "kibana.alert.group.id": "89565a00d1db6d634d655e9b3e44e399f83c9305d4aafbd96bd476b570d0ef59", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "89565a00d1db6d634d655e9b3e44e399f83c9305d4aafbd96bd476b570d0ef59", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.833Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + 
"architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + 
"kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "ZREToH8BK09aFtXZDlOv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "11941a5508aa59bdfa43d8b5c660b26e9aa0eeb67a741ec93c5b61e7670fba7e", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "ZhEToH8BK09aFtXZD1P3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "3c6a7eaf77af1d891cf57c7f8c1296907a2593b90b1fbe0fdcb31d7edc4c1e5f", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:55.722Z", + "kibana.alert.group.id": "89565a00d1db6d634d655e9b3e44e399f83c9305d4aafbd96bd476b570d0ef59", + "kibana.alert.uuid": "89565a00d1db6d634d655e9b3e44e399f83c9305d4aafbd96bd476b570d0ef59" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "e2c0a0d7bdb23e8cf9cb37da28fe0eb9ee890e164b8adcb9a774b21d21d4191c", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.836Z", + "agent": { + "name": 
"security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.044Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZhEToH8BK09aFtXZD1P3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + 
"max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "e2c0a0d7bdb23e8cf9cb37da28fe0eb9ee890e164b8adcb9a774b21d21d4191c", + "kibana.alert.group.id": "34c97599a4f1a2d0a9c03934bf7e00b3894e5188f478db436aa23af09feb5344", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": 
".internal.alerts-security.alerts-default-000001", + "_id": "b437e07a5f89d081884ce89a546c7d1857c481389b3b2acc8792805d180a6cd4", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.838Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.372Z", + "event.dataset": "elastic_agent.filebeat", + 
"kibana.alert.ancestors": [ + { + "id": "ZxEToH8BK09aFtXZEVNR", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + 
"kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "b437e07a5f89d081884ce89a546c7d1857c481389b3b2acc8792805d180a6cd4", + "kibana.alert.group.id": "34c97599a4f1a2d0a9c03934bf7e00b3894e5188f478db436aa23af09feb5344", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "34c97599a4f1a2d0a9c03934bf7e00b3894e5188f478db436aa23af09feb5344", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.838Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": 
"buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + 
"kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "ZhEToH8BK09aFtXZD1P3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "e2c0a0d7bdb23e8cf9cb37da28fe0eb9ee890e164b8adcb9a774b21d21d4191c", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "ZxEToH8BK09aFtXZEVNR", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "b437e07a5f89d081884ce89a546c7d1857c481389b3b2acc8792805d180a6cd4", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:56.044Z", + "kibana.alert.group.id": "34c97599a4f1a2d0a9c03934bf7e00b3894e5188f478db436aa23af09feb5344", + "kibana.alert.uuid": "34c97599a4f1a2d0a9c03934bf7e00b3894e5188f478db436aa23af09feb5344" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "29f746ebfaf25e59068d3bd11849f531c76c05619c0e5d560501bad163912bc7", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": 
"ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.842Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.372Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZxEToH8BK09aFtXZEVNR", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + 
"risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "29f746ebfaf25e59068d3bd11849f531c76c05619c0e5d560501bad163912bc7", + "kibana.alert.group.id": 
"a0a0cf2900db9a5ad2376e7af94a730fa30e385d04f320c576db3a178559ecfa", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "d677e68795e482d683406cc274621e3908ce80bf47df8505410029ec1aa7e344", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.844Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": 
"elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.723Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aBEToH8BK09aFtXZElOb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": 
[], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "d677e68795e482d683406cc274621e3908ce80bf47df8505410029ec1aa7e344", + "kibana.alert.group.id": "a0a0cf2900db9a5ad2376e7af94a730fa30e385d04f320c576db3a178559ecfa", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "a0a0cf2900db9a5ad2376e7af94a730fa30e385d04f320c576db3a178559ecfa", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.844Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + 
"account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + 
"kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "ZxEToH8BK09aFtXZEVNR", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "29f746ebfaf25e59068d3bd11849f531c76c05619c0e5d560501bad163912bc7", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "aBEToH8BK09aFtXZElOb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "d677e68795e482d683406cc274621e3908ce80bf47df8505410029ec1aa7e344", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:56.372Z", + "kibana.alert.group.id": "a0a0cf2900db9a5ad2376e7af94a730fa30e385d04f320c576db3a178559ecfa", + "kibana.alert.uuid": "a0a0cf2900db9a5ad2376e7af94a730fa30e385d04f320c576db3a178559ecfa" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "efd22ae93ac2d5fc7f91f1d9e52deb1b994263e6b16cf52711cc96df2919fef1", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + 
"kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.847Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.723Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aBEToH8BK09aFtXZElOb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", + "kibana.alert.building_block_type": 
"default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + 
"event.kind": "signal", + "kibana.alert.uuid": "efd22ae93ac2d5fc7f91f1d9e52deb1b994263e6b16cf52711cc96df2919fef1", + "kibana.alert.group.id": "0485ecbf90fd3541db66415655bc13843543fa9c9803501228bf4e9e7a806985", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "3b67e7cba17e54aef89d70346bd47ae5ab73c5e11d0a5cda33b985c3e0c4f373", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.850Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + 
"service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.047Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aREToH8BK09aFtXZE1Pf", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + 
"kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "3b67e7cba17e54aef89d70346bd47ae5ab73c5e11d0a5cda33b985c3e0c4f373", + "kibana.alert.group.id": "0485ecbf90fd3541db66415655bc13843543fa9c9803501228bf4e9e7a806985", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "0485ecbf90fd3541db66415655bc13843543fa9c9803501228bf4e9e7a806985", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.851Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" 
+ }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + 
"kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "aBEToH8BK09aFtXZElOb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "efd22ae93ac2d5fc7f91f1d9e52deb1b994263e6b16cf52711cc96df2919fef1", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "aREToH8BK09aFtXZE1Pf", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "3b67e7cba17e54aef89d70346bd47ae5ab73c5e11d0a5cda33b985c3e0c4f373", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:56.723Z", + "kibana.alert.group.id": "0485ecbf90fd3541db66415655bc13843543fa9c9803501228bf4e9e7a806985", + "kibana.alert.uuid": "0485ecbf90fd3541db66415655bc13843543fa9c9803501228bf4e9e7a806985" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "80be2d338842cc01c46455a140db8dcb142a937eb67cf3ee9c70a34242863781", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": 
"Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.861Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.047Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aREToH8BK09aFtXZE1Pf", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + 
"kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.agent_id_status": 
"verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "80be2d338842cc01c46455a140db8dcb142a937eb67cf3ee9c70a34242863781", + "kibana.alert.group.id": "912d955d2286325b67c10968faa11d706e9d9a3bc2360ec27083039f9b6b41d1", + "kibana.alert.group.index": 0 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "a960b4ce4e3135a66a79bf4bd78910e470330a9470c86cd8b682515975662c6c", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.863Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 
(buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.376Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ahEToH8BK09aFtXZFVMq", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", + "kibana.alert.building_block_type": "default", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + "kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + 
"kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.376Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.376Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "a960b4ce4e3135a66a79bf4bd78910e470330a9470c86cd8b682515975662c6c", + "kibana.alert.group.id": "912d955d2286325b67c10968faa11d706e9d9a3bc2360ec27083039f9b6b41d1", + "kibana.alert.group.index": 1 + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "912d955d2286325b67c10968faa11d706e9d9a3bc2360ec27083039f9b6b41d1", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Event Correlation Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "51d785a9-7d7c-4688-9e64-f7901eef88bb", + "kibana.alert.rule.name": "eql-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.eqlRule", + "kibana.alert.rule.uuid": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:06.865Z", + "agent": { + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + 
}, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 2, + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple eql rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "eql", + "language": "eql", + "index": [ + "events-index-*" + ], + "query": "sequence [any where true] [any where true]", + "filters": [] + }, + "kibana.alert.rule.created_at": "2022-03-19T02:48:04.202Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:05.465Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "eql", + 
"kibana.alert.rule.description": "a simple eql rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "4dd16f77-5dd2-46c8-a1d9-f1d2ffb56456", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "event": { + "kind": "signal" + }, + "kibana.alert.ancestors": [ + { + "id": "aREToH8BK09aFtXZE1Pf", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "80be2d338842cc01c46455a140db8dcb142a937eb67cf3ee9c70a34242863781", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + }, + { + "id": "ahEToH8BK09aFtXZFVMq", + "type": "event", + "index": "events-index-000001", + "depth": 0 + }, + { + "id": "a960b4ce4e3135a66a79bf4bd78910e470330a9470c86cd8b682515975662c6c", + "type": "signal", + "index": "", + "depth": 1, + "rule": "ff7a1d90-a72e-11ec-bc9e-ed906a2c068e" + } + ], + "kibana.alert.reason": "event created low alert eql-rule.", + "kibana.alert.rule.actions": [], + "kibana.alert.original_time": "2022-03-19T02:47:57.047Z", + "kibana.alert.group.id": "912d955d2286325b67c10968faa11d706e9d9a3bc2360ec27083039f9b6b41d1", + "kibana.alert.uuid": "912d955d2286325b67c10968faa11d706e9d9a3bc2360ec27083039f9b6b41d1" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": 
"f0aa867f7a29bb6d655207d9b3db9b4186000bdc816b52f96955b9d0f1778c33", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.524Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.442Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YREToH8BK09aFtXZCVO3", 
+ "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": 
"2022-03-19T02:47:54.442Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.442Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "f0aa867f7a29bb6d655207d9b3db9b4186000bdc816b52f96955b9d0f1778c33" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "5b2dab231cc2ca89a72119919012c131c86f931682081c79c0a9c496264e6628", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.528Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + 
"containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:54.820Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YhEToH8BK09aFtXZC1Mt", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": 
"now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:54.820Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "5b2dab231cc2ca89a72119919012c131c86f931682081c79c0a9c496264e6628" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "33c030b049a1341e8f20e470adcecc30eb73f30457a5e356c9ab4f22e60b7006", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.543Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": 
"gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.150Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "YxEToH8BK09aFtXZDFNv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, 
+ "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.150Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "33c030b049a1341e8f20e470adcecc30eb73f30457a5e356c9ab4f22e60b7006" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "ba93188e82eb3017b92269696dda8fafcc8fc463b07f7cb4ac162a39840520eb", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": 
"2022-03-19T02:48:03.546Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.468Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZBEToH8BK09aFtXZDVNr", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + 
"max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:55.468Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "ba93188e82eb3017b92269696dda8fafcc8fc463b07f7cb4ac162a39840520eb" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "6fbd3dab836cacbaae940d4670fbf6ed7368a78948ae37b8c499d5ecc2c60028", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + 
"kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.549Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:55.722Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZREToH8BK09aFtXZDlOv", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + 
"kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.agent_id_status": "verified", + 
"kibana.alert.original_event.ingested": "2022-03-19T02:47:55.722Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "6fbd3dab836cacbaae940d4670fbf6ed7368a78948ae37b8c499d5ecc2c60028" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "b3524204722372966876fd8639b1afbde984db8df3b57c8f6a3ff0858e436a89", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.552Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + 
}, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.044Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZhEToH8BK09aFtXZD1P3", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + 
"kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.044Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "b3524204722372966876fd8639b1afbde984db8df3b57c8f6a3ff0858e436a89" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "13fc52cad9931eade0fb41b0396c66b7ab23e5d270c6c0691d41154d2070cde5", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.555Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + 
"project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.372Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ZxEToH8BK09aFtXZEVNR", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": 
"2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.372Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "13fc52cad9931eade0fb41b0396c66b7ab23e5d270c6c0691d41154d2070cde5" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "7e3f263e2ed4da3d88381cbe5460680b84e25973a584f17b76adfe2bb2aa703a", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.558Z", + "agent": { + "name": "security-linux-2.example.dev", + "id": 
"87c417dd-08d6-4e24-ad69-285cb8de84e9", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-2", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.195", + "name": "security-linux-2", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:56.723Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aBEToH8BK09aFtXZElOb", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": 
"now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:56.723Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "7e3f263e2ed4da3d88381cbe5460680b84e25973a584f17b76adfe2bb2aa703a" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "146eff6de5bfb6c98e9ffec98e05589c4efe29ce55245f0b2136ba0a699233e7", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + 
"kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.561Z", + "agent": { + "name": "security-linux-3.example.dev", + "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-3", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.196", + "name": "security-linux-3", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": "default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.047Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "aREToH8BK09aFtXZE1Pf", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on 
security-linux-3 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + "kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.047Z", + "kibana.alert.original_event.dataset": 
"elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "146eff6de5bfb6c98e9ffec98e05589c4efe29ce55245f0b2136ba0a699233e7" + } + } +} + +{ + "type": "doc", + "value": { + "_index": ".internal.alerts-security.alerts-default-000001", + "_id": "d7c0195e787bbafe32ae0389b26e1ac73d599f004ba3347bf1f2d76bdcc688a8", + "_score": 1, + "_source": { + "kibana.version": "8.1.0", + "kibana.alert.rule.category": "Custom Query Rule", + "kibana.alert.rule.consumer": "siem", + "kibana.alert.rule.execution.uuid": "f378da0e-6f34-4d37-97eb-a3871b6c4509", + "kibana.alert.rule.name": "query-rule", + "kibana.alert.rule.producer": "siem", + "kibana.alert.rule.rule_type_id": "siem.queryRule", + "kibana.alert.rule.uuid": "fd531ee0-a72e-11ec-bc9e-ed906a2c068e", + "kibana.space_ids": [ + "default" + ], + "kibana.alert.rule.tags": [], + "@timestamp": "2022-03-19T02:48:03.563Z", + "agent": { + "name": "security-linux-1.example.dev", + "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", + "type": "filebeat", + "version": "8.1.0" + }, + "log": { + "file": { + "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" + }, + "offset": 148938 + }, + "cloud": { + "availability_zone": "us-central1-c", + "instance": { + "name": "security-linux-1", + "id": "8995531128842994872" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "g1-small" + }, + "project": { + "id": "elastic-siem" + }, + "account": { + "id": "elastic-siem" + } + }, + "ecs": { + "version": "8.1.0" + }, + "host": { + "hostname": "security-linux-1", + "os": { + "kernel": "4.19.0-18-cloud-amd64", + "codename": "buster", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "10 (buster)", + "platform": "debian" + }, + "containerized": false, + "ip": "11.200.0.194", + "name": "security-linux-1", + "architecture": "x86_64" + }, + "service.name": "filebeat", + "message": "Status message.", + "data_stream": { + "namespace": 
"default", + "type": "logs", + "dataset": "elastic_agent.filebeat" + }, + "event.agent_id_status": "verified", + "event.ingested": "2022-03-19T02:47:57.376Z", + "event.dataset": "elastic_agent.filebeat", + "kibana.alert.ancestors": [ + { + "id": "ahEToH8BK09aFtXZFVMq", + "type": "event", + "index": "events-index-000001", + "depth": 0 + } + ], + "kibana.alert.status": "active", + "kibana.alert.workflow_status": "open", + "kibana.alert.depth": 1, + "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", + "kibana.alert.severity": "low", + "kibana.alert.risk_score": 21, + "kibana.alert.rule.parameters": { + "description": "a simple query rule", + "risk_score": 21, + "severity": "low", + "license": "", + "author": [], + "false_positives": [], + "from": "now-36000s", + "rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "max_signals": 100, + "risk_score_mapping": [], + "severity_mapping": [], + "threat": [], + "to": "now", + "references": [], + "version": 1, + "exceptions_list": [], + "immutable": false, + "type": "query", + "language": "kuery", + "index": [ + "events-index-*" + ], + "query": "*", + "filters": [] + }, + "kibana.alert.rule.actions": [], + "kibana.alert.rule.created_at": "2022-03-19T02:48:01.193Z", + "kibana.alert.rule.created_by": "elastic", + "kibana.alert.rule.enabled": true, + "kibana.alert.rule.interval": "1m", + "kibana.alert.rule.updated_at": "2022-03-19T02:48:02.426Z", + "kibana.alert.rule.updated_by": "elastic", + "kibana.alert.rule.type": "query", + "kibana.alert.rule.description": "a simple query rule", + "kibana.alert.rule.risk_score": 21, + "kibana.alert.rule.severity": "low", + "kibana.alert.rule.license": "", + "kibana.alert.rule.author": [], + "kibana.alert.rule.false_positives": [], + "kibana.alert.rule.from": "now-36000s", + "kibana.alert.rule.rule_id": "83fef54f-2751-419a-844e-ce3e9605000c", + "kibana.alert.rule.max_signals": 100, + "kibana.alert.rule.risk_score_mapping": [], + 
"kibana.alert.rule.severity_mapping": [], + "kibana.alert.rule.threat": [], + "kibana.alert.rule.to": "now", + "kibana.alert.rule.references": [], + "kibana.alert.rule.version": 1, + "kibana.alert.rule.exceptions_list": [], + "kibana.alert.rule.immutable": false, + "kibana.alert.original_time": "2022-03-19T02:47:57.376Z", + "kibana.alert.original_event.agent_id_status": "verified", + "kibana.alert.original_event.ingested": "2022-03-19T02:47:57.376Z", + "kibana.alert.original_event.dataset": "elastic_agent.filebeat", + "event.kind": "signal", + "kibana.alert.uuid": "d7c0195e787bbafe32ae0389b26e1ac73d599f004ba3347bf1f2d76bdcc688a8" + } + } +} + diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/mappings.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/mappings.json new file mode 100644 index 0000000000000..bad3451844843 --- /dev/null +++ b/x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/mappings.json 
@@ -0,0 +1,5250 @@ +{ + "type": "index", + "value": { + "aliases": { + ".alerts-security.alerts-default": { + "is_write_index": true + }, + ".siem-signals-default": { + "is_write_index": false + } + }, + "index": ".internal.alerts-security.alerts-default-000001", + "mappings": { + "dynamic": "false", + "_meta": { + "namespace": "default", + "kibana": { + "version": "8.1.0" + } + }, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "type": "keyword" + } + } + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + 
"domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "availability_zone": { + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + 
"type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "provider": { + "type": "keyword" + }, + "region": { + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "id": { + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "type": "keyword" + }, + "tag": { + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "type": "keyword" + }, + "runtime": { + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + 
"type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + }, + "header_flags": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "op_code": { + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + 
"registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "message": { + "type": "match_only_text" + }, + "stack_trace": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "type": "keyword" + }, + "trigger": { + "type": "nested", + "properties": { + "request_id": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "file": { + "properties": { + "accessed": { + 
"type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + 
"extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + 
"common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "type": "keyword" + }, + "cpu": { + "properties": { + "usage": { + "type": "scaled_float", + "scaling_factor": 1000 + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "hostname": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + 
"type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "method": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "referrer": { + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "type": "wildcard" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "alert": { + "properties": { + "action_group": { + "type": "keyword" + }, + "ancestors": { + "properties": { + "depth": { + "type": "long" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "rule": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "building_block_type": { + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "end": { + "type": "date" + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "index": { + "type": "integer" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "keyword" + }, + "agent_id_status": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "code": { + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "type": "keyword" + }, + "duration": { + "type": "keyword" + }, + "end": { + "type": "date" + }, 
+ "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "type": "keyword" + }, + "module": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "outcome": { + "type": "keyword" + }, + "provider": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + } + }, + "original_time": { + "type": "date" + }, + "reason": { + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "building_block_type": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "consumer": { + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "created_by": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enabled": { + "type": "keyword" + }, + "exceptions_list": { + "type": "object" + }, + "execution": { + "properties": { + "uuid": { + "type": "keyword" + } + } + }, + "false_positives": { + "type": "keyword" + }, + "from": { + "type": "keyword" + }, + "immutable": { + "type": "keyword" + }, + "interval": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "max_signals": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "note": { + "type": "keyword" + }, + "parameters": { + "type": "flattened", + "ignore_above": 4096 + }, + "producer": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "rule_id": { + "type": "keyword" + }, + "rule_name_override": { + "type": "keyword" + }, + "rule_type_id": { + "type": "keyword" + }, + "tags": { + "type": "keyword" + }, + "threat": { + 
"properties": { + "framework": { + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "timeline_id": { + "type": "keyword" + }, + "timeline_title": { + "type": "keyword" + }, + "timestamp_override": { + "type": "keyword" + }, + "to": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + }, + "start": { + "type": "date" + }, + "status": { + "type": "keyword" + }, + "system_status": { + "type": "keyword" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "long" + } + } + }, + "count": { + "type": "long" + }, + "from": { + "type": "date" + }, + "terms": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + } + } + }, + "uuid": { + "type": "keyword" + }, + "workflow_reason": { + "type": "keyword" + }, + "workflow_status": { + "type": "keyword" + }, + "workflow_user": { + "type": "keyword" + } + } + }, + "space_ids": { + "type": "keyword" + }, + "version": { + "type": "version" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "type": "keyword" + } + } + }, + "level": { + "type": "keyword" + }, + "logger": { + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": 
{ + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "function": { + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + } + } + } + } + }, + "message": { + "type": "match_only_text" + }, + "network": { + "properties": { + "application": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "type": "keyword" + }, + "direction": { + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "name": { + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "type": "keyword" + }, + "transport": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "zone": { + "type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": 
{ + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "hostname": { + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "zone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "product": { + "type": "keyword" + }, + "serial_number": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "namespace": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "resource": { + "properties": { + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "build_version": { + "type": "keyword" + }, + "checksum": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "install_scope": { + "type": "keyword" + }, + "installed": { + 
"type": "date" + }, + "license": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + 
"sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "type": "keyword" + }, + "executable": { + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "wildcard" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": 
{ + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "type": "keyword" + }, + "executable": { + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "title": { + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + 
}, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "type": "keyword" + } + } + }, + "title": { + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "type": "keyword" + }, + "hosts": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "type": "keyword" + }, + "category": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "license": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "ruleset": { + "type": "keyword" + }, + "uuid": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": 
"keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "state": { + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "type": "keyword" + }, + "environment": { + "type": "keyword" + }, + "ephemeral_id": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + 
"state": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "signal": { + "properties": { + "ancestors": { + "properties": { + "depth": { + "type": "alias", + "path": "kibana.alert.ancestors.depth" + }, + "id": { + "type": "alias", + "path": "kibana.alert.ancestors.id" + }, + "index": { + "type": "alias", + "path": "kibana.alert.ancestors.index" + }, + "type": { + "type": "alias", + "path": "kibana.alert.ancestors.type" + } + } + }, + "depth": { + "type": "alias", + "path": "kibana.alert.depth" + }, + "group": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.group.id" + }, + "index": { + "type": "alias", + "path": "kibana.alert.group.index" + } + } + }, + "original_event": { + "properties": { + "action": { + "type": "alias", + "path": "kibana.alert.original_event.action" + }, + "category": { + "type": "alias", + "path": "kibana.alert.original_event.category" + }, + "code": { + "type": "alias", + "path": "kibana.alert.original_event.code" + }, + "created": { + "type": "alias", + "path": "kibana.alert.original_event.created" + }, + "dataset": { + "type": "alias", + "path": "kibana.alert.original_event.dataset" + }, + "duration": { + "type": "alias", + "path": "kibana.alert.original_event.duration" + }, + "end": { + "type": "alias", + "path": "kibana.alert.original_event.end" + }, + "hash": { + "type": "alias", + "path": "kibana.alert.original_event.hash" + }, + "id": { + "type": "alias", + "path": "kibana.alert.original_event.id" + }, + "kind": { + "type": "alias", + "path": "kibana.alert.original_event.kind" + }, + "module": { + "type": "alias", + "path": "kibana.alert.original_event.module" + }, + "outcome": { + "type": "alias", + "path": "kibana.alert.original_event.outcome" + }, + "provider": { + "type": "alias", + "path": "kibana.alert.original_event.provider" + }, + "reason": { + "type": 
"alias", + "path": "kibana.alert.original_event.reason" + }, + "risk_score": { + "type": "alias", + "path": "kibana.alert.original_event.risk_score" + }, + "risk_score_norm": { + "type": "alias", + "path": "kibana.alert.original_event.risk_score_norm" + }, + "sequence": { + "type": "alias", + "path": "kibana.alert.original_event.sequence" + }, + "severity": { + "type": "alias", + "path": "kibana.alert.original_event.severity" + }, + "start": { + "type": "alias", + "path": "kibana.alert.original_event.start" + }, + "timezone": { + "type": "alias", + "path": "kibana.alert.original_event.timezone" + }, + "type": { + "type": "alias", + "path": "kibana.alert.original_event.type" + } + } + }, + "original_time": { + "type": "alias", + "path": "kibana.alert.original_time" + }, + "reason": { + "type": "alias", + "path": "kibana.alert.reason" + }, + "rule": { + "properties": { + "author": { + "type": "alias", + "path": "kibana.alert.rule.author" + }, + "building_block_type": { + "type": "alias", + "path": "kibana.alert.building_block_type" + }, + "created_at": { + "type": "alias", + "path": "kibana.alert.rule.created_at" + }, + "created_by": { + "type": "alias", + "path": "kibana.alert.rule.created_by" + }, + "description": { + "type": "alias", + "path": "kibana.alert.rule.description" + }, + "enabled": { + "type": "alias", + "path": "kibana.alert.rule.enabled" + }, + "false_positives": { + "type": "alias", + "path": "kibana.alert.rule.false_positives" + }, + "from": { + "type": "alias", + "path": "kibana.alert.rule.from" + }, + "id": { + "type": "alias", + "path": "kibana.alert.rule.uuid" + }, + "immutable": { + "type": "alias", + "path": "kibana.alert.rule.immutable" + }, + "interval": { + "type": "alias", + "path": "kibana.alert.rule.interval" + }, + "license": { + "type": "alias", + "path": "kibana.alert.rule.license" + }, + "max_signals": { + "type": "alias", + "path": "kibana.alert.rule.max_signals" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.name" 
+ }, + "note": { + "type": "alias", + "path": "kibana.alert.rule.note" + }, + "references": { + "type": "alias", + "path": "kibana.alert.rule.references" + }, + "risk_score": { + "type": "alias", + "path": "kibana.alert.risk_score" + }, + "rule_id": { + "type": "alias", + "path": "kibana.alert.rule.rule_id" + }, + "rule_name_override": { + "type": "alias", + "path": "kibana.alert.rule.rule_name_override" + }, + "severity": { + "type": "alias", + "path": "kibana.alert.severity" + }, + "tags": { + "type": "alias", + "path": "kibana.alert.rule.tags" + }, + "threat": { + "properties": { + "framework": { + "type": "alias", + "path": "kibana.alert.rule.threat.framework" + }, + "tactic": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.rule.threat.tactic.id" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.threat.tactic.name" + }, + "reference": { + "type": "alias", + "path": "kibana.alert.rule.threat.tactic.reference" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.id" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.name" + }, + "reference": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.reference" + }, + "subtechnique": { + "properties": { + "id": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.subtechnique.id" + }, + "name": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.subtechnique.name" + }, + "reference": { + "type": "alias", + "path": "kibana.alert.rule.threat.technique.subtechnique.reference" + } + } + } + } + } + } + }, + "timeline_id": { + "type": "alias", + "path": "kibana.alert.rule.timeline_id" + }, + "timeline_title": { + "type": "alias", + "path": "kibana.alert.rule.timeline_title" + }, + "timestamp_override": { + "type": "alias", + "path": "kibana.alert.rule.timestamp_override" + }, + "to": { + "type": "alias", + "path": "kibana.alert.rule.to" + }, + 
"type": { + "type": "alias", + "path": "kibana.alert.rule.type" + }, + "updated_at": { + "type": "alias", + "path": "kibana.alert.rule.updated_at" + }, + "updated_by": { + "type": "alias", + "path": "kibana.alert.rule.updated_by" + }, + "version": { + "type": "alias", + "path": "kibana.alert.rule.version" + } + } + }, + "status": { + "type": "alias", + "path": "kibana.alert.workflow_status" + }, + "threshold_result": { + "properties": { + "cardinality": { + "properties": { + "field": { + "type": "alias", + "path": "kibana.alert.threshold_result.cardinality.field" + }, + "value": { + "type": "alias", + "path": "kibana.alert.threshold_result.cardinality.value" + } + } + }, + "count": { + "type": "alias", + "path": "kibana.alert.threshold_result.count" + }, + "from": { + "type": "alias", + "path": "kibana.alert.threshold_result.from" + }, + "terms": { + "properties": { + "field": { + "type": "alias", + "path": "kibana.alert.threshold_result.terms.field" + }, + "value": { + "type": "alias", + "path": "kibana.alert.threshold_result.terms.value" + } + } + } + } + } + } + }, + "source": { + "properties": { + "address": { + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "type": "keyword" + }, + "nat": { + 
"properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "tags": { + "type": "keyword" + }, + "threat": { + "properties": { + "enrichments": { + "type": "nested", + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "confidence": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + 
}, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": 
"keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" 
+ }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": 
{ + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "matched": { + "properties": { + "atomic": { + "type": "keyword" + }, + "field": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "index": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "framework": { + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "type": "keyword" + } + } + } + } + }, + "confidence": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "type": "keyword" + }, + "exists": { + "type": "boolean" + 
}, + "signing_id": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "subject_name": { + "type": "keyword" + }, + "team_id": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "drive_letter": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "type": "keyword" + }, + "byte_order": { + "type": "keyword" + }, + "cpu_type": { + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flattened" + }, + "header": { + "properties": { + "abi_version": { + "type": "keyword" + }, + "class": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "type": "keyword" + }, + "os_abi": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "imports": { + "type": "flattened" + }, + "sections": { + "type": "nested", + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "physical_offset": { + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + } + }, + "segments": { + "type": "nested", + "properties": { + "sections": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "shared_libraries": { + "type": "keyword" + }, + "telfhash": { + "type": "keyword" + } + } + }, + "extension": { + "type": "keyword" + }, + "fork_name": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "group": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { 
+ "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + }, + "sha512": { + "type": "keyword" + }, + "ssdeep": { + "type": "keyword" + } + } + }, + "inode": { + "type": "keyword" + }, + "mime_type": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "type": "keyword" + }, + "owner": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "type": "keyword" + }, + "company": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "file_version": { + "type": "keyword" + }, + "imphash": { + "type": "keyword" + }, + "original_file_name": { + "type": "keyword" + }, + "product": { + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": 
"keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "postal_code": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "port": { + "type": "long" + }, + "provider": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "type": "keyword" + }, + "strings": { + "type": "wildcard" + }, + "type": { + "type": "keyword" + } + } + }, + "hive": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "value": { + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + 
"subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platforms": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "subtechnique": { + "properties": { + 
"id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "type": "keyword" + }, + "certificate_chain": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + } + } + }, + "issuer": { + "type": "keyword" + }, + "ja3": { + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "type": "keyword" + }, + "subject": { + "type": "keyword" + }, + "supported_ciphers": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + 
} + } + }, + "curve": { + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "type": "keyword" + }, + "certificate_chain": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "sha256": { + "type": "keyword" + } + } + }, + "issuer": { + "type": "keyword" + }, + "ja3s": { + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "type": "keyword" + }, + "public_key_curve": { + "type": "keyword" + }, + "public_key_exponent": { + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "type": "keyword" + }, + "signature_algorithm": { + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "type": "keyword" + }, + "country": { + "type": "keyword" + }, + "distinguished_name": { + "type": "keyword" + }, + "locality": { + "type": "keyword" + }, + "organization": { + "type": "keyword" + }, + "organizational_unit": { + "type": "keyword" + }, + "state_or_province": { + "type": "keyword" + } + } + }, + "version_number": { + "type": "keyword" + } + } + } + } + }, + "version": { + "type": "keyword" + }, + "version_protocol": { + "type": "keyword" + } + } + }, + 
"trace": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "type": "keyword" + }, + "extension": { + "type": "keyword" + }, + "fragment": { + "type": "keyword" + }, + "full": { + "type": "wildcard" + }, + "original": { + "type": "wildcard" + }, + "password": { + "type": "keyword" + }, + "path": { + "type": "wildcard" + }, + "port": { + "type": "long" + }, + "query": { + "type": "keyword" + }, + "registered_domain": { + "type": "keyword" + }, + "scheme": { + "type": "keyword" + }, + "subdomain": { + "type": "keyword" + }, + "top_level_domain": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + }, + "domain": { + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": 
"keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "type": "keyword" + }, + "email": { + "type": "keyword" + }, + "full_name": { + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "hash": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "roles": { + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "name": { + "type": "keyword" + }, + "original": { + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "type": "keyword" + }, + "full": { + "type": "keyword" + }, + "kernel": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "version": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "type": "keyword" + }, + "classification": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "enumeration": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "reference": { + "type": "keyword" + }, + "report_id": { + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + } + } + }, + "settings": { + "index": { + "lifecycle": { + "name": ".alerts-ilm-policy", + "rollover_alias": ".alerts-security.alerts-default" + }, + "routing": { + "allocation": { + "include": { + 
"_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { + "limit": "1700" + } + }, + "hidden": "true", + "number_of_shards": "1", + "provided_name": ".internal.alerts-security.alerts-default-000001", + "creation_date": "1647658083872", + "number_of_replicas": "1", + "uuid": "XFfR3HCGQN2d_ccuzoU0kQ", + "version": { + "created": "8010099" + } + } + } + } +} \ No newline at end of file From f67e789dc3a9ba961e70045728e285da85115db8 Mon Sep 17 00:00:00 2001 
From: Madison Caldwell Date: Mon, 11 Apr 2022 15:30:55 -0400 Subject: [PATCH 2/2] Compress fixtures --- .../security_solution/alerts/7.16.0/data.json | 3590 -------- .../alerts/7.16.0/data.json.gz | Bin 0 -> 4755 bytes .../alerts/7.16.0/mappings.json | 5819 ------------ .../alerts/7.16.0/mappings.json.gz | Bin 0 -> 9745 bytes .../security_solution/alerts/7.17.0/data.json | 3636 -------- .../alerts/7.17.0/data.json.gz | Bin 0 -> 4744 bytes .../alerts/7.17.0/mappings.json | 5825 ------------ .../alerts/7.17.0/mappings.json.gz | Bin 0 -> 9846 bytes .../security_solution/alerts/8.0.0/data.json | 8127 ---------------- .../alerts/8.0.0/data.json.gz | Bin 0 -> 9231 bytes .../alerts/8.0.0/mappings.json | 5243 ----------- .../alerts/8.0.0/mappings.json.gz | Bin 0 -> 9711 bytes .../security_solution/alerts/8.1.0/data.json | 8186 ----------------- .../alerts/8.1.0/data.json.gz | Bin 0 -> 9500 bytes .../alerts/8.1.0/mappings.json | 5250 ----------- .../alerts/8.1.0/mappings.json.gz | Bin 0 -> 9739 bytes 16 files changed, 45676 deletions(-) delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/mappings.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/mappings.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json create mode 100644 
x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/data.json.gz delete mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/mappings.json create mode 100644 x-pack/test/functional/es_archives/security_solution/alerts/8.1.0/mappings.json.gz diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json deleted file mode 100644 index 9f15ea353570e..0000000000000 --- a/x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json +++ /dev/null 
@@ -1,3590 +0,0 @@ -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "0bb0c0d5488d757907f6be6e4c27ff698666948e2cf01d53e8fa43958b36c6a8", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:32.045Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.493Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "M2yvt38BIyEvspK01XQt", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "P2yvt38BIyEvspK05HSe", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - 
"ancestors": [ - { - "id": "P2yvt38BIyEvspK05HSe", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "P2yvt38BIyEvspK05HSe", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:32.045Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:32.045Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "0dd11069ba6c63ec60ac902d6fb0a8a52c4f5ab20f03babe7b861c6d34431bad", - "source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": 
"06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.654Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.495Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "NWyvt38BIyEvspK013R3", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "Pmyvt38BIyEvspK043Ri", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "Pmyvt38BIyEvspK043Ri", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": 
"threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-3 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "Pmyvt38BIyEvspK043Ri", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.654Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.654Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "999fef09ceb58f30dcbbe2a5fd410f8a22dda6179fa5f1041c7a759a31932ef9", - "source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": 
"us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.330Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.496Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "NGyvt38BIyEvspK01nQn", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "PWyvt38BIyEvspK04XTd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "PWyvt38BIyEvspK04XTd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - 
"severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-2 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "PWyvt38BIyEvspK04XTd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.330Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.330Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "f75bc411e6b0c30c26aa310c1e65ff8430cc0a98ddf74c335941dd7456858e85", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, 
- "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.001Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.497Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "M2yvt38BIyEvspK01XQt", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "PGyvt38BIyEvspK04HSX", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "PGyvt38BIyEvspK04HSX", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - 
"threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "PGyvt38BIyEvspK04HSX", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.001Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.001Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "b46b35ce011486304a3a1e1b1dc2b772e2b80684a3a8663e9cd101691cff7429", - "source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, 
- "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.665Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.498Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "NWyvt38BIyEvspK013R3", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "O2yvt38BIyEvspK033RN", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "O2yvt38BIyEvspK033RN", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - 
"entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-3 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "O2yvt38BIyEvspK033RN", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:30.665Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.665Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "570caf7637457b9721fd46ec22166adb57916298bf68ef31df07bd0bbac95d7c", - "source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.353Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": 
"filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.499Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "NGyvt38BIyEvspK01nQn", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "Omyvt38BIyEvspK03nQB", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "Omyvt38BIyEvspK03nQB", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-2 created low alert 
threat-match-rule.", - "depth": 1, - "parent": { - "id": "Omyvt38BIyEvspK03nQB", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:30.353Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.353Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "0c7bfb7198c9db281b639b1044c74db2b881e3152ee863e6c9304a6fb5d0e5bb", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.031Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.501Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": 
"security-linux-1", - "field": "host.name", - "id": "M2yvt38BIyEvspK01XQt", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "OWyvt38BIyEvspK03HTF", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "OWyvt38BIyEvspK03HTF", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "OWyvt38BIyEvspK03HTF", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:30.031Z", - "original_event": { - "agent_id_status": "verified", - "ingested": 
"2022-03-23T16:50:30.031Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "ae1c6e5c7680cdc986ff52b1913e93ba2a010ea207364d4782550adf180e49ee", - "source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.715Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.502Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "NWyvt38BIyEvspK013R3", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "OGyvt38BIyEvspK023SI", - "type": 
"event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "OGyvt38BIyEvspK023SI", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-3 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "OGyvt38BIyEvspK023SI", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:29.715Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.715Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "a73fda6bdb25425c8597f63e2b87b662798ad46f195c47ac4243d9d0b9705dd8", - "source": { - "agent": { - 
"name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.387Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.503Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "NGyvt38BIyEvspK01nQn", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "N2yvt38BIyEvspK02nRK", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "N2yvt38BIyEvspK02nRK", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - 
"actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-2 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "N2yvt38BIyEvspK02nRK", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:29.387Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.387Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "77038fe81327ce7b578e69896fdd1869fab16d13633b5fb0cb7743bae9120ca5", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 
148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:28.994Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:51.504Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "M2yvt38BIyEvspK01XQt", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "Nmyvt38BIyEvspK02HTJ", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "Nmyvt38BIyEvspK02HTJ", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "62f9a8c0-aac9-11ec-aa31-c9ea2cb79db7", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:47.264Z", - "updated_at": "2022-03-23T16:50:48.396Z", - "description": "a 
simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "bef9b0da-8c2f-4b82-930f-37ffa1b57fc1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "Nmyvt38BIyEvspK02HTJ", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:28.994Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:28.994Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "21d26a1ad7b01b28667638d5f8db96f6e94957394efe7a16057948095a445ac4", - "source": { - "@timestamp": "2022-03-23T16:50:48.441Z", - "host.name": "security-linux-1", - "event": { - "kind": "signal" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "8e75aa13-6b35-5d96-b52b-1d62909a9d75", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "8e75aa13-6b35-5d96-b52b-1d62909a9d75", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "60b8b970-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": 
"threshold-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:44.260Z", - "updated_at": "2022-03-23T16:50:45.341Z", - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "b97ae2a4-f188-43b2-b082-69667b563152", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "reason": "event created low alert threshold-rule.", - "depth": 1, - "parent": { - "id": "8e75aa13-6b35-5d96-b52b-1d62909a9d75", - "type": "event", - "index": "events-index-*", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:32.045Z", - "threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-1" - } - ], - "count": 4, - "from": "2022-03-23T06:50:48.395Z" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "4c2a3865ca7df72e4cc17b5114feb2535b2459fd52f6fbd0669d4884f5956dc2", - "source": { - "@timestamp": "2022-03-23T16:50:48.442Z", - "host.name": "security-linux-2", - "event": { - "kind": "signal" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "9c957c24-8ce5-516b-ba8e-44b582da6579", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "9c957c24-8ce5-516b-ba8e-44b582da6579", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "60b8b970-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - 
"interval": "1m", - "name": "threshold-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:44.260Z", - "updated_at": "2022-03-23T16:50:45.341Z", - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "b97ae2a4-f188-43b2-b082-69667b563152", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "reason": "event created low alert threshold-rule.", - "depth": 1, - "parent": { - "id": "9c957c24-8ce5-516b-ba8e-44b582da6579", - "type": "event", - "index": "events-index-*", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.330Z", - "threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-2" - } - ], - "count": 3, - "from": "2022-03-23T06:50:48.395Z" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "3754896311b1d9f9dee45ecf06aa5160f8cd3d4504ef5c856ba285edd61d059d", - "source": { - "@timestamp": "2022-03-23T16:50:48.442Z", - "host.name": "security-linux-3", - "event": { - "kind": "signal" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "326cc81c-b55f-5b69-8222-e930bcb24692", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "326cc81c-b55f-5b69-8222-e930bcb24692", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": 
"60b8b970-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "threshold-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:44.260Z", - "updated_at": "2022-03-23T16:50:45.341Z", - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "b97ae2a4-f188-43b2-b082-69667b563152", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "reason": "event created low alert threshold-rule.", - "depth": 1, - "parent": { - "id": "326cc81c-b55f-5b69-8222-e930bcb24692", - "type": "event", - "index": "events-index-*", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.654Z", - "threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-3" - } - ], - "count": 3, - "from": "2022-03-23T06:50:48.395Z" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "5cddda6852c5f8b6c32d4bfa5e876aa51884e0c7a2d4faaababf91ec9cb68de7", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - 
"service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:28.994Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.440Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "Nmyvt38BIyEvspK02HTJ", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "Nmyvt38BIyEvspK02HTJ", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - 
"immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "Nmyvt38BIyEvspK02HTJ", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:28.994Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:28.994Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "5050902fa762858249c32b1d228dd71ca9217ace612b65f9669fb3a5f371ab63", - "source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.387Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.477Z", - 
"data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "N2yvt38BIyEvspK02nRK", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "N2yvt38BIyEvspK02nRK", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-2 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "N2yvt38BIyEvspK02nRK", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:29.387Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.387Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "525833fe5aa3cabce849adf9291b4d4009c25edbe528d5d2add1dc749c00513b", - "source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - 
"type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.715Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.499Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "OGyvt38BIyEvspK023SI", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "OGyvt38BIyEvspK023SI", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - 
"license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-3 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "OGyvt38BIyEvspK023SI", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:29.715Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:29.715Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "4f9c5a7581544f9dc1fa4c9f541c7e7573d7460ddeeda1875bee081e6615035b", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - 
"ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.031Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.510Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "OWyvt38BIyEvspK03HTF", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "OWyvt38BIyEvspK03HTF", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "OWyvt38BIyEvspK03HTF", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:30.031Z", - "original_event": { - "agent_id_status": "verified", - "ingested": 
"2022-03-23T16:50:30.031Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "d791d45b87a37e3b8a8388d7d6237728aa14ab6ec81bfa84f96457bd42b39e4a", - "source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.353Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.533Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "Omyvt38BIyEvspK03nQB", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "Omyvt38BIyEvspK03nQB", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": 
"5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-2 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "Omyvt38BIyEvspK03nQB", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:30.353Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.353Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "747a4cfd4dbc1dd3924b341b0d3d94098252579354bf140e1621cb4b8681e911", - "source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - 
"id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.665Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.547Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "O2yvt38BIyEvspK033RN", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "O2yvt38BIyEvspK033RN", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - 
], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-3 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "O2yvt38BIyEvspK033RN", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:30.665Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:30.665Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "5a217bc36610a820dbbb20f7b189065d631038a9dbb33bde1511f0f6a63183d2", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.001Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.561Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - 
"signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "PGyvt38BIyEvspK04HSX", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "PGyvt38BIyEvspK04HSX", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "PGyvt38BIyEvspK04HSX", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.001Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.001Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "fde1f09c4420ce5747f04ca051bcdc90762394ea019a7cc2cfee8de3bd575a59", - "source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.330Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.593Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "PWyvt38BIyEvspK04XTd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "PWyvt38BIyEvspK04XTd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - 
"false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-2 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "PWyvt38BIyEvspK04XTd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.330Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.330Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "337f39b1fb862a4c6910605b16e6b5b59623219e99dcb7d442cd334229ad3a7e", - "source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - 
}, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.654Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.606Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "Pmyvt38BIyEvspK043Ri", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "Pmyvt38BIyEvspK043Ri", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-3 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "Pmyvt38BIyEvspK043Ri", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:31.654Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:31.654Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": 
"doc", - "value": { - "index": ".siem-signals-default-000001-7.16.0", - "id": "44f8d6e34631ced611f6588e7f0cdf52ac5647eff09cfbd36a38ad2a7d4bf32f", - "source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.16.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.16.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:32.045Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-23T16:50:40.624Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "P2yvt38BIyEvspK05HSe", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "P2yvt38BIyEvspK05HSe", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "5b7cd9a0-aac9-11ec-bb53-fd375b7a173a", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - 
"enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-23T16:50:34.234Z", - "updated_at": "2022-03-23T16:50:36.214Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "1fcc46ae-7e1e-4002-a4e1-e456029cb7ec", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "P2yvt38BIyEvspK05HSe", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-23T16:50:32.045Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-23T16:50:32.045Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - 
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json.gz b/x-pack/test/functional/es_archives/security_solution/alerts/7.16.0/data.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..11557b383024833f7989c1b59a378409110131de GIT binary patch literal 4755 zcma);XHZj%+J%EOX-4UxS1AJ0LkS>7x*)v-MT&Gn5=to26%axZ6s3f!^ngf7Aan(! z3DR2-l_p3K5D*l&aOa$vZ{|Dq&i%jlUh93EcDu9UW%?xvNuvla!ag9}KXG zf%3S*+Ua(a5#W!VD)AAP07*A1(pDt>p)Up?^lP#;YwUF5*aqZ-aEek*A=o9t19IY(i z!fa2&FK-czPk6m5U*^F+;b148EA4eqKjB;#fMb2dxXV8{l^kO!53Z}=tXxza=sWV4 z!3=`)X(5;L2fur9^r$;b0exPqSutxdTHj_f=qw9()csA*DK~|cQcDK5(7;)xltslk z*ldU5&aCWnzH2>IY&I1>b0BbUQ8o21IUO21OKhCIB@sonms zXJGGLai63_ugkQt?;5{&US&DbSJwrCAC5zP z(OE%m>>FnPk0d_uV8yp4D8r6~{XCcKpEUI6^<0=7`+S93B+#~sm#y*x&ov_+>HBO+ zR#UV2T}Ymi5w*Drc``~NFd4_3dSqrs zWE`@~8Hp)ulBuq6`|*NLUf0tjTYEcg6XBHU=~+E?G%Hc*ts#cUqN;DdP#q>!hva+C z6q%*C8fx*uZsx!sSI7dIbD*uSeH)7#Eo4q$ec0Cf#XF^~#1+kc>b-k3YT!%kgN59+ zmQ0S%T`?7FvAk2&W%%iPXm1Ki`(s#7w?viox5N9(gbLo`X4eN{Ly=V?<#5b}&U+$C zJaV`ERLuhUllx^~*lF}vRio#02eAb1MBpn`bsytUHOEMY%w_D#+Xu=BUiWW3$i|cQ zT7evbFK4~Thbp#LOn(js27;CctBAdes$l^Hp~<9~cbkEI6Ahjimhdqs}H~0Lp*N<$rbdO3(pIhOip64)|LD?ch zWPYCV{x6zT1?}sS;r~!81!C;zOuQ7E35K~m)><+>=aX+ z^=t^A8o1?Q)wF}?betV#Fdd6nS?S**2-!8*)>QIm`<0A!vWgFnAG|b9d3-OD8@5v& zHvYovV^eSZGpI@RWFVhn@x)8Z?c&XZ~cEY^CJ}2AsYT!C)LdAL-)q?HqtACJv+i9-s@O5qD`X8RZXk<) zTG_ni_LU^YrF@8y-Ua5^+x)4g85qXM8MN|be?W{Q?l~%ay*=05ZewbkdQwqrEHbvF zK-E*I__O*q>EVn(~`gny03(gK)TQ* zCfK{g)*Idvf!s$sdk2yKti*G+<`eh}mG-aBn8r%5U#cG&O%l-kPKmG&>5V3kp~y*% z*P6WZ$xxixEwN2G!2pzZ@}9px7{Z#1AxC}fAd)`Aetx-sFdOfW14n*?gO7q1L)veV z6up5A#eO0n>B_fwXkIvgL^Y4Kqn`Jbzd*8vUYKXVLr>hMj!bV6X7(C^Q!TLFrZq)d0-s51`UlV=E$qX-k3 zfHNkU8Yn^2Vd8!_$p;TTc!3ZiO?vKMmOOQsmo$WN8-2NHyCjO#dCEc6WZB_jDZ!%b zTEC-ixFWio?X)HQRSUr~PP#}NQqn<;B5((U`BCu?*JB^lEyF~fyC?Sc9p{syGCGKS z!#{t`V`GJ8Hc%R_9aWdU!b0}R&d+h~reK&2LBAfE?iK}wJRK%z z=83^^am>^tYqlGCo_X_|OFPCNZ4>H(+jB0Es6tBgR$-CrdZ&*o9w5c>#8e&s(Ruw!c8HmFEdPbQ>U=NDVV5 ziqw}~1@(F6;dEXYM 
zF$|~;9=VivM3o_)qUHP~0>6lFJ)`$>`dxlnsAfZVf{cir_-n(@H)KTkMKxpL&3}w@ z6Eee?@eQe+X9+Olq1uV$s7gA%VR=(h5Hh5s&nNT@NXsDtxd=;hZvr-@Fr&kqA#gr`i^F z1Wa%GyqBXqThV60+5f@CkP_eJ97&XF1H_`Jmofh=KRpUO=Ta6=J|R$@R)3A~$^Cz5 zOb8qo?b0KIhqj+DuMPn=CeVt^H~1wXu_kv;5r{E)AOH) z6m|p|Ypqq~Bu%QhaXlskW~=E8Xt1F&7|mE>yPoQ^xh7r^zlg0*Sa1;zkY}Y!EiV|~ z@h}@zNH_D2>7h_2|8#Cd#;SveTsbqPq7>qu?`}A*wAt;y2&4a-$wH0R-S$)MGb7Uf zanXMnVIoaxxN$uq?EPg#aGJ^K_4cTM&tpa{+6qW&KUA{lVz#GLxm(|sVJzhrbGb+I zU^L=uklqLxsd1I-nSip((81n3Y3sKMv$p$K>uT5PcE=VQ zZ?UlDwuUzYb13N)e=8&V?VFv+)MN2mA#ev}2bYM6J;nANg{!V; zTUE>#H;B|&yYTYn2}wl4{dm`6t6=Z4eyBg!y4XwVypW)FKIhoHvX9UJItO#Ve7h1^ zJ$kDcRl)G5Lei^nWEguLyTs?G&@OyRUWRDVp8mznEOQCu&?A)U)GxaG;vogbt$Q6J zf)))%I}2B=McGDA-gdE0mfeBazH<+!jy;lx6rBZu0qMm{KYwPKzz^rOd@_fsOQEY|S~F&+3ea z+Ew{1G)pG0k-3V$AIAuv+1MVkDBAP4V)Q(H5PRUayq?92QBJWxVGhumiC zu(4QuOublHKIg{E0Q6uu)A9qIU?VJK&vl}x0l<1NvO4(QT2cTn4X^{emiGy~_NI&* zoPKT4?x-E5#IX{vM6U`GdOmJ+HSK`^B~!B@*>#GS@XHtcbq{IAkE?YYd2Pc0qJy9B3s`x=*(S__>j(X=i`QNa|GjsWQg8P?Z z!qwF{AtP4WdR^ogH&ZeoT>Eu>3T^ZgGl~#zNli2RDtX3vy2LA1x}``%EbxU3ml^X_ zE7A3>Lmu06;(%a25eT4HJ7YZ7e=(jtVuCjgK`~r`~M$pV=)zSNCAIS!P9fz`)_|YnkZ93(%k=1 zcxExWnnQ(=XHEW0ILaJU-l$|RoZw{Qfu{Jvn#3o8bD-0rnbh>opHFZ{E18N3>TsGS z&nw^k2VDsz)o=)38UT{!dQSTzF5`dC8GUp4W`XhT?=fubdY#W`Wd&9RMS2jOt_jN` z^hJA?>=kGc-B33{;q9|A39$iqJoM!|$OFlQ*p?nsn@BZ9p|7aMqJS5>06-zoWZ(8u m&8LQ8jkD(dhoqSxBR1N4o#d@b!{pOW0;h5*i7)t7c=~{Q$CEB?}Ue`H`z}#Kcs~nEXJHQJl5j<>u(p#*WS9GcDQF`HYNP||1r|w zfuW|GJ^wJr6=L}L`o-TL=^k*)ZhxjBB){8@q^=f^;UCHGX-^J>Pq6aa4_IID+fUk8 z&%di0@mEB9T%a92iN@c)e*fP^v%jC9fB!x2_ZfFb+~6M71yK&m1j`8NmS7|@d`aRc zgw7p?C-lBG0?>L={XN?#x62ybCGFVka1TMPX?u7E$4mPIYRO-SX$EcDaGDh`L*csF zl8*-k}a8V>CnK}51xWux1TuYP7=55|R1*2IxzqN?igpqe26 zn`E&}P3YwJ+T}U}xm>ae1o9V#rE7y}!lhrrGi1;*mJKbJvTSQu&J$sHNzcH6%UZTH zFKzKrEpPpEFPq_JaqZri@@+XVwTd=~1mfX0qz;&_*$X9MZ$${+X|;1o+A`8|22+%@ zN(~|5EQ~Gd-wHC&l=CowNHz;KEkO=?AkQ7Y^GgQ zXAH^Sflw9yqHP4?PA3bwRb6Lb__yG%8&pQpsZ@u)@kCJ$4jiC@_(X~JICBKaq9(VheA{eE87{7cvlnjr}cL@D#+aTvZ1x20O~nf7HS%Kj+76jN>Zf 
zdcN4`I@Kvv1`Hi9xH01L5B@*JC&ss9a3-i zn>pn26|TX(MdglwS6{U4(sQAjgra5K3>9Li7+8-{=2(ajTOr3nhg`9h`+kEF zsz;0}+!y;A9pVI1M2hjEoz55KpVptFh+kQkSS8(FPPV0Nybs|~K;DS()GfRd5kPE@ z9rbvi^@*>H`y7|Nn~t^vj>iLRBjel&83hkqItdy8pb0+) zEy;idSrPYMz7(vtjQCs*>72_@Qd)dl(Xx=q6$fn-z@!eD)6J%IgBjh8*QDICC)c!J zrB1-`AL%NxI2NQTB3_>;5yJ=CtBec*h{fV4Wsi~Jj>bHhrm7Q%An>~ZS7Wcu5NID= zg4;WXtTR_XD$6JB0h=!Cm}ljM!1Lfqj(edI4UtZc z9`CtUr?~>{pBfonilL-x=kSHxzNW}<3F*C~LWmc4_BP-@N7EdbdFa3;gq|?)K(y$E zAvjdf%yodc)<;sJZU~M2N|tlCMI3Xrin!Q<;&zeTB?bh`ouum)zlxh2#v@^0^V1u*xU%bYa_H$gwFwhP zJ7S1=nBfZ^qz$>q;vxau-*JIpae;EWnrHz>?VyJGpK>>BY8B9d|CVe53c!fs0!i|I z6i@BK)JYS9-wjxr#*N*!lL=0FFxYTKe*WsBGiP+%H=EeZw9^IH-PyS=uw&8nC%kK; z0n#1c22!HBp!>brvYrsrK>o6tCHIxE9j--sHu9nB)3+=zxsUcj#KU~9W_SZWG<h&`m+BQ<}z`7-a+9yzK%}>L<%YDeA|o2oV4XcDh(kLPq5I9O(XKtwpUdQ&VJP{$V6|xT7@=nQ z>Q}z{m9Kt1>ea8?s0y`8=@6H}P=COz$c!;!#786zKs6KFch#ggtp|jq@$UyHv%CSEs62#s?h^U2jd3$AnLrOtv5K!EfEyIiq#=#{QD5xLrSsK-BA2%F-{#j? zS0lDpr_q`r3?szpFQ0`a94%1TiI>NVuIx-VAIw3qxpt=Gp_glCs-LOmE7#8S4kOpj zG!xFXGq=td9;0^VkufJ1c8_IEk~PQaj#gSdF0sxm?C<)>(^=)$5VnO zBupypmYtFXTRG!2Lvq@RX-fhTzG3?PvRDlqK2#I*sS4I5jL~}`JJjALwlvH>RwtG> zUUO|rE|*ee-AkJeWSa_i%8S$22A4UT7KxT+p6_2zmuu=TS8QJ<0#0n-PAOjth$xaF zf@scHtil131e`Dd%+w1c`FqcY3bfKJ0N;YutSc}BgQ`^2d;d1+e08Ox90sBq%pBpD zGZ{BoNniHKFSsiqM^R3D{Cb2Yh`7PhW`y^Q>`ccAoW5L@UvL*XZs7FwtvsW<5ORX2 zE}Z2TnV{hW3b38}LnVnMKW}e9xgNTj0$qMVNg__LwB@|~0y~p&f~GIJ0wu-#qP!Avgr}`l<{RFb zkQ+Qr5j4-(Bo#M>2#z@RhwVye1Nz!6v;a!mm4qfH#S*<1x$M>o3CN>YK+rK`C2bQE zUPGUs@F2@o0?|t!cKYkcj*F7vjswvS=G?i{#@LOduEbrwT}?%u?I8O^qEk^?qbe3C z00Wc=KM+_2Y!~3vm;u{4o)+e`qxT~FNWoD(M7uhK-Y;QYdUt{(T|Y%f2O<&|T6xq~ zK)a>l2C=6B#JdTX=-N$dZJLpZc@Bi=y?-}YVa&x7BzH@(bO@c4RiXVLI(P2`sz&W$ z)L#X^7u28%t`KbUuHCzVI-9#5jn&-ZegH0tIWi$7j<7rX{tQenuj1uvecXF$i7ZVX8s?-g0`gUWN zZ9#thPS<+y69D}LOe4_xg)bjq5+ntK8WIk;UP-ZqewCY(;D4tM4+8jB{~fq=ad~XX zpJwj3>D7A~#3L@?EB41-!`C6$E@Q(uhH+=RE+=gEYg4wjTA#9|+ayh3Y$odC2#t$Y zd<;`2DO)bycmp%9XxpK=tn7H>vs~_SkcJlU_bd6n9|==VK@rlBJ|nRb94UoTqboe- z7v)Dmj#~zlpmyy}wzbjqr_uO2wVGw$^ 
zyX_ckH0!{FFzDHG6zTbANI%4kgfqC|NWsmtDGS^c@I9ut80MgNpmFR#q`@_51DeS{ zQdkF#5f&^w;D(4BKvm9YFQDia;u0q)&H+|qSA`9*`aob6uwVgJ9|*VsQ&(d30m*gG z!AaZhMRVz04N39TF1pp=TUZ;_sdpVH^Xy&tcESHY*7wzeLwzOUY7G(O8#!NZNB-pl z{0*PBAnYh-uS^>6f2%DACh0gq3lk!^K;|AU$ncb5Ca+H1LBX+(2TFChA6qEjL#ow& zxjeOQ6+#80O~s;bkqmFclIh5A%sK8$0!XQr#gFY`;N0_$JQX3hDypuliMbZ5w9mqDigrL_3(fDX)=g>3Np2!F2N+7Fee1nxPb5-J8mDmS}T$R|;SI+^QnVC(#u z$+X?EPjhr_lQW6eFm!6=HALv%0k!0>c!3mLr>A4D9^GbFXq>~-X_lGu60^pfUqI8miMXO*3A@XwYR)CF0eh$HlT%l zHlbAnD=9)XL3x$SxrE`8jmioV0Rk&Uv4glG@)4IW!x(1)z=Z`ucuj=&t`?bSBdLIA zipmNFS8C$YFl=wt=QQ6o7le6@`T|l2sal@{Du6+Q`~?y+M?gk2P$Xr*PQ16IO^4bz zVpnXwBrbYI}MTMtA5IPyf zWJbWRWKf21&yegWtueAJyCv|5icN{4i|uXzri9uhQ4J61C6c^J9-mA7^ZQ$_BZiGtV1tu<1 zyNN(Osa_ZmEL9L)xA;|Dmoc)_eT^8yt*UsMs@Ee%z)P}F%+y z+ZIa^N_j9?UEn{G?_oBZ*vz!E%B1JsIiF3t>Li~q%2WfSJH8F1%O zvCv9)Jp$6Bhqf!!`y(2*mOzZJ+lVPd@GCC0rHg+l^S~?7UiNe_UTPMU(ag|PKhjwD zj_6w|!ry=VBNgc%-*h5nVA4Z{vFh52XVOkfKgWzbcl{h8G$aC89J?{TLV)5*yxU#kq9n&f$o{eP|WU{xPV~yO=K*fJ7a`tW5T1_mFHCZHXJ*MRDO6+((hYSh$mBh}146hy?6f znspACTOkUdn@P5?%^q*(Zkk~>y&~Dz_BDx*W|XoYllv(hGJ`uR9WX2R)C`{9{AQwM z?W&s5i#i=f*Ht=b2Bw$}Sn~I&`Npj*3GDKkjbJ4ocCq~ec4pbmmSY=SVKbWRH@4X= z=82HWMK&W7brV=r6HWun-i5XSj0P9b4B`4!v|UbW?QWZ4Tt5?*t~VEIUYN1L9XG?{ zi&a{%=Na8!=syWj(}luEtKJkN3A9_?*6oV4A6%9PPbl1O5!};R*Wp zBAiV1cD8@j6qdij(l*OmVd-1QS78Cb@>E#b*78$W7_hvQDm+#r7dZrltECs04({$j zC-VUE&LX9cPR{XAlF$CI+CrVZ+lkT0F27O$wN@r^Sfe&_$fusuC)M8{)BlLFMFU$* z44D5%6RTw0w7P=G^2@N7Bv{XvL841xde2-c_HraAZ`=hW#5;;YCtA|H6RO8RQ)jVN zYqShC2Y0IO?wI#^5oNyO=>y|Ldnm9*_Bftg(>m9*RzrK3DzU4wPbdcm4p2dSqD0Lx5gIAY>2-*bB^b6oSolNKU>$mx zEU8$8ut$^|hH)2>8lzoN;}fo94pC>bF|A}RL@St9P!(|H?=YvFra+;njTMApe};$) z#e5xlI%+wdjn)UQGT9F{2V^BU*%D%LY;jDxuohQ}bxAr}< zFwcSpKHME~gL|&qM6!TBU=2^0kS3+$HcHVtiOwR+Se!}Ic)>rNynq$To%1#*?>af{x@#-^>a|COpZC5FT>?n%e9^jh^{)H3 z3?H~U2KJ(psXavX`G2>{5y>8%X6_pA%C+N_X+KMsNM)-D0Q~xQbn0M@wChmhP%~G= zvcEnf;?wk*OxA&{#@@=jZO_PX>v6~~icAVN`$Ej4b?UI8m2W3 zik5{8BLjjuRp>@mQhNc?s!z_6PQ;-MnBDn@(cqbn^<;Pv<%!LgSoSqVmY${ePK#Du 
z+k0)#1O9W=1kKF4bhuy0PnDi9BO_0DW6{x5vo*ozdVDJd_!-41N#Rm?sNT4OM@qR? z#I9bpz^zD)QYp8+7LX|j-h9hqeJ1iOy5HGh#1%Zf<*cDu^!UiHS$n#|gjAuHtCSR7 zP_pG%6_d9cNnMFcI=h;dFHV&~UDS(0=?@DSXeUqADrL}3+=lLYI>$0at5ig~JM4HAeb6O(aDaa<4fVMGVN zW7h}dukW)#uV)F-?}B%64cK)^&DD*iZ_TPVu6uSPEBvn}t|xi6PF-&-_WHDA(V6 z;@NOIpc9utJY%*sHLU71uXEG<-cKO)Mgmeruhg#eDcx6gDAG=7wE?R&*z-*-k_!ZT zi%htKRDr@SIAuF9D$E`z09JOgCcphELeQPWmDDufxTUXVxIDJxPk8U;mllKCFz#&L zhHPv3Mr2##TX7qLVHmPAi#Oz-sO{TYK^gc~|6P#FgxZ6l2w;9V_v~MTdheK<)KE zsW9%Q5JX2m_w7L{6cuI+H3MvUuSvkP8}8);@hQO8>6eg6CUm3}cRTtw5{Qn6Bh|j; z4d@}(QoP3AAp2fF^Q6I|;-_!r^4hOca#riE2Zow1jIPa8*R${F&bOCi>?-eGj!U1O zy&R4yF_(QlLH|~TI4cV&yE)9REJIr$8`_cj-uVB=dX;m&M13V91OQvj1FQ^ z=DC!)jSI;kVg^rlS04Sv`LH6v8~RE0_blk1j=kF*n4IKh?W)U3Za#c+lAE05CN6}W zRjPWj4x^PlonN;I$p>*EFD=C^6QP-KekpwV>sH>H&Dd>^NQNGSsY>tzGy!ekJOf zNQ;)2f$u06$GE5i^D0B^rWlL3O}j2ubctOM4M zgFXqA604W(azeG+4B1g#Cs06q3QUrA0AOUw3vcgMGZ zl&CJ~ey`6&{UBoi5_)Jy;BWOl?ukQsHuCASb381@;BN*mKmxwUpoiFi4>~{gqHXA- z#Nk+*;n~EB+~!sayLOI9#H!Y0*CRuIfa`CP8#)-S_dw8AWU#=u>rC1BmCKhF!gw0{ z>cKtrP8?i73};$oL{kteJ+g*0*v7t@2;F96BR1+n~|oxk&)lPSvHA5#h@nr~c#*ZP4K z1IAXNh5Ca<*T4FD`Sokt*f`U5^99n#0c#f5(YFF|!?S30oqZc1H#>`l>+lP3z_oZA za+{q8^ELXk`0TFPZvx|H-?8DEegtq{&R~OG$@-9NsvnztO~Vm=+bXc{KmM^*Xg|K0 zJfw-B4Hd=-&0b#ioHpCU47@7i1k`Jdf(p|O>R=L^qR9# zxX(7IbK2kPu@9F`CDAq=YBw5KZFTc49X@gO%QEaOksqMxEWB2UOuCnHs&W=LD`fJG zUX7)79>a}tOCTrG3_g(aRo63IuzJ>e@T;jdRT5&N5t*65ODoprh(&<1(=`rVmdZuL zLM8uObniL${J2S8nza#Z$Y|A`N2YQJb*Vu08~#4N=vR zyS9ktw{$MH91O`u>K|RC%k)U%`?l@r)Io52XbY=b$x7sW`7BXBM@r^_W_Ec?Qb zZ*9>QtBKCFq^zrw!oh_esXHyyf$rH)q%<{{iw6B-@35;8+n>G4pLzu;r~_O%)zW3C zWJ+-&FWj5oZI$^jTpnBUr!t`MS9*!ccAuacVN#AYj5}z3$u>4x%SHtBkOfM$Z7m|W zY@)a9BeyK0w)_MMB)ah7L)~~%{rzE_&#Yclu7t`F{USz=Uy3jH zqE2NRj`D$iQ65v3>4wVx+VC^@rhhz!X1LiO6$pHjKN$~D>CI56PuPX`AM`(IBrb#N z-QWh-bqTuISM)jH{)GD=W$bO`9l+-onsz6GcX3rr2T2+Y83_8bvrjt&`$e?Onu7c6 z6QNnVaFgc8+9Wn-7j3!>UKTFdRG0ScD{dzTXyjKwOT z?w({XZb5YMjt+;Qxg?-0g5>N14^ReUFE+@qm1?No8AmwzX$lJN#^Ww)QkO)JHM4Cp30vGjmp^LSf6wR92=ogY&Z~ 
zQ`yX{ZkWx?+02~&g=I7In&CMOQGBvw6clEbjIv}D6{Q!+=#!b5^;I?en`$pp7uG)f zr22an@7<%tDg-0GmDd^~A#De7b!+j0wuyI{;u^%M&FvV##{s0K_D>B+H64JMI(76a zLW?%QtrqAui}@Cd;r5Cf69ZB>|4P#Uq*C_3>@=y70}xWDItCQF+a7djj6*mh&1s4K zQ`M#!4nPV>8|`_i$-LVqJ-l;oAekE()>P(gig^y3f zTkd>&8uspgyM%HE-H^!}Qp=VD*hNu)z^n2?WyK@Q7xO1s@yLqDj6zmC?kD_78N((N zk0;gNw;r?t9hUJIa4-r!5oK_i@l4&IbQ#WnnIkWh)3D0_xXk!MWW2~tfuM( z_bpB%xaOlt`Ajucmx2RH-qX4B_=NS*yPjz~al@c7#m3|RRHIEq%SJnr%`-CAE$-2d zC~jN8u|g&M9(d^J*Jbm{yMa(W=25wKJr>%(JSL!uu`(?P{ z%foAz+dTdU%yFsj^#wcao<9En42T0^;vVG3WuqwG_gs@bF5k-fb`f2U?B_27!Ob7? z(rrEbQQp4#rmXVr@oaUD@ahe|~&*z?w0_QDxREryuN|wxrQPyLn+%5&*DdM)> z2i7NU(4(THEfYo&N9mzKU8g|DDBm81=5*t8+Q|Ee&)>fC&$E%pbepcA`(ikvUiSF> f?OEA?bJ>~;3FjvB7yl&w`}_X^DQLr4?zjQ~v*sP^ literal 0 HcmV?d00001 diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json deleted file mode 100644 index abfee31ed9d11..0000000000000 --- a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json +++ /dev/null 
@@ -1,3636 +0,0 @@ -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "31dfd9156a4b6f6b5b5dbbb9192275d2a129c6bf6c02a8becc2b207aba2c72e8", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.657Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.962Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "cWjdnn8BW0TS6Ffb-tK_", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "f2jenn8BW0TS6FfbC9LD", - "type": "event", - "index": 
"events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "f2jenn8BW0TS6FfbC9LD", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "f2jenn8BW0TS6FfbC9LD", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.657Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.657Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "7a6b11bce332d72f2c9183f2e6ce7c7c0b315d0c2b9bdd7be3da3baf7e07cdd6", - "_score": 1, - "_source": { - 
"agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.403Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.966Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "c2jdnn8BW0TS6Ffb_tJV", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "fGjenn8BW0TS6FfbCtLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "fGjenn8BW0TS6FfbCtLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": 
"dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-3 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "fGjenn8BW0TS6FfbCtLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.403Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.403Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "3b75ccc8c11a7406c33ea4788a3b19304e7ea096960514908a6edecbeda8954d", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.168Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.968Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "cmjdnn8BW0TS6Ffb_NIH", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "e2jenn8BW0TS6FfbCdLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "e2jenn8BW0TS6FfbCdLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - 
"created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-2 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "e2jenn8BW0TS6FfbCdLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.168Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.168Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "544216ab258232e89e74a119cc881845c5091542bf3dcb9cb4b86e01c8d0adbb", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - 
}, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.921Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.969Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "cWjdnn8BW0TS6Ffb-tK_", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "emjenn8BW0TS6FfbCNLd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "emjenn8BW0TS6FfbCNLd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - 
"author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "emjenn8BW0TS6FfbCNLd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:23.921Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.921Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "baa027f490cd6f773fed0829e6ae5ce44168ff33399a4c79ba02d4f43cb55b3c", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - 
"hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.344Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.970Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "c2jdnn8BW0TS6Ffb_tJV", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "eWjenn8BW0TS6FfbB9Lm", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "eWjenn8BW0TS6FfbB9Lm", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - 
"version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-3 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "eWjenn8BW0TS6FfbB9Lm", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:23.344Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.344Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "c8b7576b53cbd54d5fa90ad1087db08424ee00bff008f02551decb14db61e4b7", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - 
"containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.011Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.971Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "cmjdnn8BW0TS6Ffb_NIH", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "eGjenn8BW0TS6FfbBdKn", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "eGjenn8BW0TS6FfbBdKn", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - 
"entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-2 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "eGjenn8BW0TS6FfbBdKn", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:23.011Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.011Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "0bab7081b4a922419c8362dd23942b486dac5e9592c8721eec7601b200687d59", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.678Z", - "dataset": "elastic_agent.filebeat", - 
"kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.972Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "cWjdnn8BW0TS6Ffb-tK_", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "d2jenn8BW0TS6FfbBNJb", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "d2jenn8BW0TS6FfbBNJb", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": 
"event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "d2jenn8BW0TS6FfbBNJb", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:22.678Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.678Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "23dbc3b93eab372449a1b1897d77dc22d5a517edcb31bb1e53fe89ff727cedd9", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.425Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.973Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - 
"threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "c2jdnn8BW0TS6Ffb_tJV", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "dmjenn8BW0TS6FfbA9IO", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "dmjenn8BW0TS6FfbA9IO", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-3 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "dmjenn8BW0TS6FfbA9IO", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": 
"2022-03-18T21:10:22.425Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.425Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "7c79f8e0402c5d2589332a790cd01db7468a2badc07918de7683b293c2e8d2d5", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.850Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.974Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "cmjdnn8BW0TS6Ffb_NIH", - "index": "threat-index-000001", - "type": "indicator_match_rule" 
- } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "dWjenn8BW0TS6FfbAtIS", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "dWjenn8BW0TS6FfbAtIS", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-2 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "dWjenn8BW0TS6FfbAtIS", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:21.850Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.850Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": 
".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "d2a22b3c06c96b95ba412cf0891a624feff450e07b5572624f45040f023e55e9", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.471Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:45.975Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "cWjdnn8BW0TS6Ffb-tK_", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "dGjdnn8BW0TS6Ffb_9Kl", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": 
"dGjdnn8BW0TS6Ffb_9Kl", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "dde92c40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "threat-match-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:42.108Z", - "updated_at": "2022-03-18T21:10:43.879Z", - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "ba2d0ca7-9f48-490b-9071-a47646eb5414", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "reason": "event on security-linux-1 created low alert threat-match-rule.", - "depth": 1, - "parent": { - "id": "dGjdnn8BW0TS6Ffb_9Kl", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:21.471Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.471Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "d562cd311acc9f7c21d0c58ce37fd6ce0559f959918ae158a33da0bcb2d4c3f9", - "_score": 1, - "_source": { - "@timestamp": "2022-03-18T21:10:40.883Z", - "host.name": 
"security-linux-1", - "event": { - "kind": "signal" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "865578ab-d427-554f-81f2-0b14c96229a7", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "865578ab-d427-554f-81f2-0b14c96229a7", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "db2ea020-a6ff-11ec-a34d-a33078cca37b", - "actions": [], - "interval": "1m", - "name": "threshold-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:37.100Z", - "updated_at": "2022-03-18T21:10:38.800Z", - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d36d0212-a9fe-4346-bff0-78b4877ff2d4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "reason": "event created low alert threshold-rule.", - "depth": 1, - "parent": { - "id": "865578ab-d427-554f-81f2-0b14c96229a7", - "type": "event", - "index": "events-index-*", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.657Z", - "threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-1" - } - ], - "count": 4, - "from": "2022-03-18T11:10:40.838Z" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "a7c7ecc631c7a7b5c96ff876cd4252001910bfdfacbd9e295652d4bde7ca5ada", - "_score": 1, - "_source": { - 
"@timestamp": "2022-03-18T21:10:40.884Z", - "host.name": "security-linux-2", - "event": { - "kind": "signal" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "2ff92aec-17cc-5ed6-9ce4-c02f1281c39f", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "2ff92aec-17cc-5ed6-9ce4-c02f1281c39f", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "db2ea020-a6ff-11ec-a34d-a33078cca37b", - "actions": [], - "interval": "1m", - "name": "threshold-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:37.100Z", - "updated_at": "2022-03-18T21:10:38.800Z", - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d36d0212-a9fe-4346-bff0-78b4877ff2d4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "reason": "event created low alert threshold-rule.", - "depth": 1, - "parent": { - "id": "2ff92aec-17cc-5ed6-9ce4-c02f1281c39f", - "type": "event", - "index": "events-index-*", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.168Z", - "threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-2" - } - ], - "count": 3, - "from": "2022-03-18T11:10:40.838Z" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": 
"bf0fcc35981aa44baaee5ca466e8ee956636c82a3cd9fa9dae48c55603df37b9", - "_score": 1, - "_source": { - "@timestamp": "2022-03-18T21:10:40.884Z", - "host.name": "security-linux-3", - "event": { - "kind": "signal" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "1aa42cf4-ba9e-57d4-9912-1f923a852f0b", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "1aa42cf4-ba9e-57d4-9912-1f923a852f0b", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "db2ea020-a6ff-11ec-a34d-a33078cca37b", - "actions": [], - "interval": "1m", - "name": "threshold-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:37.100Z", - "updated_at": "2022-03-18T21:10:38.800Z", - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d36d0212-a9fe-4346-bff0-78b4877ff2d4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "reason": "event created low alert threshold-rule.", - "depth": 1, - "parent": { - "id": "1aa42cf4-ba9e-57d4-9912-1f923a852f0b", - "type": "event", - "index": "events-index-*", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.403Z", - "threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-3" - } - ], - "count": 3, - "from": "2022-03-18T11:10:40.838Z" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": 
".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "217fc346273e4a37ef7c4ec55f52409df5d19942854c0e144516d133cc5442bc", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.471Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.769Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "dGjdnn8BW0TS6Ffb_9Kl", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "dGjdnn8BW0TS6Ffb_9Kl", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": 
[], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "dGjdnn8BW0TS6Ffb_9Kl", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:21.471Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.471Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "5c27171e8a09b61d82bf4428835ea796c37c76b06585aec3208aecbc3bff8848", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - 
"ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.850Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.773Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "dWjenn8BW0TS6FfbAtIS", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "dWjenn8BW0TS6FfbAtIS", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on 
security-linux-2 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "dWjenn8BW0TS6FfbAtIS", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:21.850Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:21.850Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "023cadbb328c1537a3e2f0acee3e4daf4aa2d101f932762a86a5cf42628c9cd9", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.425Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.774Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { 
- "version": 57 - }, - "parents": [ - { - "id": "dmjenn8BW0TS6FfbA9IO", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "dmjenn8BW0TS6FfbA9IO", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-3 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "dmjenn8BW0TS6FfbA9IO", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:22.425Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.425Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "c900ef94ef10ba2c28e323f79dfb305b3eac2be0a8d8c154e5b520fb02055186", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.678Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.775Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "d2jenn8BW0TS6FfbBNJb", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "d2jenn8BW0TS6FfbBNJb", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - 
"false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "d2jenn8BW0TS6FfbBNJb", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:22.678Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:22.678Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "56f8c326f10733ca517549799e59b82349850747998dde7779ca65e711ea4aac", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": 
"security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.011Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.776Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "eGjenn8BW0TS6FfbBdKn", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "eGjenn8BW0TS6FfbBdKn", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-2 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "eGjenn8BW0TS6FfbBdKn", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:23.011Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.011Z", - "dataset": 
"elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "12337125cc40a91dd96b21d4cb62f36e8e5ed11d9772d21950039f8e755d231d", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.344Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.777Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "eWjenn8BW0TS6FfbB9Lm", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "eWjenn8BW0TS6FfbB9Lm", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": 
"d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-3 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "eWjenn8BW0TS6FfbB9Lm", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:23.344Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.344Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "172528411cae0ff2a41f42ce6cabcec7bafd6a9d5238c7016b8b8548675f827c", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": 
"g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.921Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.778Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "emjenn8BW0TS6FfbCNLd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "emjenn8BW0TS6FfbCNLd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", 
- "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "emjenn8BW0TS6FfbCNLd", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:23.921Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:23.921Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "4d024b3f9134c10ee1acc3ba4899b39a32c714780aa9037435fae372a7a0dd8c", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.168Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.779Z", - "data_stream": { - "namespace": 
"default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "e2jenn8BW0TS6FfbCdLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "e2jenn8BW0TS6FfbCdLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-2 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "e2jenn8BW0TS6FfbCdLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.168Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.168Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "156c5c290ce493043502367b57adb0e9a9761a9c19c861479fb19d5f4147c2c4", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", 
- "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.403Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.780Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "fGjenn8BW0TS6FfbCtLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "fGjenn8BW0TS6FfbCtLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - 
"license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-3 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "fGjenn8BW0TS6FfbCtLM", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.403Z", - "original_event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.403Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".siem-signals-default-000001-7.17.0", - "_type": "_doc", - "_id": "09fba1b7d25dd17478a815fb5a0a616f7f09ad8c93bb5404caac1b0f55172e3b", - "_score": 1, - "_source": { - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "7.17.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "7.17.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": 
"debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2022-03-18T21:10:24.657Z", - "dataset": "elastic_agent.filebeat", - "kind": "signal" - }, - "service.name": "filebeat", - "message": "Status message.", - "@timestamp": "2022-03-18T21:10:31.782Z", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "signal": { - "_meta": { - "version": 57 - }, - "parents": [ - { - "id": "f2jenn8BW0TS6FfbC9LD", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "ancestors": [ - { - "id": "f2jenn8BW0TS6FfbC9LD", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "status": "open", - "rule": { - "id": "d6766f40-a6ff-11ec-a9c9-7bf7f6b6d825", - "actions": [], - "interval": "1m", - "name": "query-rule", - "tags": [], - "enabled": true, - "created_by": "elastic", - "updated_by": "elastic", - "throttle": null, - "created_at": "2022-03-18T21:10:29.079Z", - "updated_at": "2022-03-18T21:10:29.677Z", - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "output_index": ".siem-signals-default-000001", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "d5e1bb1d-80e9-445d-b1ec-f63fa5f52e09", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "reason": "event on security-linux-1 created low alert query-rule.", - "depth": 1, - "parent": { - "id": "f2jenn8BW0TS6FfbC9LD", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - "original_time": "2022-03-18T21:10:24.657Z", - "original_event": { - "agent_id_status": 
"verified", - "ingested": "2022-03-18T21:10:24.657Z", - "dataset": "elastic_agent.filebeat" - } - } - } - } -} - 
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json.gz b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/data.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..e63a4ccc0ab4f8efa6fc6c61d8980086287bdf50 GIT binary patch literal 4744 zcmb7{c{G&$-^XVV(_|ZwJ-Z0mHB8x=u_R0O22sWm#+Eh2*cnTRFi4TyMD{@_Su=?2 z`$WTp$`-z^PKZM_j8{6pX*%bI@h`0@9+Ed`Fua$i!TubLZWUt0;uoa@w;=y z&DYBlu%2)5cv?5Td-H%bNp)R?=G7ci!B{$~u3m8}3e^q4q5Ve9o(;g6&bmGKCN+Bj zY4n)2ujbYx*vhswEZ8G7Ei44K?At7;+SEAdJ^Ppf7FWm}$puZhrRMKp@^%(dZKZsl zQW}cOm^RDhV-iiWSrdnI%Q&UMe9x@0{Z!^Bi<*qpJkRj4YtQ^&H;_HaxX{nq)hTvP zSLka5!TnNuV>Zc(0_h=+GQ&m_VmyMnlM6i6G zyK@-VNjJm|Gx;(pTbhQvls={pfeOgC(%)rTu0C$|<~aCX*`)LExXdthTa zoi9Fbk$)|BHgoV;PASpn3+|y=@~@n$FM=*u+|XIaymMGnc$gJzcg=leV{!@~$*;+L zV+0Xvc0v~9Y-k$p&RVYFU@!W4$ywj54pq-Rm=!jT-XbJ*bz!@DKR2A!-hOHa7(;G`R0g5hNHH7iSR1lz-;KQ=a=^_cv5n+`*byE zE1>vrAaH+4`Uq*16ass?fo!m2@IqH-XaD$R7ZS!$`OU6{>vOPNIjZW!hd6Uz`TEAs zRtmUkSa^!nA6}?Lg1klDHOD?r=fujow&;C@q;m2EGg;tr)#WvF^Xz!``vGrfKgRBO zeDg6WDGQytikzo~$&GaMkDu&)Gr!llVNLGk+~iAemg5S4S#W|+oGq3bcTo71l6mH& zDTFXPk>RaWPdfFRDK2RUPTYfYb!q*Ww&Y- z`fJ~2`46=Oz3%kzAsvGQ8`$N@fb?g39>LK5dy1&f6L9Yg!`Yy~dCZr{;8t_s3w4DX z^Yfr%uHx5cxxrV$Jqzs5l$k@Vr3a@EjNZR3+_%-&+F>Sd*LXeH>SP?RoFEgOSuP}w zhWmf-4(5p}xz~98Yg?a*o1~c_iI;|`CDrqQd51aOa;3v?x8~y#q0!t889n{>w{bL) z82aYw&!6ipZu3nKvkCBxbz!8{z?hni#G9kq&%P^gLPpJH(DCt))s2pL@!9DG*dWPG zFQcZnhnK#0r^z)xiQH8F?wwoYF2Pzyd~f7+n2PyexMujF$?t$#o&EP7gH7%lZ@7X? 
zPG(4{M>XTPxuos-i(~7dIdW@+UcQ3uqoXHBFY0X~VT^70m`{FDlS=C7NxmNgzaeI~ znnly?wWbxNx68d?QM2^^J0P{$+||tSwc^CsmaGfkkWx~{ZSW}*5fQSE&zeZe9q!N0 z0Y$t-uQkO_xi?#xoiqH)m8mpzFWMcEhSBMcWGKyj zKDS1D^FZFJ<`X&7cGP0ML}sg`l$gQ2-WV3zzc2TV$HzRNV}6RM0#P&l^(TQ(MZ{WB zqJK(fWI1pqBvwUkN841c6LB;X-hWtGq$T42m5c9!rz&0|SNlF~qRERTI*Akpw-kom z>q>l5Vbk~dL37IWAoB+jYJV(kwLOsLDHWDSjy`@9;!rQSnYB!OV340#Ejd31Y?KeL zqit->mC{`%AxSw4(1OqJ990f2HFVYjhdJ+ZJ*ZjL&%KnAmllmRWHS`9brJTylg(;K z)6cmPR~{b}K5b=xHVm`z!ya535Foy@ncJ{SJVMtgnk5zA9(KT4Yt4!ciL8tGV}zCBkfD_G1aS=hjT?3s4eG z)$6GsmvMaf*!7aiwl%SlVW>{>MKy((xqw+`o?On!YIo^D%jQ}WlJ4H|WA68iqKBCR z$xh>0+qha?NCjcn=y1Yyf4TP|JcQTZ;oxb_M$QLb;LmnR&k$GPo?!A@6`7e=RdzY4 z1nWQE*|y%NtywKB$J5?u;e8&VC_|KyrVCManlSPpZ%+if908~t$P{X6dVjmYb&27P z19V8!Kste=n%$MAueqL|TD>6%02l%mx~ri8qyy1S7xhb1VWCN{)zk`|;_Rpk&jUyo z0e;&nu6r{=0N%+nehtfe;dJT^EIraNs;1DLar%WZ?}#gdvVcNr^>J0&2u~S+`nVNU z1S0@>9D&7M9OCVpodn=Fl!%5AmA=zXwV}=tSexE_-@ZHdg|*(9aGBza`-~G6btHQn zQZLx>W6ds`=+f}zG0ce#d6zIEKVmIkM*15kV$Z>Q;AJhR&GGST9F8YEV-| z=^{L5edc{>BPzXqVrl(gZH$3`+JCQ!q%Ji3)Bcyg?9V=@CfSAWsR2k9z?MVq`vqra zRKP>`RA>Qy0Mb-9V2FVhK;kkujiaA$DD5#dKB@`Etv){MoOgD}-!mjBYmk1(y9;!o zi=`4IqOr=K(_sZGWwl6xVHH-ACJ?PPQ`XLzAP{Uh?Z+67c1R;$0)WqQrc)nRP>*-V zMQkkT-(EF7AIcD6L|qugGQLHP*Msx7g)PIP2Ka`SmH&4i`ENUS95x6vL+f7h1S-<* zfBCR>VosA4Ir~*7BfV=OO;81NzVTerog&BQ8EzigkEcpTt|um`^f$ej-YD#31MmXy z6{XTt6ie=#Uy$MP61=8em4G2Vng~Yy+k;G`uqn2l!JTqFRMkE;{#rNS6yG5S0N()s zAf3(vQ~-XI=Oa%VFMj+VFbU!kO{`gFsOu;kyg2QLxV?c_nj1oDvHP+79SH&EfIH+X$?sTUBK_o{KGj}#0+48_0e;CM01{wmnTbR& zUJ4cqKv9$M(@F9`Ji#Mn_-77KC8K&b;Ia%9Qj6o@e-J_#@VqEb|9&+vo7FgWm{(^eRNAqz>war1Tuh<3L`1>E3eF; zeK=(=AGr9Bb@C5DxvVk)yjQ_S~gB(HCqXLVyRZnf-%XmY? zlau)+V>meBK)wDZVRM6nw4yi=Lmr)&H?jdp>FfaS(`-U6Z5|lh{*l^S9!SSack1ga zou4%9o9T%R0pQ6?_pgei38-=*I%2t*F z4eLJ8B=VW`*!$mvrL_-+L&FhdTNZjjm`#CP!Eqtt@>lxIe76&|iXC<@lv6mHW#MSS$%mv@bWdm?B}g6^k<3>xj33&BC1eL8|Ebc)>Jux3u%?aL{s~?1A~!so#3MeKC>! 
zyuA1y-5v+w(NWE9!r-mmV_kPI_%6p&{N&Yj@#k<)>{y$gV{6(=MVpp1*IP$FUwtORlk_d)BldZe+vvTz)2St87Oy=W{JelVYzg%=5h+Fzt6v0Wf3N$S9&69O(nAOl=W~Et= zVG#pGMi$~$DHk9s&BKI9{)AXl(noM)q3Vk|)3(tAR)Od^RQb)aJ%nY47NSo!L`Re^ z5P{c4>?1CkHiNBtlD`%msAHvB!Fa^8xl6$OELT>Ar}_tU&jX}sFUYx^DGc9;!VV5< z1lRQNN!U-su)eg7z(;qZX*S|IS?KPi)>DdqMs*e>2(>?nYs-*^z>SB%RGHxX&B5#YZ;+RC9!K8{~sYEO#%|!n|HQ0+|Bf zh_2ReB*l~W8zbI89)S_rzt&3$)~T1x2XlT*ktb<22aS2C=yw5I6)=5n1(a=kS$2^i zdskuC?wmmtiU4MD-T8^Wc&*FMK<}Df0;j;MVsN_eO|jkFjlxPGlnRZZO!7z}b)?qm zBu7%8PVz@Why_q@qY>|#?~z-;V9;3}0m_N&Z>IlEdJ>JP-={&?G4f+)E>** zZU+4POJQBEFRhXI7=P|lbnM-b!pfr48C@wbP}-QVC)6ImCqY#4e<}UDyv@0aP7N#c zMVa<5#sIjBWRoTq-G`6SlD&Q&TlG4I@D4&bHg)g-eHR;rxSHA(bdr3uU#4am5Iw+h zx(1KTE_6RCWJAnetQp`jHSbg>vic{2|G5{vTHT h4j&UGdz~9QWUhr;0_9JKv0%TSJQ~X;C&U5){{g?#?@9mw literal 0 HcmV?d00001 diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json deleted file mode 100644 index 5b241ee374260..0000000000000 --- a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json +++ /dev/null 
@@ -1,5825 +0,0 @@ -{ - "type": "index", - "value": { - "aliases": { - ".siem-signals-default": { - "is_write_index": true - } - }, - "index": ".siem-signals-default-000001-7.17.0", - "mappings": { - "dynamic": "false", - "_meta": { - "version": 57, - "aliases_version": 1 - }, - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ephemeral_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - } - } - }, - "client": { - "properties": { - "address": { - "type": "keyword", - "ignore_above": 1024 - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": 
"keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword", - "ignore_above": 1024 - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "user": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "availability_zone": { - "type": "keyword", - "ignore_above": 1024 - }, - "instance": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - 
"machine": { - "properties": { - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "project": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "provider": { - "type": "keyword", - "ignore_above": 1024 - }, - "region": { - "type": "keyword", - "ignore_above": 1024 - }, - "service": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "container": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "image": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "tag": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "runtime": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "type": "keyword" - }, - "namespace": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "type": "keyword", - "ignore_above": 1024 - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, 
- "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword", - "ignore_above": 1024 - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "user": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "exists": { - 
"type": "boolean" - }, - "signing_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "team_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha512": { - "type": "keyword", - "ignore_above": 1024 - }, - "ssdeep": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024 - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "company": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "file_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "imphash": { - "type": "keyword", - "ignore_above": 1024 - }, - "original_file_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "type": "keyword", - "ignore_above": 1024 - }, - "data": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "ttl": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "header_flags": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "op_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "question": { - "properties": { - "class": { - "type": "keyword", - "ignore_above": 1024 - }, - 
"name": { - "type": "keyword", - "ignore_above": 1024 - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ecs": { - "properties": { - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "error": { - "properties": { - "code": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "message": { - "type": "text", - "norms": false - }, - "stack_trace": { - "type": "keyword", - "index": false, - "doc_values": false, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "event": { - "properties": { - "action": { - "type": "keyword", - "ignore_above": 1024 - }, - "agent_id_status": { - "type": "keyword", - "ignore_above": 1024 - }, - "category": { - "type": "keyword", - "ignore_above": 1024 - }, - "code": { - "type": "keyword", - "ignore_above": 1024 - }, - "created": { - "type": "date" - }, - "dataset": { - "type": "keyword", - "ignore_above": 1024 - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "ingested": { - "type": "date" - }, - "kind": { - "type": "keyword", - "ignore_above": 1024 - }, - "module": { - "type": "keyword", - "ignore_above": 1024 - }, - "original": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "outcome": { - "type": "keyword", - "ignore_above": 1024 - }, - "provider": { - "type": "keyword", - "ignore_above": 
1024 - }, - "reason": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "url": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "type": "keyword", - "ignore_above": 1024 - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "team_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "type": "keyword", - "ignore_above": 1024 - }, - "directory": { - "type": "keyword", - "ignore_above": 1024 - }, - "drive_letter": { - "type": "keyword", - "ignore_above": 1 - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "byte_order": { - "type": "keyword", - "ignore_above": 1024 - }, - "cpu_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "class": { - "type": "keyword", - "ignore_above": 1024 - }, - "data": { - "type": "keyword", - "ignore_above": 1024 - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword", - "ignore_above": 
1024 - }, - "os_abi": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_offset": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "shared_libraries": { - "type": "keyword", - "ignore_above": 1024 - }, - "telfhash": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "extension": { - "type": "keyword", - "ignore_above": 1024 - }, - "gid": { - "type": "keyword", - "ignore_above": 1024 - }, - "group": { - "type": "keyword", - "ignore_above": 1024 - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha512": { - "type": "keyword", - "ignore_above": 1024 - }, - "ssdeep": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "inode": { - "type": "keyword", - "ignore_above": 1024 - }, - "mime_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "mode": { - "type": "keyword", - "ignore_above": 1024 - }, - "mtime": { - "type": "date" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "owner": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - 
"type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "company": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "file_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "imphash": { - "type": "keyword", - "ignore_above": 1024 - }, - "original_file_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "uid": { - "type": "keyword", - "ignore_above": 1024 - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword", - "ignore_above": 1024 - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_curve": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_exponent": { - "type": "long", - "index": false, - "doc_values": false - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword", - "ignore_above": 1024 - }, - 
"signature_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "version_number": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha512": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "host": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "cpu": { - "properties": { - "usage": { - "type": "scaled_float", - "scaling_factor": 1000 - } - } - }, - "disk": { - "properties": { - 
"read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hostname": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "type": "keyword", - "ignore_above": 1024 - }, - "full": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "kernel": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "caseless": { - "type": "keyword", - "ignore_above": 1024, - "normalizer": "lowercase" - }, - "text": { - "type": 
"text", - "norms": false - } - } - }, - "platform": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "method": { - "type": "keyword", - "ignore_above": 1024 - }, - "mime_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "referrer": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - }, - "bytes": { - 
"type": "long" - }, - "mime_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "interface": { - "properties": { - "alias": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "kibana": { - "properties": { - "alert": { - "properties": { - "ancestors": { - "properties": { - "depth": { - "type": "alias", - "path": "signal.ancestors.depth" - }, - "id": { - "type": "alias", - "path": "signal.ancestors.id" - }, - "index": { - "type": "alias", - "path": "signal.ancestors.index" - }, - "type": { - "type": "alias", - "path": "signal.ancestors.type" - } - } - }, - "depth": { - "type": "alias", - "path": "signal.depth" - }, - "original_event": { - "properties": { - "action": { - "type": "alias", - "path": "signal.original_event.action" - }, - "category": { - "type": "alias", - "path": "signal.original_event.category" - }, - "code": { - "type": "alias", - "path": "signal.original_event.code" - }, - "created": { - "type": "alias", - "path": "signal.original_event.created" - }, - "dataset": { - "type": "alias", - "path": "signal.original_event.dataset" - }, - "duration": { - "type": "alias", - "path": "signal.original_event.duration" - }, - "end": { - "type": "alias", - "path": "signal.original_event.end" - }, - "hash": { - "type": "alias", - "path": "signal.original_event.hash" - }, - "id": { - "type": "alias", - "path": "signal.original_event.id" - }, - "kind": { - "type": "alias", - "path": "signal.original_event.kind" - }, - "module": { - "type": "alias", - "path": "signal.original_event.module" - }, - "outcome": { - "type": "alias", - "path": "signal.original_event.outcome" - }, - "provider": { - "type": "alias", - "path": "signal.original_event.provider" - }, - "reason": { - "type": "alias", - "path": 
"signal.original_event.reason" - }, - "risk_score": { - "type": "alias", - "path": "signal.original_event.risk_score" - }, - "risk_score_norm": { - "type": "alias", - "path": "signal.original_event.risk_score_norm" - }, - "sequence": { - "type": "alias", - "path": "signal.original_event.sequence" - }, - "severity": { - "type": "alias", - "path": "signal.original_event.severity" - }, - "start": { - "type": "alias", - "path": "signal.original_event.start" - }, - "timezone": { - "type": "alias", - "path": "signal.original_event.timezone" - }, - "type": { - "type": "alias", - "path": "signal.original_event.type" - } - } - }, - "original_time": { - "type": "alias", - "path": "signal.original_time" - }, - "reason": { - "type": "alias", - "path": "signal.reason" - }, - "risk_score": { - "type": "alias", - "path": "signal.rule.risk_score" - }, - "rule": { - "properties": { - "author": { - "type": "alias", - "path": "signal.rule.author" - }, - "building_block_type": { - "type": "alias", - "path": "signal.rule.building_block_type" - }, - "created_at": { - "type": "alias", - "path": "signal.rule.created_at" - }, - "created_by": { - "type": "alias", - "path": "signal.rule.created_by" - }, - "description": { - "type": "alias", - "path": "signal.rule.description" - }, - "enabled": { - "type": "alias", - "path": "signal.rule.enabled" - }, - "false_positives": { - "type": "alias", - "path": "signal.rule.false_positives" - }, - "from": { - "type": "alias", - "path": "signal.rule.from" - }, - "immutable": { - "type": "alias", - "path": "signal.rule.immutable" - }, - "index": { - "type": "alias", - "path": "signal.rule.index" - }, - "interval": { - "type": "alias", - "path": "signal.rule.interval" - }, - "language": { - "type": "alias", - "path": "signal.rule.language" - }, - "license": { - "type": "alias", - "path": "signal.rule.license" - }, - "max_signals": { - "type": "alias", - "path": "signal.rule.max_signals" - }, - "name": { - "type": "alias", - "path": "signal.rule.name" - 
}, - "note": { - "type": "alias", - "path": "signal.rule.note" - }, - "query": { - "type": "alias", - "path": "signal.rule.query" - }, - "references": { - "type": "alias", - "path": "signal.rule.references" - }, - "risk_score_mapping": { - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.risk_score_mapping.field" - }, - "operator": { - "type": "alias", - "path": "signal.rule.risk_score_mapping.operator" - }, - "value": { - "type": "alias", - "path": "signal.rule.risk_score_mapping.value" - } - } - }, - "rule_id": { - "type": "alias", - "path": "signal.rule.rule_id" - }, - "rule_name_override": { - "type": "alias", - "path": "signal.rule.rule_name_override" - }, - "saved_id": { - "type": "alias", - "path": "signal.rule.saved_id" - }, - "severity_mapping": { - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.severity_mapping.field" - }, - "operator": { - "type": "alias", - "path": "signal.rule.severity_mapping.operator" - }, - "severity": { - "type": "alias", - "path": "signal.rule.severity_mapping.severity" - }, - "value": { - "type": "alias", - "path": "signal.rule.severity_mapping.value" - } - } - }, - "tags": { - "type": "alias", - "path": "signal.rule.tags" - }, - "threat": { - "properties": { - "framework": { - "type": "alias", - "path": "signal.rule.threat.framework" - }, - "tactic": { - "properties": { - "id": { - "type": "alias", - "path": "signal.rule.threat.tactic.id" - }, - "name": { - "type": "alias", - "path": "signal.rule.threat.tactic.name" - }, - "reference": { - "type": "alias", - "path": "signal.rule.threat.tactic.reference" - } - } - }, - "technique": { - "properties": { - "id": { - "type": "alias", - "path": "signal.rule.threat.technique.id" - }, - "name": { - "type": "alias", - "path": "signal.rule.threat.technique.name" - }, - "reference": { - "type": "alias", - "path": "signal.rule.threat.technique.reference" - }, - "subtechnique": { - "properties": { - "id": { - "type": "alias", - "path": 
"signal.rule.threat.technique.subtechnique.id" - }, - "name": { - "type": "alias", - "path": "signal.rule.threat.technique.subtechnique.name" - }, - "reference": { - "type": "alias", - "path": "signal.rule.threat.technique.subtechnique.reference" - } - } - } - } - } - } - }, - "threat_index": { - "type": "alias", - "path": "signal.rule.threat_index" - }, - "threat_indicator_path": { - "type": "alias", - "path": "signal.rule.threat_indicator_path" - }, - "threat_language": { - "type": "alias", - "path": "signal.rule.threat_language" - }, - "threat_mapping": { - "properties": { - "entries": { - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.threat_mapping.entries.field" - }, - "type": { - "type": "alias", - "path": "signal.rule.threat_mapping.entries.type" - }, - "value": { - "type": "alias", - "path": "signal.rule.threat_mapping.entries.value" - } - } - } - } - }, - "threat_query": { - "type": "alias", - "path": "signal.rule.threat_query" - }, - "threshold": { - "properties": { - "field": { - "type": "alias", - "path": "signal.rule.threshold.field" - }, - "value": { - "type": "alias", - "path": "signal.rule.threshold.value" - } - } - }, - "timeline_id": { - "type": "alias", - "path": "signal.rule.timeline_id" - }, - "timeline_title": { - "type": "alias", - "path": "signal.rule.timeline_title" - }, - "to": { - "type": "alias", - "path": "signal.rule.to" - }, - "type": { - "type": "alias", - "path": "signal.rule.type" - }, - "updated_at": { - "type": "alias", - "path": "signal.rule.updated_at" - }, - "updated_by": { - "type": "alias", - "path": "signal.rule.updated_by" - }, - "uuid": { - "type": "alias", - "path": "signal.rule.id" - }, - "version": { - "type": "alias", - "path": "signal.rule.version" - } - } - }, - "severity": { - "type": "alias", - "path": "signal.rule.severity" - }, - "threshold_result": { - "properties": { - "cardinality": { - "properties": { - "field": { - "type": "alias", - "path": 
"signal.threshold_result.cardinality.field" - }, - "value": { - "type": "alias", - "path": "signal.threshold_result.cardinality.value" - } - } - }, - "count": { - "type": "alias", - "path": "signal.threshold_result.count" - }, - "from": { - "type": "alias", - "path": "signal.threshold_result.from" - }, - "terms": { - "properties": { - "field": { - "type": "alias", - "path": "signal.threshold_result.terms.field" - }, - "value": { - "type": "alias", - "path": "signal.threshold_result.terms.value" - } - } - } - } - }, - "workflow_status": { - "type": "alias", - "path": "signal.status" - } - } - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "level": { - "type": "keyword", - "ignore_above": 1024 - }, - "logger": { - "type": "keyword", - "ignore_above": 1024 - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "integer" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "function": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "original": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - } - } - }, - "message": { - "type": "text", - "norms": false - }, - "network": { - "properties": { - "application": { - "type": "keyword", - "ignore_above": 1024 - }, - "bytes": { - "type": "long" - }, - "community_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "direction": { - "type": "keyword", - "ignore_above": 1024 - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "packets": { - "type": "long" - }, - "protocol": { - "type": "keyword", - "ignore_above": 1024 - }, - "transport": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "vlan": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "vlan": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "zone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hostname": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "vlan": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "zone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "os": { - "properties": { - "family": { - "type": "keyword", - "ignore_above": 1024 - }, - "full": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "kernel": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "platform": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - }, - "serial_number": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "vendor": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "cluster": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "url": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "namespace": { - "type": "keyword", - "ignore_above": 1024 
- }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "resource": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "organization": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - }, - "os": { - "properties": { - "family": { - "type": "keyword", - "ignore_above": 1024 - }, - "full": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "kernel": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "platform": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "package": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "build_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "checksum": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "install_scope": { - "type": "keyword", - "ignore_above": 1024 - }, - "installed": { - "type": "date" - }, - "license": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "size": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "pe": { - "properties": { - "company": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "file_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "original_file_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "process": { - "properties": { - "args": { - "type": "keyword", - "ignore_above": 1024 - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "team_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "byte_order": { - "type": "keyword", - "ignore_above": 1024 - }, - "cpu_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "class": { - "type": "keyword", - "ignore_above": 1024 - }, - "data": { - "type": "keyword", - "ignore_above": 1024 - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "os_abi": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": 
{ - "type": "long" - }, - "flags": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_offset": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "shared_libraries": { - "type": "keyword", - "ignore_above": 1024 - }, - "telfhash": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "entity_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "executable": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha512": { - "type": "keyword", - "ignore_above": 1024 - }, - "ssdeep": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "parent": { - "properties": { - "args": { - "type": "keyword", - "ignore_above": 1024 - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "team_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "trusted": { - "type": "boolean" - }, - "valid": 
{ - "type": "boolean" - } - } - }, - "command_line": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "byte_order": { - "type": "keyword", - "ignore_above": 1024 - }, - "cpu_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "class": { - "type": "keyword", - "ignore_above": 1024 - }, - "data": { - "type": "keyword", - "ignore_above": 1024 - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "os_abi": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_offset": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "shared_libraries": { - "type": "keyword", - "ignore_above": 1024 - }, - "telfhash": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "entity_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "executable": { - 
"type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha512": { - "type": "keyword", - "ignore_above": 1024 - }, - "ssdeep": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "company": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "file_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "imphash": { - "type": "keyword", - "ignore_above": 1024 - }, - "original_file_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "title": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "company": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "file_version": { - "type": 
"keyword", - "ignore_above": 1024 - }, - "imphash": { - "type": "keyword", - "ignore_above": 1024 - }, - "original_file_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "title": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "type": "keyword", - "ignore_above": 1024 - }, - "strings": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hive": { - "type": "keyword", - "ignore_above": 1024 - }, - "key": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024 - }, - "value": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "related": { - "properties": { - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "hosts": { - "type": "keyword", - "ignore_above": 1024 - }, - "ip": { - "type": "ip" - }, - "user": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "rule": { - "properties": { - "author": { - "type": "keyword", - "ignore_above": 1024 - }, - "category": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "license": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "ruleset": { - "type": "keyword", - "ignore_above": 1024 - }, - "uuid": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "server": { - "properties": { - "address": { - "type": "keyword", - "ignore_above": 1024 - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword", - "ignore_above": 1024 - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "user": { - "properties": 
{ - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "node": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "state": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "signal": { - "properties": { - "_meta": { - "properties": { - "version": { - "type": "long" - } - } - }, - "ancestors": { - "properties": { - "depth": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "rule": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "depth": { - "type": "integer" - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "index": { - "type": "integer" - } - } - }, - "original_event": { - "properties": { - "action": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "code": { - "type": "keyword" - }, - "created": { - "type": 
"date" - }, - "dataset": { - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "kind": { - "type": "keyword" - }, - "module": { - "type": "keyword" - }, - "original": { - "type": "keyword", - "index": false, - "doc_values": false - }, - "outcome": { - "type": "keyword" - }, - "provider": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "original_signal": { - "type": "object", - "dynamic": "false", - "enabled": false - }, - "original_time": { - "type": "date" - }, - "parent": { - "properties": { - "depth": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "rule": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "parents": { - "properties": { - "depth": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "rule": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "reason": { - "type": "keyword" - }, - "rule": { - "properties": { - "author": { - "type": "keyword" - }, - "building_block_type": { - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "created_by": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "enabled": { - "type": "keyword" - }, - "false_positives": { - "type": "keyword" - }, - "filters": { - "type": "object" - }, - "from": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "immutable": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "interval": { - "type": "keyword" - }, - "language": { - "type": "keyword" - }, - "license": { - 
"type": "keyword" - }, - "max_signals": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "note": { - "type": "text" - }, - "output_index": { - "type": "keyword" - }, - "query": { - "type": "keyword" - }, - "references": { - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_mapping": { - "properties": { - "field": { - "type": "keyword" - }, - "operator": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "rule_id": { - "type": "keyword" - }, - "rule_name_override": { - "type": "keyword" - }, - "saved_id": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "severity_mapping": { - "properties": { - "field": { - "type": "keyword" - }, - "operator": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "size": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - }, - "threat": { - "properties": { - "framework": { - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - } - } - } - } - }, - "threat_filters": { - "type": "object" - }, - "threat_index": { - "type": "keyword" - }, - "threat_indicator_path": { - "type": "keyword" - }, - "threat_language": { - "type": "keyword" - }, - "threat_mapping": { - "properties": { - "entries": { - "properties": { - "field": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - } - } - }, - "threat_query": { - "type": "keyword" - }, - "threshold": { - "properties": { - "field": { - "type": "keyword" - }, - 
"value": { - "type": "float" - } - } - }, - "timeline_id": { - "type": "keyword" - }, - "timeline_title": { - "type": "keyword" - }, - "timestamp_override": { - "type": "keyword" - }, - "to": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "updated_at": { - "type": "date" - }, - "updated_by": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "status": { - "type": "keyword" - }, - "threshold_count": { - "type": "float" - }, - "threshold_result": { - "properties": { - "cardinality": { - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "long" - } - } - }, - "count": { - "type": "long" - }, - "from": { - "type": "date" - }, - "terms": { - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - } - } - } - } - }, - "source": { - "properties": { - "address": { - "type": "keyword", - "ignore_above": 1024 - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": 
"keyword", - "ignore_above": 1024 - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword", - "ignore_above": 1024 - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "user": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "span": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "tags": { - "type": "keyword", - "ignore_above": 1024 - }, - "threat": { - "properties": { - "enrichments": { - "type": "nested", - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - } - } - } - } - }, - "confidence": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": 
"keyword", - "ignore_above": 1024 - }, - "email": { - "properties": { - "address": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "type": "keyword", - "ignore_above": 1024 - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "status": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "team_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "type": "keyword", - "ignore_above": 1024 - }, - "directory": { - "type": "keyword", - "ignore_above": 1024 - }, - "drive_letter": { - "type": "keyword", - "ignore_above": 1 - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "byte_order": { - "type": "keyword", - "ignore_above": 1024 - }, - "cpu_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "class": { - "type": "keyword", - "ignore_above": 1024 - }, - "data": { - "type": "keyword", - "ignore_above": 1024 - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "os_abi": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - 
"type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_offset": { - "type": "keyword", - "ignore_above": 1024 - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "shared_libraries": { - "type": "keyword", - "ignore_above": 1024 - }, - "telfhash": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "extension": { - "type": "keyword", - "ignore_above": 1024 - }, - "gid": { - "type": "keyword", - "ignore_above": 1024 - }, - "group": { - "type": "keyword", - "ignore_above": 1024 - }, - "inode": { - "type": "keyword", - "ignore_above": 1024 - }, - "mime_type": { - "type": "keyword", - "ignore_above": 1024 - }, - "mode": { - "type": "keyword", - "ignore_above": 1024 - }, - "mtime": { - "type": "date" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "owner": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "uid": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "continent_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country_iso_code": { - "type": 
"keyword", - "ignore_above": 1024 - }, - "country_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "postal_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_iso_code": { - "type": "keyword", - "ignore_above": 1024 - }, - "region_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "timezone": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha512": { - "type": "keyword", - "ignore_above": 1024 - }, - "ssdeep": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "modified_at": { - "type": "date" - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword", - "ignore_above": 1024 - }, - "company": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024 - }, - "file_version": { - "type": "keyword", - "ignore_above": 1024 - }, - "imphash": { - "type": "keyword", - "ignore_above": 1024 - }, - "original_file_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "product": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "port": { - "type": "long" - }, - "provider": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "type": "keyword", - "ignore_above": 1024 - }, - "strings": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hive": { - 
"type": "keyword", - "ignore_above": 1024 - }, - "key": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024 - }, - "value": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "url": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "extension": { - "type": "keyword", - "ignore_above": 1024 - }, - "fragment": { - "type": "keyword", - "ignore_above": 1024 - }, - "full": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "original": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "password": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024 - }, - "port": { - "type": "long" - }, - "query": { - "type": "keyword", - "ignore_above": 1024 - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "scheme": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "username": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword", - "ignore_above": 1024 - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - 
"state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_curve": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_exponent": { - "type": "long", - "index": false, - "doc_values": false - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword", - "ignore_above": 1024 - }, - "signature_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "version_number": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "matched": { - "properties": { - "atomic": { - "type": "keyword", - "ignore_above": 1024 - }, - "field": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "index": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "framework": { - "type": "keyword", - "ignore_above": 1024 - }, - "group": { - "properties": { - "alias": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "software": { - "properties": { - "id": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "platforms": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "tactic": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "technique": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "subtechnique": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "type": "keyword", - "ignore_above": 1024 - }, - "client": { - "properties": { - "certificate": { - "type": "keyword", - "ignore_above": 1024 - }, - "certificate_chain": { - "type": "keyword", - "ignore_above": 1024 - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "issuer": { - "type": "keyword", - "ignore_above": 1024 - }, - "ja3": { - "type": "keyword", - "ignore_above": 1024 - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject": { - "type": "keyword", - "ignore_above": 1024 - }, - "supported_ciphers": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword", - "ignore_above": 1024 - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_curve": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_exponent": { - "type": "long", - "index": false, - "doc_values": false - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword", - "ignore_above": 1024 - }, - "signature_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "version_number": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "curve": { - "type": "keyword", - "ignore_above": 1024 - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "type": "keyword", - "ignore_above": 1024 - }, - "resumed": { - "type": 
"boolean" - }, - "server": { - "properties": { - "certificate": { - "type": "keyword", - "ignore_above": 1024 - }, - "certificate_chain": { - "type": "keyword", - "ignore_above": 1024 - }, - "hash": { - "properties": { - "md5": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha1": { - "type": "keyword", - "ignore_above": 1024 - }, - "sha256": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "issuer": { - "type": "keyword", - "ignore_above": 1024 - }, - "ja3s": { - "type": "keyword", - "ignore_above": 1024 - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "type": "keyword", - "ignore_above": 1024 - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword", - "ignore_above": 1024 - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - "distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_curve": { - "type": "keyword", - "ignore_above": 1024 - }, - "public_key_exponent": { - "type": "long", - "index": false, - "doc_values": false - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword", - "ignore_above": 1024 - }, - "signature_algorithm": { - "type": "keyword", - "ignore_above": 1024 - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "country": { - "type": "keyword", - "ignore_above": 1024 - }, - 
"distinguished_name": { - "type": "keyword", - "ignore_above": 1024 - }, - "locality": { - "type": "keyword", - "ignore_above": 1024 - }, - "organization": { - "type": "keyword", - "ignore_above": 1024 - }, - "organizational_unit": { - "type": "keyword", - "ignore_above": 1024 - }, - "state_or_province": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "version_number": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - }, - "version_protocol": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "trace": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "transaction": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "url": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "extension": { - "type": "keyword", - "ignore_above": 1024 - }, - "fragment": { - "type": "keyword", - "ignore_above": 1024 - }, - "full": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "original": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "password": { - "type": "keyword", - "ignore_above": 1024 - }, - "path": { - "type": "keyword", - "ignore_above": 1024 - }, - "port": { - "type": "long" - }, - "query": { - "type": "keyword", - "ignore_above": 1024 - }, - "registered_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "scheme": { - "type": "keyword", - "ignore_above": 1024 - }, - "subdomain": { - "type": "keyword", - "ignore_above": 1024 - }, - "top_level_domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "username": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - 
"type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "effective": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - 
"type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - }, - "target": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "email": { - "type": "keyword", - "ignore_above": 1024 - }, - "full_name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "hash": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "roles": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - }, - "original": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "os": { - "properties": { - "family": { - "type": "keyword", - "ignore_above": 1024 - }, - "full": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "kernel": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "platform": { - "type": "keyword", - 
"ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "vlan": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "name": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "vulnerability": { - "properties": { - "category": { - "type": "keyword", - "ignore_above": 1024 - }, - "classification": { - "type": "keyword", - "ignore_above": 1024 - }, - "description": { - "type": "keyword", - "ignore_above": 1024, - "fields": { - "text": { - "type": "text", - "norms": false - } - } - }, - "enumeration": { - "type": "keyword", - "ignore_above": 1024 - }, - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "reference": { - "type": "keyword", - "ignore_above": 1024 - }, - "report_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "scanner": { - "properties": { - "vendor": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "severity": { - "type": "keyword", - "ignore_above": 1024 - } - } - } - } - }, - "settings": { - "index": { - "lifecycle": { - "name": ".siem-signals-default", - "rollover_alias": ".siem-signals-default" - }, - "routing": { - "allocation": { - "include": { - "_tier_preference": "data_content" - } - } - }, - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_shards": "1", - "provided_name": ".siem-signals-default-000001", - "creation_date": "1647637827326", - "number_of_replicas": "1", - "uuid": "-jizlh0yQvSM5OkirjN63Q", - "version": { - "created": "7170099" - } - } - } - } -} \ No newline at end of file 
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json.gz b/x-pack/test/functional/es_archives/security_solution/alerts/7.17.0/mappings.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..fb737e83c010dacdb1347235cd72f8acf1459236 GIT binary patch literal 9846 zcmV-+CW+Y}iwFo^XH;SU18re&aA|I5b1rIgZ*BnXUE7k|IFfy@ujr`fw!`Hf+uQRr zKd`$ou^+&INJv5#Zze&x$`k$X3xJZUC;|z9!iADi5fkHg}_WRq%$GK*2Uq78NpGRxEro|m4lO9~)$-Qx;(sLY6TS~^%-NS6cy zkzrdB2O)GE&_AKKqv3(pgY4gvgL1j8!BbKX)dqJE)Uv5}kKlZpZii~}6H&#abq7wd z112bJ51aJ4Ex~0W2Qd=EFPAJv3PwC9qcBdV=_*b{uvqCsmj_?|nT9=RH$q+#OO}a> zqQkvxf!rUG**4Xo6W=Sh>jdO{%SsT4Uud?j38oR3dJ9jGLEBh7Xt=Hm_9rwk()h(Nu_d;^7yhcDPw`7IH#gGatOu=;Y*0 zO-aodOqMrAYzProVW?^MnvuSVxeg-8$!OSU^JyEVq?GYq zXoq)fHREooBZg@2fUAl>n>qk-tDA*fs;(0->|5~H70LtYRI*E7d!tAv2To8ze5BNL zDzQT+rCGg>7Uj>FUU}6kz*>yJ4@*yRhl?zr+|Uo3fYfNyW+gu0GUOD8Uap+#cCr$p z5lkbf61d`bm{AU3JCab|4rS?uVc&x?Em^N!*9=OIXQK6iyG%TBjov4pt$YNzu`WCe zpL($4x4%dIKFTpwzAC?D6JwBmCY61gQhDry37!wKe^2du&2YJuVDnxsG{r@d;r;B{ zDNPg8=jbs|1W4k`Mr=*tor&27$q$~~>`1CL)>R#+w8S&nw3OuP^NQ9#}Z z|I`h<69GW1j~#WmZ^{GP8P_>3*)VNW_c$C6FpZ3}C!`fTaBd}d#4UY=yRNZ{2@duK z16@oN?t4Y}F=$B!EXb0$_xw4dongf1d`ib!hJw=U+oH)cQCzWCJ_4B3A#=Lkl&&$O z+wq#1NA_S__A6Hj815roc@@Wu6j{LZi5yY9YdV>c!2_{S93}5C(&T7Ni)qRRu?Pac z8gMam$_jzz(IvRPa>^=m^{ujeQtz-XSx3Jr&jemqcQ;g13}u)T0@QJJe@($i2AVga zEY4vQ8c`qU=IHR2X?2PeX!q1e|D5%CBX; ztQ5O(K|aN9#G!rTu^Ud5h+LQaYM_T;Rj~s1Y6$7rb`7Nt79Ba@ti+T$lE`4?sN62$ zhtZ<|c#2}iM%8Dt`Uyg4hb)Y_T1K27L7rVCPKgG={3NM{#VA}z zpa6_0ERZPgNAjszm^!I^@Vg!h)3|ondNjdFF9s8?$nIZNbmoMP{bA#WxoK4ac2^Fr z3hbB-eTTU=3Lx$NwI?|$vu3-MTh=3D>d8-|RkGg+>)~3YqXV0&x_rwFll^Q@L>#Q= zVush_UBwQ!ch;m~ffHJHcsVYAKYPT3kV>-YP^VsD-?ou*8z#i}0s8Nmp8CS>V1IEU z7u0rvJaMWNTKAMv%1uhSfk>}0<%ZOuA|onNVU<0{i$gmQq3g}8!P1_ZAM@gzeki$2 zu$nz{8=+#!K}cp~nR&qOq-JmAnHD#@p2Mz^}58QRKYEhbpa9qD|?4c^Kl zK^KnM4x5tX8C$Rnl{+R6(Y-7(bTYah8R!j2K6Hmjg4i1f9<@-U^c?U(Qrly|AJJg51bPUZi7EOAL^Jv8>-2l0 z>2Hqu^C|K9!fltr)e8?~l#00e5)(GK_;UZZ`z2BMyS)&S`?tN2lKZoRyy&L4t7rf_ 
zw>(@C?I5G0Gt3T(Y8?}hJ(G`_z&@sjN+l8g1kXO(BA(eI@P7JaD~nvrh-nMYOQzIe zq|9D2(co0=s?HDi466IVlwalhSQmP`mzf%PsQ{1EQv)wE;W`|M)WFNpd{P6i)WAy) zO^8*&6vR;VaBie2S)f&~F=YcSlH~9X$e;)&4Jqu8>Skv)gD(~onY5i2NA?NKaGFIW zskf*iWt>1k-bTzdVd-}@seoO0CT(lG68i8BOzv8W_Jg-e4S>L0k{ zSS*wHR=>yE649-^jMfC9A0bYieCC&Mus~reULG#Gvejii=!0TY?@Y@}FZIrpexodX$ zNEqJf6L8>e7f4jg zDdkH65lJyb5X~{g${!#>zzP$=^j&!WRsoPb#1$Uxj2TtAJ z$}zeVAuD+D##wHWaT->j0NbfMRDwwK`}P8q?WL<|(B&4CAYuhe+0M%?up=2OXzHe0 zZn2%{Sb+n&bh$-$CS(Oq+1JZ0xFZ=mXi#S^$MD`rErh7*`Q;1eNY4r^&{E7T$}=HL zc*)*v^Djps!s*^PseyNho4c4ACo*i(!qBfINBu z1Qj!u($+EICG^=153*b-5ViDSroRq!KWiCoIT7V#j)PkrjLksGg6HyW%7*vZ_Hs@H zIvJ%Us$zybFhGIu9f3u_HXd$`39yajZJ{qadM&c|6fD(4v?+b){Q}l$bSp^0^^>(t zPk7-%BahkwXqQy%Aa;!h@ovP$hqlvNt7@QpojoCX8{ZC=A9L{t$=*^d96|?aS7B7lDp9=~)T!Xtf;tax2a4oa?m~Bh={UNbxdFY5tzS!D?BG2GD`=(>iwiJ`q3ysl z$~5+?!8EcehY%R1_W7{F3pC@{mbQ&!BXM6_=pBKjW`hc~EfdWkfCkd7cus_FfR7l@ zRz2ex@{c1~QIMZjx)$XSR*y;fw|yli=pkn?73;e$zkpo$5WIJSTH~J90lT!Z{!wjFUliC zWThLX^v&ijo(1{!8(rhcj{wvQFwQ{f7e4&~iy$ay)DVBb)k=yf^t0R?1^*j$coM+3 z>hHjEr=Fk6h z*PO<^9$*q`x4Y>aOf+lHlhEkdVixiFr%yk`goHJ?e&2wHX;l`uGvI4XZz0SXGP-@#w;Z41Hd}4x*6*NB~f-_|H;er&86*g|}Pzd0+bR0&& zZV$p@7SDZb+p_tQjb%XGar)zUa}W>Ef9nfKlxTxz;eKa)&Db(j{>$dldIHv+*b=F1 ztSvhM7`$SYKPuUUD~oV-Us;5$@lIY^)j6p#M`pbYS{ePEC$ZL?${0O(Y7Ov zi3(%Wpc__-(yOuW3!%OBE8I(ZCsxNQYIof_rM)ru)IPOCIrhRiht*YNT!g?V-?HT`#LZe<+dizBS=I zsh~IXnVp~!tZS3HfsX|zV7r4hc@sttpdG6FwviX^b5Bifrgu+Bar(5U_Ks?^JHOhS zO^>_7j2nU%v9cGL{!J(ffSL{3J9JwFhPk0y2weI`2-=>lB{Wbulxu+wGgN}Re9 zy8w~85<8kt>Pnot63d|l?n1=lgAEmpVM( z!dpr`lD*Qlx*QnaD~3FbO}xh)VH#CHpH?_4Jgy6AnHC?UVs@))x_pm&DyvGP@l%t` zEAmSxb2;>MnLjg{wmWojuC8@*CjJ`wR<6AI2;JMEn*0nGNWpaaX6WRzTkQ@Fb9q{A z6Mrn;fEOzF49E*_u%+JY89)k!Bv8HdsgXRdcJ0pMw84ODmDcAWY)G!<-SykLSOTT? 
zmd?frw!_s1w6J>C&d#k#p`MS9v%xmNcNIs-$bqy#F1`YBPB&3gk3}~Q; z%7CqSZ{Acbs>6s~q4^R|^a{%5&wZN& z?YOm7OWSHI9Z;#Cje0~YU5KY7p}NQvX|%tRT8PW-5?-RwmnIYOvITi!TE<3IcC7Ur ze%TICD?HD{d1*Hus3+754T8A}q8b*z@N^k1JKdIuQe4ZLr^!a$V+6b;qlmN(?TBAyO_Jgz4H0w@shf$^qAnpFOCplBu zo9(v8MjSL8CWXywhRA*=tcPonjt*?9s3;VX_cKiPvpo@Uu%3$QHQx!y6F&59^JQHq1^6KzqSHmY~KbfA%b6Uu54ZWOPL2=h%(vJ!g#6J zP+BuXReXtK-P@z5ScE@+`5KG#mnW4->6vt2U@S{paZK83>!+BJ$Clkka=(S%KB$!P z{ca`D-7+C>UT;n7dJ#{VNJgLwW`a&>=~jRgKi0ZqCM3LzUZ8s>FciJJCM+P>eG?c9 z=+2p7S+p%7*N(;Li{)yKyJrF+53UcTre48uw9PFb3|V z2_m^m2_gZzmL`J(=2nOT=w=d6m{yNBb2m*e>t2y~*z`5=KgBG?I6C)JJY*VoR6Jlt z?x_hpwfRj)%h**lp%-*Hw63do&@@aj93IUP-1Y#t`i!wIHXwtpzpKdK ztEmWZ5l$eQ8{8rPvx)gh?KYeM@^5ukyAgu}QM(m`Ls7dK14Dt_j-H?_K4z)lnDjH* zQmMo8Z_;+H&W{X_1xyT|Y zTrR!X3~==bDwzk6cV;DhRC11kmVD-y)f)QjT`r75cKMY8sFgB_#U3@0L+*M_A7uZ2 zU;c-;E$ZoPVZi!7idZG>p;a|R7GL^JlAs;i29c7&)SkIm>}5|5&bSLmhz%5kPOzeR z2UHH8md@a)mS`So4xUt1?wIp+;cdRc)C9Y(MbFUtYNw!oeZ%ZZhpVg&bRVcsLeBQp z&f)C{5({45G)&s-T^1t^TO*X85P1Zeds@Q~XkWywCTicDTOC^Fer=@967?+|R84Uv zAkFnZO+O10Od~FjwsGaN8k^@x7`A&(z=5_;@uc4V$^R@v!X%$wYcW-68y4zg(Nu_p zxusH1>uVvTp4O?SwZr+Op4O?SwH(^bbctP5eL^}paDo!zBc(CiS%P8f zgMmLp4%T9X(UOXJ2zx-ep&vE@snMp*N_@a&$SJC9HoBdxglGiQ2&x3G_#I}H<1{Gb zy|KJ7?0bl~kgV6PYX&99Gtv6MT_&Cg7eBdntybXe}yXx^9$kVa!NmUJK%ZNSX#Ka6_Ee5@n=GjC6fL~LZs)EJ$X`BYgB8$42 z=40}+oi$8w7(c*arzH6}?cqQkQgJI3O=Oq0|P9 z_F%^jH7_pU?JZL74w3~5+u#(>fl*=RKmo8~kR|o)7ZHMT5*Jcad}CL>n&Nz4lkf1^ zOD`=1wSL%`ybbZJ;TsXpYTt_86g1NigBiRb_e4$K)&k1Fx9ab_BoitxhRlQc;W)B; z4eD)Rl5@EwQq@KZs8OwobQ%bTXkOrLf1* zy^(+q-0vIZTV8=4Vl2fg>F?Z$GUz`go5`3T^WdEK7-8VyLmjjcE+$`O7smRT{ zzf|NV6}bruAr-kvMQ$9HC zYTWbG``KD(1?W?}!8Nyv)G}%_f_M(Jl+Grs_A~H5$cJuVLAAv`;$Ily1IO@~v$4r< z3@oj0fbj6wLs%~W;&~E6}MWCcuog9|~D(zOtjOsFh0^(C(k*pcY<@`DaI)OVRQ(#HmQYD?B zSAwo-d1Q1QIpD0sl$t9&ivTV{hs&+YJJg_m`Q-WNY>dZaWQ?-*-K+y{-VRW~jg^7r zERefu3whC6C1RLMnUKaW+;wIprff?l`QjR1nToT=$Z#`RoGbA>+7L~5`q@uxw}AMO z?Ka?lnpF|w<|WdqbL&K|=%2iP;5^CZb&PAVgb$nDY%q*jS2w+Lo1TqHZW6lTWwAcs ztKBb}Cp3mj&Fw*|Soc(Xp<1sAGG@DkZOn3yq-l(#Gf|C3y 
z4y~c3WqrWg{cBHhRA$X~tFAdMIb$Zuj2qjYB#*u;nvzJj~|cZUs+3JibS- zmspQ?DnIt@S>IQQ#kDrUvx*(L&ZFda@9YteRV~S;Lz?;k=ifv(bWmJwfuOCxV1aL! znX>T&F*XVjswdC*DQ-RP!mheR;tI>8Mk zv^$&tOI~j&?UR0#mOsk!x2W&Mdam(Uu2#0t=$R8>%R_RY_ER%5!Chv$V!ZKD_W2&K z)Z7Bq6^@V2pbl|-ki2ejTyvTe5&z}Or$3!o;CbiB8c|-OgD=ZEi(ZkwAM_EfHWr?| zsVXz?y?8vj?c^9*a}!t##^jl5IFNqNIQ`8mF%J#`nv<;ytVMCp^#Mj@Hq^vQB#v6| zjaSIYgeiYvi{TrvVAc)I(AJ_x(-nCXjMN5i8*`uUa$4=MDM_BO7m=ZI$FxSeSM|i3 zQ4OmbyaCOJZl%`bcOZF%q1wVQBlH;<-5!ei)G^y|vbULyI_thGpmXuek# ztTpQoL7R%m`pBK120Sb}w&O?Oa*O zOCtA+XgPk)zufXZm2o)AJNj9^kJY9dYX57(&)`h|a12e8*&h@LoXH=J2gvkhDAdRA z#`_EX5l7f%n z=q(^FZID}%i~?Xwl2MY3R)h22BqQS>vz6MZFKxdHDa5^%8MB?hZtGqivUa8??f!l_ zR*hdM-%zy48(BuZd-NUdhspu+(I%B_?a9`jZ0+!8>$A1Tv7z3Iu|1-(JDHi2GUW?f zQl^qJwHloFrc5O>v;4tiW=>}2_%AG(nU_q@YKr_XNk(2_CdnvCMnO?Jk&N!l%&hLJ z;oekxS~|b>;Ro5jC-L4Ln(aa`;#->55D01A^VF@`3tA`Md5LQfr?R%A2OkGen%X@z zpwzSnV)D|_iwMo00kT@4Y!-bMiza);j)?&!oPVWd07@yl-*$@9$Q}sEOC19W-Q@_X zGR8ifk@~X4?x`xv40|92lnr)I&7cghd!j&D-ynBrKa(oqbhJIHcT#Oy>$nDMEBkc} zVMbY1ao;axeqDOWJdr+k`habRHudmQQp&W@bHAy(YuamTX93LF~!>J|4^b;M9T)d zlJzSxlr`?qhDfq4;MgKW@vaFJJC~QJ@5ee8q2hE4+~*x>UDCTz0S4DY#kNSWl@E02 zptAKosPS0UEYRHg9M$!*iZusZ7fpa_9adYg&*kaB+SzPSuf2V@WrL_$y$oC*NY~Un zeqXBBEFG8Pifs?4L$34s?=izA&+GGc+daJh|05se+i zUD=NxdxEPEBI&m5KNNV2hH}c2xn-nmcun(Dn>fXfr1x{z3>@brc~tTYNhwQa)5y!A zkRF$eofMvJ_m1`P40@F1O-;E`#8P^wP}@q-(S{w5OmVxhHLXNG;^WgN_V=hIGG^0d z%{J@zs1qYTKD}GwN0B{Pyrr|s*Y^Xb_G$9Nyu)G*vtq2z_4xGlAK$+I@$J7pfBWO} z*GDM^#>h)1hs;q7gJABDAO0dg%l)UCZnORh#&M|L^br2S^>eAiB8%02AXm$N&HU literal 0 HcmV?d00001 diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json deleted file mode 100644 index c38f2265a4b08..0000000000000 --- a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json +++ /dev/null 
@@ -1,8127 +0,0 @@ -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "f749117366e32b88f62b01f8fc9070480e06e604fe6413b8a4dbf38910823a4d", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.854Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - 
"id": "FCC8nn8Bx5kiROf39Q9q", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.775Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "ICC9nn8Bx5kiROf3Bw9I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": 
"low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.775Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "f749117366e32b88f62b01f8fc9070480e06e604fe6413b8a4dbf38910823a4d" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "ab8e0e674e9220cacec30eef777be624dd8f84b989c04c00b8f8b3361e76063c", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.857Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - 
"name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "FiC8nn8Bx5kiROf39w-A", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.199Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HyC9nn8Bx5kiROf3Bg8J", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - 
"version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "ab8e0e674e9220cacec30eef777be624dd8f84b989c04c00b8f8b3361e76063c" - } - } -} - -{ - "type": "doc", - "value": { - "_index": 
".internal.alerts-security.alerts-default", - "_id": "84155febd44edb828ee2f2a58066c695d8aba500fbba24f3127559f22e8cd9d1", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.860Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "FSC8nn8Bx5kiROf39g9R", - "index": "threat-index-000001", - 
"type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.858Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HiC9nn8Bx5kiROf3Aw_G", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - 
"kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "84155febd44edb828ee2f2a58066c695d8aba500fbba24f3127559f22e8cd9d1" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "fbeb58a2b777a9852c9500ea45b53133b74341dd5b479ee14bc16927fc40c14c", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.862Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": 
"8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "FCC8nn8Bx5kiROf39Q9q", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.515Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HSC9nn8Bx5kiROf3Ag9w", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - 
"immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "fbeb58a2b777a9852c9500ea45b53133b74341dd5b479ee14bc16927fc40c14c" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": 
"78b60c6a3c736c62d0439f07fc587bc6b79a6a9f682ffbb3f95c3c12422d8524", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.866Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "FiC8nn8Bx5kiROf39w-A", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - 
"event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.281Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HCC9nn8Bx5kiROf3AQ8d", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": 
[], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "78b60c6a3c736c62d0439f07fc587bc6b79a6a9f682ffbb3f95c3c12422d8524" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "fb6c54a130268bc365c0f92b231369c57869544c115c9df86dfb5e7de2c64901", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.868Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, 
- "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "FSC8nn8Bx5kiROf39g9R", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.959Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GyC9nn8Bx5kiROf3AA80", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - 
"events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "fb6c54a130268bc365c0f92b231369c57869544c115c9df86dfb5e7de2c64901" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "15673548fc038cd5e0db2a6b10f42402f144aa5fb7840da6b83901af6dc20514", - "_score": 1, - 
"_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.870Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "FCC8nn8Bx5kiROf39Q9q", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.632Z", - 
"event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GiC8nn8Bx5kiROf3_g_t", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": 
"f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "15673548fc038cd5e0db2a6b10f42402f144aa5fb7840da6b83901af6dc20514" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "87b0b0b35babe61d801337f6787c1b0b091ed182fd7cc1537bab5edd55e45c5e", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.873Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": 
"elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-3", - "field": "host.name", - "id": "FiC8nn8Bx5kiROf39w-A", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.031Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GSC8nn8Bx5kiROf3_Q-m", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - 
"threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "87b0b0b35babe61d801337f6787c1b0b091ed182fd7cc1537bab5edd55e45c5e" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "eba57f5f68f5b30a23e61e072e590557cecf61587981bb5a4cf3ae3aae7d1924", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - 
"kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.875Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-2", - "field": "host.name", - "id": "FSC8nn8Bx5kiROf39g9R", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.429Z", - "event.dataset": "elastic_agent.filebeat", - 
"kibana.alert.ancestors": [ - { - "id": "GCC8nn8Bx5kiROf3-w9Q", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - "entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - 
"kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "eba57f5f68f5b30a23e61e072e590557cecf61587981bb5a4cf3ae3aae7d1924" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "a85253a6a45c8ce93f8c72b5926b501025503a857984f899ecee9469680ae199", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Indicator Match Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threat-match-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.indicatorRule", - "kibana.alert.rule.uuid": "d2e9b850-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:37.877Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": 
"elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "threat": { - "enrichments": [ - { - "indicator": {}, - "feed": {}, - "matched": { - "atomic": "security-linux-1", - "field": "host.name", - "id": "FCC8nn8Bx5kiROf39Q9q", - "index": "threat-index-000001", - "type": "indicator_match_rule" - } - } - ] - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.054Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "FyC8nn8Bx5kiROf3-A_I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert threat-match-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threat match rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threat_match", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threat_query": "*", - "threat_mapping": [ - { - 
"entries": [ - { - "field": "host.name", - "type": "mapping", - "value": "host.name" - } - ] - } - ], - "threat_language": "kuery", - "threat_index": [ - "threat-index-*" - ], - "threat_indicator_path": "threat.indicator" - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:35.289Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:36.803Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threat_match", - "kibana.alert.rule.description": "a simple threat match rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "f3d8da21-5340-40e1-a8ce-6dce11fb2fc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.054Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "a85253a6a45c8ce93f8c72b5926b501025503a857984f899ecee9469680ae199" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "9d6cbb26fd21cf18390de874d9aa36630a649a467ede0895ec2ba7c99340b9a3", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Threshold Rule", - 
"kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threshold-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.thresholdRule", - "kibana.alert.rule.uuid": "d110d9a0-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:34.812Z", - "host.name": "security-linux-1", - "kibana.alert.ancestors": [ - { - "id": "6b00b0e4-854d-5689-8a81-01cf8af209a6", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event created low alert threshold-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:32.284Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:33.770Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threshold", - "kibana.alert.rule.description": "a simple threshold rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], 
- "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", - "kibana.alert.threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-1" - } - ], - "count": 4, - "from": "2022-03-18T10:34:34.219Z" - }, - "event.kind": "signal", - "kibana.alert.uuid": "9d6cbb26fd21cf18390de874d9aa36630a649a467ede0895ec2ba7c99340b9a3" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "edfb451406abe4740f6d99b44b7bc6d2ce32d394c0adf2001fd25011641789dd", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Threshold Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threshold-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.thresholdRule", - "kibana.alert.rule.uuid": "d110d9a0-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:34.813Z", - "host.name": "security-linux-2", - "kibana.alert.ancestors": [ - { - "id": "7ab8b94f-87d5-560e-aa7b-32daa6ab5f72", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event created low alert threshold-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a 
simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:32.284Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:33.770Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threshold", - "kibana.alert.rule.description": "a simple threshold rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", - "kibana.alert.threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-2" - } - ], - "count": 3, - "from": "2022-03-18T10:34:34.219Z" - }, - "event.kind": "signal", - "kibana.alert.uuid": 
"edfb451406abe4740f6d99b44b7bc6d2ce32d394c0adf2001fd25011641789dd" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "5edc68060103d782e59a622cbfcf8cb3a183f3b21f2c9ab221983031d0cd4e64", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Threshold Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "threshold-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.thresholdRule", - "kibana.alert.rule.uuid": "d110d9a0-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:34.815Z", - "host.name": "security-linux-3", - "kibana.alert.ancestors": [ - { - "id": "c69a9b05-0217-58e5-8d09-64a60ef11c70", - "type": "event", - "index": "events-index-*", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event created low alert threshold-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple threshold rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "threshold", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [], - "threshold": { - "field": [ - "host.name" - ], - "value": 1 - } - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:32.284Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", 
- "kibana.alert.rule.updated_at": "2022-03-18T20:34:33.770Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "threshold", - "kibana.alert.rule.description": "a simple threshold rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "abb98471-6bfd-4cdc-b0af-da9bc74ca9d1", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", - "kibana.alert.threshold_result": { - "terms": [ - { - "field": "host.name", - "value": "security-linux-3" - } - ], - "count": 3, - "from": "2022-03-18T10:34:34.219Z" - }, - "event.kind": "signal", - "kibana.alert.uuid": "5edc68060103d782e59a622cbfcf8cb3a183f3b21f2c9ab221983031d0cd4e64" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "c0e6bc0a2ed86d7f3488f72ee128ff4ac677b3ea5c8128775dd0a6ba5fa94e57", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.973Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - 
"version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.054Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "FyC8nn8Bx5kiROf3-A_I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - 
"references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.054Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "c0e6bc0a2ed86d7f3488f72ee128ff4ac677b3ea5c8128775dd0a6ba5fa94e57", - "kibana.alert.group.id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "f00619b71b4bb83e3c4b23644e428fba0656f8935847c9dfa1038fb13271ea82", - "_score": 1, 
- "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.975Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.429Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GCC8nn8Bx5kiROf3-w9Q", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - 
"kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.agent_id_status": 
"verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "f00619b71b4bb83e3c4b23644e428fba0656f8935847c9dfa1038fb13271ea82", - "kibana.alert.group.id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.977Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": 
"logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - 
"kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "FyC8nn8Bx5kiROf3-A_I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "c0e6bc0a2ed86d7f3488f72ee128ff4ac677b3ea5c8128775dd0a6ba5fa94e57", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "GCC8nn8Bx5kiROf3-w9Q", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "f00619b71b4bb83e3c4b23644e428fba0656f8935847c9dfa1038fb13271ea82", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", - "kibana.alert.group.id": "e45b101ca1b2c07d2b2bf1a040e5b9547a7490cad591cd1bec669f2a05ae6815" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "eb8b8fe02c5fa92b62ea4016abf309e0825515e2859f7790435d328ce4fa24f1", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.980Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", 
- "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.429Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GCC8nn8Bx5kiROf3-w9Q", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - 
"kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "eb8b8fe02c5fa92b62ea4016abf309e0825515e2859f7790435d328ce4fa24f1", - "kibana.alert.group.id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "b71ae13a141ecf7bda96cbd450e021b82627e9a6232b3fd2bad1227162f8095d", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - 
"kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.983Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.031Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GSC8nn8Bx5kiROf3_Q-m", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - 
"kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": 
"b71ae13a141ecf7bda96cbd450e021b82627e9a6232b3fd2bad1227162f8095d", - "kibana.alert.group.id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.984Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - 
"kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": 
"GCC8nn8Bx5kiROf3-w9Q", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "eb8b8fe02c5fa92b62ea4016abf309e0825515e2859f7790435d328ce4fa24f1", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "GSC8nn8Bx5kiROf3_Q-m", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "b71ae13a141ecf7bda96cbd450e021b82627e9a6232b3fd2bad1227162f8095d", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", - "kibana.alert.group.id": "01d8eb6ffb62a7e43eab94b4e81d323f637b3e873468958e93d21b0a634070a9" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "f757a7a330f9750adee240bac8ceba9f6d6e0c3d51f5e53e3868d53abdc48833", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.987Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": 
"g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.031Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GSC8nn8Bx5kiROf3_Q-m", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - 
"kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "f757a7a330f9750adee240bac8ceba9f6d6e0c3d51f5e53e3868d53abdc48833", - "kibana.alert.group.id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "d8e4b2e592b397f293976c113fd9f54f2f548064dbde4e5635f6c6ee74c94906", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" 
- ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.990Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.632Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GiC8nn8Bx5kiROf3_g_t", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - 
"false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "d8e4b2e592b397f293976c113fd9f54f2f548064dbde4e5635f6c6ee74c94906", - "kibana.alert.group.id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6", - 
"kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.991Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a 
simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "GSC8nn8Bx5kiROf3_Q-m", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "f757a7a330f9750adee240bac8ceba9f6d6e0c3d51f5e53e3868d53abdc48833", - "type": "signal", 
- "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "GiC8nn8Bx5kiROf3_g_t", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "d8e4b2e592b397f293976c113fd9f54f2f548064dbde4e5635f6c6ee74c94906", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", - "kibana.alert.group.id": "ca3adb3e0ccdbc711c616970d17d150773b8f1d3cc2d7644c4e3b451ad2b26d6" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "e1b786c09f1c1c09292e6d5282a2547da980da8f815a04cc8596fb2781456216", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.995Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - 
"kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.632Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GiC8nn8Bx5kiROf3_g_t", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - 
"kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "e1b786c09f1c1c09292e6d5282a2547da980da8f815a04cc8596fb2781456216", - "kibana.alert.group.id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "818488b97e8141b9ea320d423ab97a2051eeee17406f62048829376d92fdcc77", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.997Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - 
"version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.959Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GyC9nn8Bx5kiROf3AA80", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - 
"references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "818488b97e8141b9ea320d423ab97a2051eeee17406f62048829376d92fdcc77", - "kibana.alert.group.id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad", - "_score": 1, 
- "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:31.998Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - 
"risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "GiC8nn8Bx5kiROf3_g_t", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "e1b786c09f1c1c09292e6d5282a2547da980da8f815a04cc8596fb2781456216", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "GyC9nn8Bx5kiROf3AA80", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": 
"818488b97e8141b9ea320d423ab97a2051eeee17406f62048829376d92fdcc77", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", - "kibana.alert.group.id": "b2424ad051869deff238429e2ea164314c1819592ced333c01a96a5401b120ad" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "92c0a5b141e5cd2a3815741071655bfc0a5d96295d1b74e1cab9f081746c7b05", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.001Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - 
"containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.959Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GyC9nn8Bx5kiROf3AA80", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - 
"kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "92c0a5b141e5cd2a3815741071655bfc0a5d96295d1b74e1cab9f081746c7b05", - "kibana.alert.group.id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "930d8122b24659e376b54776039cec1aa15168386774d05c04a813ee5fa8f182", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.004Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - 
"cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.281Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HCC9nn8Bx5kiROf3AQ8d", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any 
where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "930d8122b24659e376b54776039cec1aa15168386774d05c04a813ee5fa8f182", - "kibana.alert.group.id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", 
- "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.005Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - 
"language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "GyC9nn8Bx5kiROf3AA80", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "92c0a5b141e5cd2a3815741071655bfc0a5d96295d1b74e1cab9f081746c7b05", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "HCC9nn8Bx5kiROf3AQ8d", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "930d8122b24659e376b54776039cec1aa15168386774d05c04a813ee5fa8f182", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": 
"event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", - "kibana.alert.group.id": "ccc0db82489ea49940db561d9542b307e96f6abf5e2bb220160d7b6ae4ef5196" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "763d6d9a7d0314e994e34160765496398bb950c0deb718c677e25a7d4ae9bd74", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.009Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": 
"default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.281Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HCC9nn8Bx5kiROf3AQ8d", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - 
"kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "763d6d9a7d0314e994e34160765496398bb950c0deb718c677e25a7d4ae9bd74", - "kibana.alert.group.id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "4363d5a52b18d06083720524d7881fc8eecd19888a96dcdf2976c2f7d49dda5f", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.011Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - 
"project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.515Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HSC9nn8Bx5kiROf3Ag9w", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - 
"kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "4363d5a52b18d06083720524d7881fc8eecd19888a96dcdf2976c2f7d49dda5f", - "kibana.alert.group.id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], 
- "@timestamp": "2022-03-18T20:34:32.012Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": 
"elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "HCC9nn8Bx5kiROf3AQ8d", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "763d6d9a7d0314e994e34160765496398bb950c0deb718c677e25a7d4ae9bd74", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "HSC9nn8Bx5kiROf3Ag9w", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "4363d5a52b18d06083720524d7881fc8eecd19888a96dcdf2976c2f7d49dda5f", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", - "kibana.alert.group.id": "9d0a89f1a45655e7b36929f5022dd7a45454ed165a1c1bebd4a2cfec63e0bb94" - } - 
} -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "a13cfd03267db8839879a55b581b1940a9b175d51f68f6f6dd5f7eed0b6f2fa5", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.022Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.515Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - 
"id": "HSC9nn8Bx5kiROf3Ag9w", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - 
"kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "a13cfd03267db8839879a55b581b1940a9b175d51f68f6f6dd5f7eed0b6f2fa5", - "kibana.alert.group.id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "3caaf3a51113942a7064dcf5895cd94e7caa81ca3fddda4a1806a580f0f566fd", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.024Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - 
"codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.858Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HiC9nn8Bx5kiROf3Aw_G", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a 
simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "3caaf3a51113942a7064dcf5895cd94e7caa81ca3fddda4a1806a580f0f566fd", - "kibana.alert.group.id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.024Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": 
"2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "HSC9nn8Bx5kiROf3Ag9w", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "a13cfd03267db8839879a55b581b1940a9b175d51f68f6f6dd5f7eed0b6f2fa5", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "HiC9nn8Bx5kiROf3Aw_G", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "3caaf3a51113942a7064dcf5895cd94e7caa81ca3fddda4a1806a580f0f566fd", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", - "kibana.alert.group.id": "e7c043b7ff78df30b930a01744e9824b7de03f39075cf747394cf85806db0eec" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": 
"aaea2a77dba200c71cebfdceadf441f67204e0a7537e873ea8835ae3dce9d698", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.028Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.858Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HiC9nn8Bx5kiROf3Aw_G", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - 
"kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": 
"2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "aaea2a77dba200c71cebfdceadf441f67204e0a7537e873ea8835ae3dce9d698", - "kibana.alert.group.id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "d451bbf6d3cbc1b479b2a75708d45790b6d5d676f055f57685dc8c25cd681dec", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.030Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - 
"platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.199Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HyC9nn8Bx5kiROf3Bg8J", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": 
"", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "d451bbf6d3cbc1b479b2a75708d45790b6d5d676f055f57685dc8c25cd681dec", - "kibana.alert.group.id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.031Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": 
"security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - 
"kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "HiC9nn8Bx5kiROf3Aw_G", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "aaea2a77dba200c71cebfdceadf441f67204e0a7537e873ea8835ae3dce9d698", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "HyC9nn8Bx5kiROf3Bg8J", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "d451bbf6d3cbc1b479b2a75708d45790b6d5d676f055f57685dc8c25cd681dec", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", - "kibana.alert.group.id": "ea15b1c3b655cf6174112f26888d8386437bc6436259085639f3803adc5e000c" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "34a93e78ff1b49b11bcbfc72162e0737393c63de0e20135685462b46edf94760", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": 
"siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.034Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.199Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HyC9nn8Bx5kiROf3Bg8J", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert eql-rule.", - 
"kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", - 
"kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "34a93e78ff1b49b11bcbfc72162e0737393c63de0e20135685462b46edf94760", - "kibana.alert.group.id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54", - "kibana.alert.group.index": 0 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "30b43dbbe130f75f33e8370cd9ca30a1476767700644cfb6ee35d63099176b43", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.036Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": 
"filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.775Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "ICC9nn8Bx5kiROf3Bw9I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert eql-rule.", - "kibana.alert.building_block_type": "default", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": 
"332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.775Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "30b43dbbe130f75f33e8370cd9ca30a1476767700644cfb6ee35d63099176b43", - "kibana.alert.group.id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54", - "kibana.alert.group.index": 1 - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Event Correlation Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "eql-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.eqlRule", - "kibana.alert.rule.uuid": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:32.037Z", - "agent": { - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - 
"project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 2, - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple eql rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "eql", - "language": "eql", - "index": [ - "events-index-*" - ], - "query": "sequence [any where true] [any where true]", - "filters": [] - }, - "kibana.alert.rule.created_at": "2022-03-18T20:34:29.279Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:30.740Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "eql", - "kibana.alert.rule.description": "a simple eql rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - 
"kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "332b09a5-aa2b-4833-940a-182d26e2fc95", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "event": { - "kind": "signal" - }, - "kibana.alert.ancestors": [ - { - "id": "HyC9nn8Bx5kiROf3Bg8J", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "34a93e78ff1b49b11bcbfc72162e0737393c63de0e20135685462b46edf94760", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - }, - { - "id": "ICC9nn8Bx5kiROf3Bw9I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - }, - { - "id": "30b43dbbe130f75f33e8370cd9ca30a1476767700644cfb6ee35d63099176b43", - "type": "signal", - "index": "", - "depth": 1, - "rule": "cf44cc30-a6fa-11ec-99b4-4d95ca76f836" - } - ], - "kibana.alert.reason": "event created low alert eql-rule.", - "kibana.alert.rule.actions": [], - "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", - "kibana.alert.group.id": "46af66366386e15dee577091f6eb77c5fba3782e346c0dc157888417f9898b54" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "cadfed124e07778b37d1ffa03da091888fb760a8a98420defc9ce11a3707b7ad", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - 
"kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.793Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.054Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "FyC8nn8Bx5kiROf3-A_I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - 
"severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.054Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.054Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "cadfed124e07778b37d1ffa03da091888fb760a8a98420defc9ce11a3707b7ad" - } - } -} - -{ - "type": "doc", - "value": { - "_index": 
".internal.alerts-security.alerts-default", - "_id": "c89ab9cbcf9ea0217688746df8d25a8209cf6c062ebc315a7459f711dfd082e5", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.797Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:17.429Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GCC8nn8Bx5kiROf3-w9Q", - "type": "event", - 
"index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:17.429Z", 
- "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:17.429Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "c89ab9cbcf9ea0217688746df8d25a8209cf6c062ebc315a7459f711dfd082e5" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "23eb02e3f54112825511fd7b18258d288efda15484a73a73464005ec72e53a94", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.801Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": 
"filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.031Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GSC8nn8Bx5kiROf3_Q-m", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - 
"kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.031Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "23eb02e3f54112825511fd7b18258d288efda15484a73a73464005ec72e53a94" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "7c2a1ffb2653dcc26dad5384523d9f54570b79a269ac395c91c6bbd94bcbe92c", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.806Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - 
"host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.632Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GiC8nn8Bx5kiROf3_g_t", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - 
"kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.632Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "7c2a1ffb2653dcc26dad5384523d9f54570b79a269ac395c91c6bbd94bcbe92c" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "d8a91e57b73ce6d51c5aea108438917d0540dd22ed11cf1b8b6f771883c9541a", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.811Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:18.959Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "GyC9nn8Bx5kiROf3AA80", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - 
"language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:18.959Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "d8a91e57b73ce6d51c5aea108438917d0540dd22ed11cf1b8b6f771883c9541a" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "3606946f7925b4cd1550e3c924f2096960407810c1e163019aa4afd0855c3bc6", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": 
"siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.815Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.281Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HCC9nn8Bx5kiROf3AQ8d", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - 
"risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.281Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "3606946f7925b4cd1550e3c924f2096960407810c1e163019aa4afd0855c3bc6" - } - } -} - -{ - "type": "doc", - "value": { - "_index": 
".internal.alerts-security.alerts-default", - "_id": "f49b6b07230c727f3afac02cfa02ab9950a663f6f657713526dcc9b40e4cddbd", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.818Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.515Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HSC9nn8Bx5kiROf3Ag9w", - "type": "event", - 
"index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.515Z", 
- "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.515Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "f49b6b07230c727f3afac02cfa02ab9950a663f6f657713526dcc9b40e4cddbd" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "892746def295d2f050f9d7ea518f3d1936a31446a0daf992e97d6f30396656fb", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.822Z", - "agent": { - "name": "security-linux-2.example.dev", - "id": "87c417dd-08d6-4e24-ad69-285cb8de84e9", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-2", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.195", - "name": "security-linux-2", - "architecture": "x86_64" - }, - "service.name": 
"filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:19.858Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HiC9nn8Bx5kiROf3Aw_G", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-2 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - 
"kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:19.858Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "892746def295d2f050f9d7ea518f3d1936a31446a0daf992e97d6f30396656fb" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "0739643bae7ae40e27b67340c9f38333fc497d1c10d1eb806001b9380355d77d", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.825Z", - "agent": { - "name": "security-linux-3.example.dev", - "id": "06851da1-73e7-41e3-97d6-ff1d62c98dc5", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": "/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - 
"host": { - "hostname": "security-linux-3", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.196", - "name": "security-linux-3", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.199Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "HyC9nn8Bx5kiROf3Bg8J", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-3 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - "language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - 
"kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.199Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "0739643bae7ae40e27b67340c9f38333fc497d1c10d1eb806001b9380355d77d" - } - } -} - -{ - "type": "doc", - "value": { - "_index": ".internal.alerts-security.alerts-default", - "_id": "fa86b2e41c2f118a5499ee514a989bb5352e18b7c2f8fbfe57ef55c6fecfaff2", - "_score": 1, - "_source": { - "kibana.version": "8.0.0", - "kibana.alert.rule.category": "Custom Query Rule", - "kibana.alert.rule.consumer": "siem", - "kibana.alert.rule.name": "query-rule", - "kibana.alert.rule.producer": "siem", - "kibana.alert.rule.rule_type_id": "siem.queryRule", - "kibana.alert.rule.uuid": "cd388170-a6fa-11ec-99b4-4d95ca76f836", - "kibana.space_ids": [ - "default" - ], - "kibana.alert.rule.tags": [], - "@timestamp": "2022-03-18T20:34:28.828Z", - "agent": { - "name": "security-linux-1.example.dev", - "id": "d8f66724-3cf2-437c-b124-6ac9fb0e2311", - "type": "filebeat", - "version": "8.0.0" - }, - "log": { - "file": { - "path": 
"/opt/Elastic/Agent/data/elastic-agent-a13c93/logs/default/filebeat-20220301-3.ndjson" - }, - "offset": 148938 - }, - "cloud": { - "availability_zone": "us-central1-c", - "instance": { - "name": "security-linux-1", - "id": "8995531128842994872" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "g1-small" - }, - "project": { - "id": "elastic-siem" - }, - "account": { - "id": "elastic-siem" - } - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "security-linux-1", - "os": { - "kernel": "4.19.0-18-cloud-amd64", - "codename": "buster", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "10 (buster)", - "platform": "debian" - }, - "containerized": false, - "ip": "11.200.0.194", - "name": "security-linux-1", - "architecture": "x86_64" - }, - "service.name": "filebeat", - "message": "Status message.", - "data_stream": { - "namespace": "default", - "type": "logs", - "dataset": "elastic_agent.filebeat" - }, - "event.agent_id_status": "verified", - "event.ingested": "2022-03-18T20:34:20.775Z", - "event.dataset": "elastic_agent.filebeat", - "kibana.alert.ancestors": [ - { - "id": "ICC9nn8Bx5kiROf3Bw9I", - "type": "event", - "index": "events-index-000001", - "depth": 0 - } - ], - "kibana.alert.status": "active", - "kibana.alert.workflow_status": "open", - "kibana.alert.depth": 1, - "kibana.alert.reason": "event on security-linux-1 created low alert query-rule.", - "kibana.alert.severity": "low", - "kibana.alert.risk_score": 21, - "kibana.alert.rule.parameters": { - "description": "a simple query rule", - "risk_score": 21, - "severity": "low", - "license": "", - "author": [], - "false_positives": [], - "from": "now-36000s", - "rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "max_signals": 100, - "risk_score_mapping": [], - "severity_mapping": [], - "threat": [], - "to": "now", - "references": [], - "version": 1, - "exceptions_list": [], - "immutable": false, - "type": "query", - 
"language": "kuery", - "index": [ - "events-index-*" - ], - "query": "*", - "filters": [] - }, - "kibana.alert.rule.actions": [], - "kibana.alert.rule.created_at": "2022-03-18T20:34:26.274Z", - "kibana.alert.rule.created_by": "elastic", - "kibana.alert.rule.enabled": true, - "kibana.alert.rule.interval": "1m", - "kibana.alert.rule.updated_at": "2022-03-18T20:34:27.703Z", - "kibana.alert.rule.updated_by": "elastic", - "kibana.alert.rule.type": "query", - "kibana.alert.rule.description": "a simple query rule", - "kibana.alert.rule.risk_score": 21, - "kibana.alert.rule.severity": "low", - "kibana.alert.rule.license": "", - "kibana.alert.rule.author": [], - "kibana.alert.rule.false_positives": [], - "kibana.alert.rule.from": "now-36000s", - "kibana.alert.rule.rule_id": "5f3b6410-f299-4a28-84a4-a9db7e1e1bc4", - "kibana.alert.rule.max_signals": 100, - "kibana.alert.rule.risk_score_mapping": [], - "kibana.alert.rule.severity_mapping": [], - "kibana.alert.rule.threat": [], - "kibana.alert.rule.to": "now", - "kibana.alert.rule.references": [], - "kibana.alert.rule.version": 1, - "kibana.alert.rule.exceptions_list": [], - "kibana.alert.rule.immutable": false, - "kibana.alert.original_time": "2022-03-18T20:34:20.775Z", - "kibana.alert.original_event.agent_id_status": "verified", - "kibana.alert.original_event.ingested": "2022-03-18T20:34:20.775Z", - "kibana.alert.original_event.dataset": "elastic_agent.filebeat", - "event.kind": "signal", - "kibana.alert.uuid": "fa86b2e41c2f118a5499ee514a989bb5352e18b7c2f8fbfe57ef55c6fecfaff2" - } - } -} - 
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json.gz b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/data.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..26952621f10e4bce828d8cb5e86504a8715be539 GIT binary patch literal 9231 zcmbt(c{r5O-@c-xL|H-zHOQ7V+k|AvI}V%U1R=Oq3;ijErqi zNW;uf%4B~Z)pvP+*Z2J`*YBS*&o$S1&N-jY{kiXRpY!mF&y@&2Bm-B}WXRTWtxtZK40{O3Vk z)KuEhqRBK5_ba&^VyKt`sA2|rq?r$Yl8MBDHGOIELWpcPgN7dO=qIF`Ua}fozoPvcTvv+mq7nd^}ys_T?Dsk-Aq2827JZ6Ss zJo{4L$P?Ck+2pcR^vu-M&bm4^zuPd#A$#CrX(=e=#quQNC{&DgM- z!p}8hB(+7$t2|{EuiXi- z3^lzrNz}H_9s6P!$9dJDCRJQxX0{2=H!Qc0iQoE(HwBN?+gau#MwC%e`A+wPVHCor zoHsUT!aGp#W@!3?S7DI%d~sRgOGQTE+X1ika+tpV$O$+fTpw+9eL(9iUG=YSkG({f zn3?bDZ{#kAW^Bp~)uo<(fU<~#w_t+eNzrIq{L=JxpI;wg;IIu{Exqhx`IM0QB(7Mv5J}gDj#B9aeSju`j}nMDaUGwY!8S&Dj^ivRW|cgIM}u4K{h!I>7Ll* z&vVeK@Sc+`G;g+sySatE#`$`?4-R*4ag#^rhA(5N&c{NDwcU`#PuC*Ry)*j^wj!M@ zrKImc2bTNWp3|szj`_qp_ACBa&xc_`1}VNuV2IV7Ak}`P^+z_-WzRw;(q{&LNioPG zPua52_#9?(OC>eGWu|`pVB~Q3OW4rm(K$CmS=?Gq9XiVjm-zTD?daU}dk&r9gBfG` zgP@>%100!e9zQShcJeNKIr-Z{|5KRC_K1u~EwQGoBEWY1BXIWVGc+qov-3xe2fqxwkn!EYy4qTFu{k}Z?6&Lf55iU`Qz%A= zwuwi_se0g5P4pLo_fy~A9HQDK%UY8rlxy?ngy7d!%ZOnu=&VSm%2#Czf`nF#ixXwk zShb3@>1%#SdPfTja>MNFA4qNY9uCchHXKgBS}&}S^?Eq|#{A)y)4M4){#S!f1{5ta z{ECVjH`mu?_xG@Y$nR@a1*@NhtDitE2CrpL3H5W!2*o6?e1+&cg zt7VE7mBr062(u}|+jmPik0I2EKjqER8hRvw_+}U3*-UJYK7k*T*Y(^n+5AXQK%daknGFY+@%S}O^t4Yxw_LKVIT&s8gu_Q>E|#Yf#0Mr+W-ee`+lk}>eG}J} z;d-%BmzMnCz)aj{vb$o|b*h!~N|jdvCtTw*BARlWY82&e2TkOOn68oIs^zA40lyIG|@N3bOA z83G%UjnBm6%|~V(d&=f-z0~yy3{c9dK|X-OHh(Py;~$fi@3K*d#>Bjrt!AC5nabX6 zEIFgsL@}~@VijwR4}RXTzM)d>I_MaGU>ao-zGp1mVq`p2J9?JGAGMw7(3TN^+0T-7 z^D!`@bT(raZ%BGkStp_O>#oZuw94S)*H( ziz|$s8cu62?_Scj&ynxehB>mrQ1UZMQ)fLlOdi-w`1d`-RJYmn9Kh~*OwxCTx!j=L zWw=UOf!YrCZ+|+F{7Jlf#XzXPm1Fu0Lt?(Ym+<&gzBW15xN~rb#=3sn{lopWef?K; zn~P4py;JTu{gD`bw(%X#AT$iOFL$F% zmeja4JIyjRH1hgvkmsWskJfuZd9WPvl*dT>7RH~FTB+T)H^5O%npm0(-n&HF!%%Ix 
z?NgpM+|FMhJhs(ow4scyR{9KRUl7=_@2pYFSNa?pM%hLC*E?-|o5BaAY8hFA2H5FJ zu3VDW7ILc&G1BXDt~)<>ku&;K2~CDiT8-4jAC`J!CE-1DqC^1{lQu6?l@Hc<^$n9lvx5f%i}B z_nF%74!4d9wTH`v>tv-S-YWijR$A!wV6KdMML|`3Pk{s_~d^7!D8Ytxx`XpjJ|`MDvN$|7`)9r8N!K{{=L|L zTl?;s1Eo=b;!VVun>-&Ni(eor{$Q>T+UnC?%*0uO-9TrW)Fl=8+LsWp+7oOtnuMoK zLWZBHP16a`GpRREXaehLehq$iSsKX0?zO1eG~NqYF76j4(GQZdR8AeW`%~6q$1Y@T zAM`SyZKp|&FlAi53tcw+;M|@s*^xV93c;WI5yc{-?Y1%DBxM6-9f(l@FZ~#&j7dO zJ_YwWIC}Fput5fKZgy}lITWn}1z!ZUf``4f!@bB4Za|+llJBQ8?xC%D$U7x9BEQ^! zvLd0*DEejvy{u!A{gxCV^X{FuOrlcMN5yh7ZtyWMAeswf7Jm0(>1&rR;&Tnh1Ky){ z%fTOZf0@b+9fq@*+20RR160}0|LDbaPg-;>0}Wd4@aW~=W!7HSef=uhKWCP@Zdch* zVau7q_9s6`oe~s_0PS1-XsP6{S;l!OqM5v+#(cS{Q*KwZL^>&N(wk!g_80hE9=h}BfPx}qrJ;agCzpI)kU zcEB*|CO^(WCCeTmMaS{b@=x7QAs-}j0F@b%@eZeRE^bgpHX#%L`u!kJ1Zk@79eGL3fKiQ7vCSnxN5$E=(|G`B{-UVC-an2LU*iS~^UVdL|5>j!5 zSSCKz-^eK|t#1tWnO)q_K)oI$mTVNoQdc{d=0i%CN1&Z3I1G~S&7#!SQW|L@9Y zfV@*^vPS(X$jMRl=Ts=oQIR_q9s8{a&HjIjheA?)g6|zB;{_;>i5P=_=7zZ*EuErG zMleeug2unQhdbI>mbQTq5<+z1;54l`_bPopei4M}vljL0zoIZ@{eMVKvAh!ckfa-h zpSL}rf&*X1d16@%W^th6mfe(1Tk^Ig;0qe%$=NotH==pHZVK{G$!`U3f6kja zhu6-szw_+sExN?%K>-Pc?z>B&nF_U55pF&&z}v#D zsnA|BXg=jT5}m3#^}UU+?sEL9PBut{Ii?!nUE-D{bT+$TmDN{p6shjdgxCJJ2LlQT z)OfFVlyMTdbcGDTv^dGC`%5Ji2NM?RSQ26tVfXbWMEU#mhTonjX8Zr&G{$Ea<8nAAh8G^h7!9dNAuA%A=l_5XJX@TK`&x zPEC@mau@A~Q_9Whb91E)s#4QngXV9&Z7fuE-i^I_Z(^^|kWm>n&|#qy$ms!>ZRe6L ztJu41XJ@v5BA;**XV&b^QO_{FlgfJ9R*1G=-%1205BAC%6oxDpN`RI^OG z+}HLtw7huvr_fagX_$IzF+CoR8#0g#Gf}?oZ%~EII;T;M8$Yvt*5Jmekrt-QF)2ZF z=lM-#({-=-zLEs%Jlf8MmbyTniA6-fx5h`jG{E1;iq3)!u(BhaT(5C+zxW#d8Shty zgS1I`{Fp`&(p)}3fDX*lbfieQC!QPlovp^pmBXJew_DR5M|*Av;)cs&sLN~uzDNiG zqfQ)+njhf6&IQf8?)_eFC26DE)MzKU zq$B!Xge#uoG9{ErQWo<}YgPn0oVf3;kXh23Lc8p(y0Dq4TBH25YfC=9!a{ z74Je`&vI5r^nJdnV|RdU5?-8QeU`UN4(t^lw^1yo6kOZ&OqMPKnR~VM#k`V08)un| zDyWu2m0|YGl6pGA%+h0y)nezZG>7%HE(6{P5JxD!ZT;S5b2W($mRDyc@yi>HOkGsi zp3-kr5+^h59}E3%P91VZ9`@7mQ0wvSCxvPqmKOt$lpxx!`v7{u%u;j-0s(0-x>*9~ z5p?dfc*+a@t9h*XhHpl#u0ANyPQR_GtNwQk*nwzf3-fq#gQ3KnSBbQfKe5pu# 
zud9(6Je4^^Y!VIiR^I`Ho#ZV4iF2@LnDfde33IFwmS4_g4rZi*;};BSkP&)iDtGz| zknKM=?~Ov95PrCgK2v+kH?j~{ncLyJ7AE)=S(0GUustUwM`O)irk!!cH1RwrubmEt0#c?M&S zxSg{TYUu^?!?0&V0rD?Y+p`BBhF4}nB3xIN7yMU`JM)#Iu8CBMFl?&KqY}Z_<$w!DrD{275%c*W?%8$ z>BQV6Crorc^kLzbI3%#@m92AY2i?gCX?~w&j6voFdYJIaVs8!{W;$qV^wGogPIDu# zgA`NGraea-mmPaa%#tc0A(b!nQ{Jmy&GW9ts`Z##c7Q&u*C_AvknwchVW_16mT zo;lx z;=rdd9Kbtnv0ThMZmc;gT^o53;M5CE_Qh%lKe)WP&quS+ZZ>U%OGF5=%qYfqGL7|$ zgRLXVY_yI`?ZZVt%dA{haAKGGcN(!@dCQ-_zAW%k2P7cOmR6ma+?kUZuhkU5(g3re zI%3G;wFtPUFuJ|5{^>FF()EVT?rDo`GXSCt#-zXkIa zK*SLeBPkejB$?z(X^XBazg51k5tc;wL94^jP~RLHDl+XNfeaO!_STYL;t2LhW6p%k z>(iBD)yfKtKM1`t4m_=GMD#+wk~izD>99 zPF`{Yt>2V?T&@BiDt+>tUZpk}VblFVL#zdd?g?I|v&*gnU5Ej_ z6QmfcKkApmXAU=fDNiqPf_NPM`>Z3`(eT>k237pAQg*x8qvrHm71~d4pl^GrjI~sX zdB#+P3B6R<_LG^vtFL+D#Mvk6UYQcI3Whu1mgOp(8;m4IVjyM?%faa}0VC`$V%14$ zx|bcaNzwBVFNK(AQeU#}j0x1FW!!SpXgMo%XQjNj-@B;cLh}2Yk@!bhcLfC$NMWp-$hxuPjHbg0C_jBhmn@y05tZq70h|lcIELerrsT z=qLO*+OuqrN2PQdB0BcU%q5W+ClE>1dJBKq38GbF`K`RrPmu|tA^aL*g~)W_e`-2= zalIPEf4|So^%kmyDb>O2Q_4@nI0tWD+|VvY2-*nXF?oVWhW@govw!UJ0Q-oF{V%Hk zYDI=IybW89OgvT!Y*Z@6VJ2h1W6)U%rE`;h5ni`S6S_EZDwvJ5vl>?VrE(nl(%AjB z8}{^*g$d3D%G*q`XB19!GYdI|ePL09l(Drf<@u%rxL!8w@*awQc-i%VGlM|Mxr*yO z@|E_{Sr*mD2ly%O@es!&J5hoB@&6%w{AmEI61hojb@_6(9Uq3FeQE$YcxTlkjE>yM zCTbtxRrBu2kHbf&Xwr?NfK*U$1}Wsh&3~E@j#6x`1}6hu)Qt%78t8E>0sWsrdIEst z`wx(Y2|ptKo3Ri9xClqK{yV@WvGF4Ns(OX?EBUmN+lW30u_UxmIjUSDUJ?x z{lc1AemcpI(k$SQz)J7^G-`+(&~7T@4zlsVF*x9{sP#B=dZ;`8k_liG?;h;jfrwx* zy~I;M`}p>YQbOq^@NSO@M>+xciBtx4?^@V|fFq=Bx$FGPr&<#dpZxS9ojhaG`P^Qh zSot_zqGR)l8>(ZufD*ivJ20!Q;}RnS%f5PEExo7zT=i8t|KSe{kDf~^esb1M6`>md z>6SnNzLSU*`SY>xQ2Y$R;tl*FH_b;$vo3Yhm@f6@!a7!IsYlGILUMe+ogeYz@R!w3 zABHuJw#J7qoFt~;J`A(DIl1VZEkLF|hlgVJ7^YGBU=E=3RKkV7X7Ls{e}-pzI~eVC zhcv4s-1~8u`iZsNuT-}cUO>kXzu81js!|D88?Haeu>FOL3Dcr;x)j@N98UQ0LFkA~ z#BrYEfH|arzxCZwGbrO(c}R{(`0U1iKNm}&-L*%_S<%GEongFZJbDRK;@icm1VF&WnGCKHdXRBJ?_*Z<#%w5wmHLVrXg)zYFd 
zY)5;F)I*KNtJXV%2uXp9o`{9%sPDD*V@y|Ao3l9ITGLCVaX#t-EJV`yZq;Q*Yoc1XA6;E15pdsa@L04#^(?kp&1TY_w}1#6?eI{P*VQ)+5x z^p{_k7QKX)8osvEM-BY80#3DXsPjr`-ON3(sWgv&pPTc_Ktt*f6wgqAw4I*bCZ%nI z8(=v=C&7k#PO*QwdF5u6hRtpGy!SK;xT>o}{=?1RFU9f*ID8nM+u5#m76i7GM(1~Y zpOTya9}lrp43Xo{gfIdwPqnNAvd{MzaCvrufHVBzyW<1-qC9yOW5(2@fDC;lo*q=> zCt<;*K{pr{$ciNdX^veQcbFH0enG6eF%5q&)*oI@smn9s31-MP>}DFZf(=A`mQ3zC zwOnUqdP`E=BzEd_^?ND#q_r<0^DL-P{BHJh2KUTVOh02az0^ru~=G=k8 zslzm8<&&AW01_n~7;3AW%p_AVrSBdCMJMp^^m3h1+n$q2p;RfTQ6Swht!+ZpalJ)W z)aS+Vm?t_OI#Kzn?g`gzVh@bzci@4aPbAI>_G?c_!Sd*FAazbI!RP7p!eQ6>bfS~m zbz%m}^r#>)VgI%vb#~`ob|{?fw&Wb~D^>u%EfO&l zKR<|>Z6B6*qq)K#Z>Lt+P#o!8Yi)JXKNz}yXJ^}A&WXpVdalUX4WFlsX`U#Xvaq@$ z_iS}EPDGk*8X7PDbnUI*A7gBUI~ck|i?KCz+Gd1;l`oaQ}fqA72vz}XIwNwW#8!~_oT9u_YTF}Wq} ziQ^N*Z*Qx#cT6+NFqv3Oh}nSqq(ffNsW9|4*TyK_303PpmcD*}yIolL)t<9O=cj zRYD00Oz%dMfW?A9MPn^m=m|4gvlW1y_TCME<#+VlM8q!r6}OjKfH#$oDM1F%te; z2sG4Yo24x?2+pq2=x5nE^dIx(*FK z7C|HT21fgP70PK>wY=BzcvX{lwKf`4?V8hMdFjZ^X^SZfaembd`(2=NYM6}E2x3W+ zrnE3Fg_DmXv8hd@2o&{S=TIX0nTcX*og;a<899%$T(QMeqKr+DG81mIj`L<~p zd#0|gPuSFg&+b%AxxQK(tKaW$o}dT*ybsLyYVOY}!fEC&(KX$3iAY%hPCD1<{-C56 zJ}R%9I&QO>WP*^<%HZPH^nOtBT>UiDl?Osb7o~poR90QT{)|@Sgdec{g>V`IF5&mM z3s7b)Zy$L9203}J8=&ZzcV&XAB2k(0vlipPg?YV$hHnzD07C?@%%94?13w4)wWak6 zufvI;Ir%e+mom1x)%7ayKTv2e= zy|f(e^eizE1OvO3rG9@2W4ifPUFqSE{K<(mCF5|E?|#33pV4WmxlyKD?c| zS(0dwYjmTss(1pSTWWu5;!KLp>7rgvU}6y_nM`?lpt1nF*ji-wdBYVOtqsg$U=UvS z(*awdwb9E!X9Ijt5x4ulj9(^w$mU5(f3@(H0reF3A_&ANHJ~_Mq_^T+fAZJ5M$sWn zX9q}&sm@E{QP?Nwq@KmRJAwi@2ZB!vFw_FK@-&h@zkYz6i#Zu#bR1x3r=j{U DK?YAz literal 0 HcmV?d00001 diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json deleted file mode 100644 index 9ef3267f3735b..0000000000000 --- a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json +++ /dev/null 
@@ -1,5243 +0,0 @@ -{ - "type": "index", - "value": { - "aliases": { - ".alerts-security.alerts-default": { - "is_write_index": true - }, - ".siem-signals-default": { - "is_write_index": false - } - }, - "index": ".internal.alerts-security.alerts-default-000001", - "mappings": { - "dynamic": "false", - "_meta": { - "namespace": "default", - "kibana": { - "version": "8.0.0" - } - }, - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "type": "keyword" - } - } - }, - "ephemeral_id": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "user": { - "properties": { - 
"domain": { - "type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "availability_zone": { - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "availability_zone": { - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "provider": { - "type": "keyword" - }, - "region": { - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "provider": { - "type": "keyword" - }, - "region": { - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "availability_zone": { - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - 
"type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "provider": { - "type": "keyword" - }, - "region": { - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - } - } - }, - "container": { - "properties": { - "id": { - "type": "keyword" - }, - "image": { - "properties": { - "name": { - "type": "keyword" - }, - "tag": { - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "type": "keyword" - }, - "runtime": { - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - 
"type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "subject_name": { - "type": "keyword" - }, - "team_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - }, - "sha512": { - "type": "keyword" - }, - "ssdeep": { - "type": "keyword" - } - } - }, - "name": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword" - }, - "company": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "file_version": { - "type": "keyword" - }, - "imphash": { - "type": "keyword" - }, - "original_file_name": { - "type": "keyword" - }, - "product": { - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "type": "keyword" - } - } - }, - "header_flags": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "op_code": { - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - 
"registered_domain": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "ecs": { - "properties": { - "version": { - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "message": { - "type": "match_only_text" - }, - "stack_trace": { - "type": "wildcard" - }, - "type": { - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "type": "keyword" - }, - "agent_id_status": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "code": { - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "type": "keyword" - }, - "module": { - "type": "keyword" - }, - "original": { - "type": "keyword" - }, - "outcome": { - "type": "keyword" - }, - "provider": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "url": { - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "type": "keyword" - }, - "trigger": { - "type": "nested", - "properties": { - "request_id": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "file": { - "properties": { - "accessed": { - 
"type": "date" - }, - "attributes": { - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "subject_name": { - "type": "keyword" - }, - "team_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "drive_letter": { - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword" - }, - "byte_order": { - "type": "keyword" - }, - "cpu_type": { - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword" - }, - "class": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword" - }, - "os_abi": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "physical_offset": { - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "shared_libraries": { - "type": "keyword" - }, - "telfhash": { - "type": "keyword" - } - } - }, - 
"extension": { - "type": "keyword" - }, - "fork_name": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "group": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - }, - "sha512": { - "type": "keyword" - }, - "ssdeep": { - "type": "keyword" - } - } - }, - "inode": { - "type": "keyword" - }, - "mime_type": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "type": "keyword" - }, - "owner": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword" - }, - "company": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "file_version": { - "type": "keyword" - }, - "imphash": { - "type": "keyword" - }, - "original_file_name": { - "type": "keyword" - }, - "product": { - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - 
"common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "type": "keyword" - }, - "cpu": { - "properties": { - "usage": { - "type": "scaled_float", - "scaling_factor": 1000 - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "hostname": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "type": "keyword" - }, - "full": { - 
"type": "keyword" - }, - "kernel": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "type": "wildcard" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "method": { - "type": "keyword" - }, - "mime_type": { - "type": "keyword" - }, - "referrer": { - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "type": "wildcard" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "type": "keyword" - } - } - }, - "kibana": { - "properties": { - "alert": { - "properties": { - "action_group": { - "type": "keyword" - }, - "ancestors": { - "properties": { - "depth": { - "type": "long" - }, - "id": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "rule": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "building_block_type": { - "type": "keyword" - }, - "depth": { - "type": "long" - }, - "duration": { - "properties": { - "us": { - "type": "long" - } - } - }, - "end": { - "type": "date" - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "index": { - "type": "integer" - } - } - }, - "original_event": { - "properties": { - "action": { - "type": "keyword" - }, - "agent_id_status": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "code": { - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "type": "keyword" - }, - "duration": { - "type": "keyword" - }, - "end": { - "type": "date" - }, 
- "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "type": "keyword" - }, - "module": { - "type": "keyword" - }, - "original": { - "type": "keyword" - }, - "outcome": { - "type": "keyword" - }, - "provider": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "url": { - "type": "keyword" - } - } - }, - "original_time": { - "type": "date" - }, - "reason": { - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "rule": { - "properties": { - "author": { - "type": "keyword" - }, - "building_block_type": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "consumer": { - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "created_by": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "enabled": { - "type": "keyword" - }, - "exceptions_list": { - "type": "object" - }, - "false_positives": { - "type": "keyword" - }, - "from": { - "type": "keyword" - }, - "immutable": { - "type": "keyword" - }, - "interval": { - "type": "keyword" - }, - "license": { - "type": "keyword" - }, - "max_signals": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "note": { - "type": "keyword" - }, - "parameters": { - "type": "flattened", - "ignore_above": 4096 - }, - "producer": { - "type": "keyword" - }, - "references": { - "type": "keyword" - }, - "rule_id": { - "type": "keyword" - }, - "rule_name_override": { - "type": "keyword" - }, - "rule_type_id": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - }, - "threat": { - "properties": { - "framework": { - "type": "keyword" - }, - "tactic": { - 
"properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - } - } - } - } - }, - "timeline_id": { - "type": "keyword" - }, - "timeline_title": { - "type": "keyword" - }, - "timestamp_override": { - "type": "keyword" - }, - "to": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "updated_at": { - "type": "date" - }, - "updated_by": { - "type": "keyword" - }, - "uuid": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - }, - "start": { - "type": "date" - }, - "status": { - "type": "keyword" - }, - "system_status": { - "type": "keyword" - }, - "threshold_result": { - "properties": { - "cardinality": { - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "long" - } - } - }, - "count": { - "type": "long" - }, - "from": { - "type": "date" - }, - "terms": { - "properties": { - "field": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - } - } - }, - "uuid": { - "type": "keyword" - }, - "workflow_reason": { - "type": "keyword" - }, - "workflow_status": { - "type": "keyword" - }, - "workflow_user": { - "type": "keyword" - } - } - }, - "space_ids": { - "type": "keyword" - }, - "version": { - "type": "version" - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "type": "keyword" - } - } - }, - "level": { - "type": "keyword" - }, - "logger": { - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "type": "keyword" - } - } - }, - 
"function": { - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "type": "keyword" - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "type": "keyword" - } - } - } - } - } - } - }, - "message": { - "type": "match_only_text" - }, - "network": { - "properties": { - "application": { - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "type": "keyword" - }, - "direction": { - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "name": { - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "type": "keyword" - }, - "transport": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "zone": { - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, 
- "timezone": { - "type": "keyword" - } - } - }, - "hostname": { - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "zone": { - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "type": "keyword" - }, - "full": { - "type": "keyword" - }, - "kernel": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "product": { - "type": "keyword" - }, - "serial_number": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "vendor": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "type": "keyword" - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "namespace": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "resource": { - "properties": { - "name": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "build_version": { - "type": "keyword" - }, - "checksum": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "install_scope": { - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "type": "keyword" - }, - "name": { - 
"type": "keyword" - }, - "path": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "subject_name": { - "type": "keyword" - }, - "team_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword" - }, - "byte_order": { - "type": "keyword" - }, - "cpu_type": { - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword" - }, - "class": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword" - }, - "os_abi": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "physical_offset": { - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - 
} - }, - "shared_libraries": { - "type": "keyword" - }, - "telfhash": { - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "type": "keyword" - }, - "executable": { - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - }, - "sha512": { - "type": "keyword" - }, - "ssdeep": { - "type": "keyword" - } - } - }, - "name": { - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "subject_name": { - "type": "keyword" - }, - "team_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "type": "wildcard" - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword" - }, - "byte_order": { - "type": "keyword" - }, - "cpu_type": { - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword" - }, - "class": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword" - }, - "os_abi": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "physical_offset": { - "type": "keyword" - }, - 
"physical_size": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "shared_libraries": { - "type": "keyword" - }, - "telfhash": { - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "type": "keyword" - }, - "executable": { - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - }, - "sha512": { - "type": "keyword" - }, - "ssdeep": { - "type": "keyword" - } - } - }, - "name": { - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword" - }, - "company": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "file_version": { - "type": "keyword" - }, - "imphash": { - "type": "keyword" - }, - "original_file_name": { - "type": "keyword" - }, - "product": { - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "type": "keyword" - } - } - }, - "title": { - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword" - }, - "company": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "file_version": { - "type": "keyword" - }, - "imphash": { - "type": "keyword" - }, - "original_file_name": { - "type": "keyword" - }, - "product": { - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": 
{ - "type": "long" - }, - "name": { - "type": "keyword" - } - } - }, - "title": { - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "type": "keyword" - } - } - }, - "hive": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "type": "keyword" - }, - "hosts": { - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "license": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "ruleset": { - "type": "keyword" - }, - "uuid": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "ip": { - 
"type": "ip" - }, - "mac": { - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "type": "keyword" - }, - "environment": { - "type": "keyword" - }, - "ephemeral_id": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "type": "keyword" - }, - "environment": { - "type": "keyword" - }, - "ephemeral_id": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "state": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "state": { - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "type": "keyword" - }, - "environment": { - "type": "keyword" - }, - "ephemeral_id": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "state": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - 
"version": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "signal": { - "properties": { - "ancestors": { - "properties": { - "depth": { - "type": "alias", - "path": "kibana.alert.ancestors.depth" - }, - "id": { - "type": "alias", - "path": "kibana.alert.ancestors.id" - }, - "index": { - "type": "alias", - "path": "kibana.alert.ancestors.index" - }, - "type": { - "type": "alias", - "path": "kibana.alert.ancestors.type" - } - } - }, - "depth": { - "type": "alias", - "path": "kibana.alert.depth" - }, - "group": { - "properties": { - "id": { - "type": "alias", - "path": "kibana.alert.group.id" - }, - "index": { - "type": "alias", - "path": "kibana.alert.group.index" - } - } - }, - "original_event": { - "properties": { - "action": { - "type": "alias", - "path": "kibana.alert.original_event.action" - }, - "category": { - "type": "alias", - "path": "kibana.alert.original_event.category" - }, - "code": { - "type": "alias", - "path": "kibana.alert.original_event.code" - }, - "created": { - "type": "alias", - "path": "kibana.alert.original_event.created" - }, - "dataset": { - "type": "alias", - "path": "kibana.alert.original_event.dataset" - }, - "duration": { - "type": "alias", - "path": "kibana.alert.original_event.duration" - }, - "end": { - "type": "alias", - "path": "kibana.alert.original_event.end" - }, - "hash": { - "type": "alias", - "path": "kibana.alert.original_event.hash" - }, - "id": { - "type": "alias", - "path": "kibana.alert.original_event.id" - }, - "kind": { - "type": "alias", - "path": "kibana.alert.original_event.kind" - }, - "module": { - "type": "alias", - "path": "kibana.alert.original_event.module" - }, - "outcome": { - "type": "alias", - "path": "kibana.alert.original_event.outcome" - }, - "provider": { - "type": "alias", - "path": "kibana.alert.original_event.provider" - }, - "reason": { - "type": "alias", - "path": "kibana.alert.original_event.reason" - }, - "risk_score": { 
- "type": "alias", - "path": "kibana.alert.original_event.risk_score" - }, - "risk_score_norm": { - "type": "alias", - "path": "kibana.alert.original_event.risk_score_norm" - }, - "sequence": { - "type": "alias", - "path": "kibana.alert.original_event.sequence" - }, - "severity": { - "type": "alias", - "path": "kibana.alert.original_event.severity" - }, - "start": { - "type": "alias", - "path": "kibana.alert.original_event.start" - }, - "timezone": { - "type": "alias", - "path": "kibana.alert.original_event.timezone" - }, - "type": { - "type": "alias", - "path": "kibana.alert.original_event.type" - } - } - }, - "original_time": { - "type": "alias", - "path": "kibana.alert.original_time" - }, - "reason": { - "type": "alias", - "path": "kibana.alert.reason" - }, - "rule": { - "properties": { - "author": { - "type": "alias", - "path": "kibana.alert.rule.author" - }, - "building_block_type": { - "type": "alias", - "path": "kibana.alert.building_block_type" - }, - "created_at": { - "type": "alias", - "path": "kibana.alert.rule.created_at" - }, - "created_by": { - "type": "alias", - "path": "kibana.alert.rule.created_by" - }, - "description": { - "type": "alias", - "path": "kibana.alert.rule.description" - }, - "enabled": { - "type": "alias", - "path": "kibana.alert.rule.enabled" - }, - "false_positives": { - "type": "alias", - "path": "kibana.alert.rule.false_positives" - }, - "from": { - "type": "alias", - "path": "kibana.alert.rule.from" - }, - "id": { - "type": "alias", - "path": "kibana.alert.rule.uuid" - }, - "immutable": { - "type": "alias", - "path": "kibana.alert.rule.immutable" - }, - "interval": { - "type": "alias", - "path": "kibana.alert.rule.interval" - }, - "license": { - "type": "alias", - "path": "kibana.alert.rule.license" - }, - "max_signals": { - "type": "alias", - "path": "kibana.alert.rule.max_signals" - }, - "name": { - "type": "alias", - "path": "kibana.alert.rule.name" - }, - "note": { - "type": "alias", - "path": "kibana.alert.rule.note" - }, - 
"references": { - "type": "alias", - "path": "kibana.alert.rule.references" - }, - "risk_score": { - "type": "alias", - "path": "kibana.alert.risk_score" - }, - "rule_id": { - "type": "alias", - "path": "kibana.alert.rule.rule_id" - }, - "rule_name_override": { - "type": "alias", - "path": "kibana.alert.rule.rule_name_override" - }, - "severity": { - "type": "alias", - "path": "kibana.alert.severity" - }, - "tags": { - "type": "alias", - "path": "kibana.alert.rule.tags" - }, - "threat": { - "properties": { - "framework": { - "type": "alias", - "path": "kibana.alert.rule.threat.framework" - }, - "tactic": { - "properties": { - "id": { - "type": "alias", - "path": "kibana.alert.rule.threat.tactic.id" - }, - "name": { - "type": "alias", - "path": "kibana.alert.rule.threat.tactic.name" - }, - "reference": { - "type": "alias", - "path": "kibana.alert.rule.threat.tactic.reference" - } - } - }, - "technique": { - "properties": { - "id": { - "type": "alias", - "path": "kibana.alert.rule.threat.technique.id" - }, - "name": { - "type": "alias", - "path": "kibana.alert.rule.threat.technique.name" - }, - "reference": { - "type": "alias", - "path": "kibana.alert.rule.threat.technique.reference" - }, - "subtechnique": { - "properties": { - "id": { - "type": "alias", - "path": "kibana.alert.rule.threat.technique.subtechnique.id" - }, - "name": { - "type": "alias", - "path": "kibana.alert.rule.threat.technique.subtechnique.name" - }, - "reference": { - "type": "alias", - "path": "kibana.alert.rule.threat.technique.subtechnique.reference" - } - } - } - } - } - } - }, - "timeline_id": { - "type": "alias", - "path": "kibana.alert.rule.timeline_id" - }, - "timeline_title": { - "type": "alias", - "path": "kibana.alert.rule.timeline_title" - }, - "timestamp_override": { - "type": "alias", - "path": "kibana.alert.rule.timestamp_override" - }, - "to": { - "type": "alias", - "path": "kibana.alert.rule.to" - }, - "type": { - "type": "alias", - "path": "kibana.alert.rule.type" - }, - 
"updated_at": { - "type": "alias", - "path": "kibana.alert.rule.updated_at" - }, - "updated_by": { - "type": "alias", - "path": "kibana.alert.rule.updated_by" - }, - "version": { - "type": "alias", - "path": "kibana.alert.rule.version" - } - } - }, - "status": { - "type": "alias", - "path": "kibana.alert.workflow_status" - }, - "threshold_result": { - "properties": { - "cardinality": { - "properties": { - "field": { - "type": "alias", - "path": "kibana.alert.threshold_result.cardinality.field" - }, - "value": { - "type": "alias", - "path": "kibana.alert.threshold_result.cardinality.value" - } - } - }, - "count": { - "type": "alias", - "path": "kibana.alert.threshold_result.count" - }, - "from": { - "type": "alias", - "path": "kibana.alert.threshold_result.from" - }, - "terms": { - "properties": { - "field": { - "type": "alias", - "path": "kibana.alert.threshold_result.terms.field" - }, - "value": { - "type": "alias", - "path": "kibana.alert.threshold_result.terms.value" - } - } - } - } - } - } - }, - "source": { - "properties": { - "address": { - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - 
} - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "tags": { - "type": "keyword" - }, - "threat": { - "properties": { - "enrichments": { - "type": "nested", - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "confidence": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "subject_name": { - "type": "keyword" - }, - "team_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "drive_letter": { - "type": "keyword" - }, - "elf": { - "properties": { - 
"architecture": { - "type": "keyword" - }, - "byte_order": { - "type": "keyword" - }, - "cpu_type": { - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword" - }, - "class": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword" - }, - "os_abi": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "physical_offset": { - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "shared_libraries": { - "type": "keyword" - }, - "telfhash": { - "type": "keyword" - } - } - }, - "extension": { - "type": "keyword" - }, - "fork_name": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "group": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - }, - "sha512": { - "type": "keyword" - }, - "ssdeep": { - "type": "keyword" - } - } - }, - "inode": { - "type": "keyword" - }, - "mime_type": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "type": "keyword" - }, - "owner": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword" - }, 
- "company": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "file_version": { - "type": "keyword" - }, - "imphash": { - "type": "keyword" - }, - "original_file_name": { - "type": "keyword" - }, - "product": { - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" 
- }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "provider": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "type": "keyword" - } - } - }, - "hive": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "type": "keyword" - }, - "extension": { - "type": "keyword" - }, - "fragment": { - "type": "keyword" - }, - "full": { - "type": "wildcard" - }, - "original": { - "type": "wildcard" - }, - "password": { - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "type": "keyword" - }, - "registered_domain": { - "type": "keyword" - }, - "scheme": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "username": { - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - 
"state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "matched": { - "properties": { - "atomic": { - "type": "keyword" - }, - "field": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "index": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "framework": { - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "type": "keyword" - } - } - } - } - }, - "confidence": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "signing_id": { - "type": "keyword" - }, - "status": { - "type": "keyword" - 
}, - "subject_name": { - "type": "keyword" - }, - "team_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "drive_letter": { - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "type": "keyword" - }, - "byte_order": { - "type": "keyword" - }, - "cpu_type": { - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flattened" - }, - "header": { - "properties": { - "abi_version": { - "type": "keyword" - }, - "class": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "type": "keyword" - }, - "os_abi": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "imports": { - "type": "flattened" - }, - "sections": { - "type": "nested", - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "physical_offset": { - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - } - }, - "segments": { - "type": "nested", - "properties": { - "sections": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "shared_libraries": { - "type": "keyword" - }, - "telfhash": { - "type": "keyword" - } - } - }, - "extension": { - "type": "keyword" - }, - "fork_name": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "group": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - 
"type": "keyword" - }, - "sha512": { - "type": "keyword" - }, - "ssdeep": { - "type": "keyword" - } - } - }, - "inode": { - "type": "keyword" - }, - "mime_type": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "type": "keyword" - }, - "owner": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "type": "keyword" - }, - "company": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "file_version": { - "type": "keyword" - }, - "imphash": { - "type": "keyword" - }, - "original_file_name": { - "type": "keyword" - }, - "product": { - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - 
"state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "postal_code": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "port": { - "type": "long" - }, - "provider": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "type": "keyword" - }, - "strings": { - "type": "wildcard" - }, - "type": { - "type": "keyword" - } - } - }, - "hive": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "path": { - "type": "keyword" - }, - "value": { - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "type": "keyword" - }, - "extension": { - "type": "keyword" - }, - "fragment": { - "type": "keyword" - }, - "full": { - "type": "wildcard" - }, - "original": { - "type": "wildcard" - }, - "password": { - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "type": "keyword" - }, - "registered_domain": { - "type": "keyword" - }, - "scheme": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": 
"keyword" - }, - "username": { - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "software": { - "properties": { - "alias": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "platforms": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - 
"reference": { - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "type": "keyword" - }, - "certificate_chain": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - } - } - }, - "issuer": { - "type": "keyword" - }, - "ja3": { - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "type": "keyword" - }, - "subject": { - "type": "keyword" - }, - "supported_ciphers": { - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "curve": { - "type": "keyword" - }, - "established": { - 
"type": "boolean" - }, - "next_protocol": { - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "type": "keyword" - }, - "certificate_chain": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "sha256": { - "type": "keyword" - } - } - }, - "issuer": { - "type": "keyword" - }, - "ja3s": { - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "type": "keyword" - }, - "public_key_curve": { - "type": "keyword" - }, - "public_key_exponent": { - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "type": "keyword" - }, - "signature_algorithm": { - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "type": "keyword" - }, - "country": { - "type": "keyword" - }, - "distinguished_name": { - "type": "keyword" - }, - "locality": { - "type": "keyword" - }, - "organization": { - "type": "keyword" - }, - "organizational_unit": { - "type": "keyword" - }, - "state_or_province": { - "type": "keyword" - } - } - }, - "version_number": { - "type": "keyword" - } - } - } - } - }, - "version": { - "type": "keyword" - }, - "version_protocol": { - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - 
"transaction": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "type": "keyword" - }, - "extension": { - "type": "keyword" - }, - "fragment": { - "type": "keyword" - }, - "full": { - "type": "wildcard" - }, - "original": { - "type": "wildcard" - }, - "password": { - "type": "keyword" - }, - "path": { - "type": "wildcard" - }, - "port": { - "type": "long" - }, - "query": { - "type": "keyword" - }, - "registered_domain": { - "type": "keyword" - }, - "scheme": { - "type": "keyword" - }, - "subdomain": { - "type": "keyword" - }, - "top_level_domain": { - "type": "keyword" - }, - "username": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - }, - "domain": { - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": 
"keyword" - }, - "roles": { - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "type": "keyword" - }, - "email": { - "type": "keyword" - }, - "full_name": { - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "hash": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - } - } - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "name": { - "type": "keyword" - }, - "original": { - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "type": "keyword" - }, - "full": { - "type": "keyword" - }, - "kernel": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "version": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "type": "keyword" - }, - "classification": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "enumeration": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "report_id": { - "type": "keyword" - }, - "scanner": { - "properties": { - "vendor": { - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - } - } - } - } - }, - "settings": { - "index": { - "lifecycle": { - "name": ".alerts-ilm-policy", - "rollover_alias": ".alerts-security.alerts-default" - }, - "routing": { - "allocation": { - "include": { - "_tier_preference": "data_content" - } - } - }, - "mapping": { - "total_fields": { 
- "limit": "1700" - } - }, - "hidden": "true", - "number_of_shards": "1", - "provided_name": ".internal.alerts-security.alerts-default-000001", - "creation_date": "1647635669038", - "number_of_replicas": "1", - "uuid": "FUalekzBT3Gidug_gisROA", - "version": { - "created": "8000099" - } - } - } - } -} \ No newline at end of file 
diff --git a/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json.gz b/x-pack/test/functional/es_archives/security_solution/alerts/8.0.0/mappings.json.gz new file mode 100644 index 0000000000000000000000000000000000000000..3a26e140e7eaa87becd588b84b6cfae9955a2905 GIT binary patch literal 9711 zcmVhJd10o>_Q{cmVsH;5T|GoeysYDTv1dyOqZFYpiDv8WYyb{RQhkrf&@WZBm zYv|@5KWtc4(AUk6@~b1^gZ%Da;t%mB;f!>&yL=(OdM2EdYY(lo5vPa0jkRitFOq^cNiF0yAO?a5SD@hI&YlB>Qwx8}$9-(T34 zRMU54&(pSJbtT{V_4(8Dr_JTZKW81*v~?p|z$POjzW=wL3D!L+n_KGVp)N>IuP9$h zMfSAnZ(lPoQon5n#*5k4_LtP}b<6fl42$;HD_LLY+qb$cHnV5`e6sz0)hI=dHV0bL zmhg;e#kI1#C5AvkPLF6Jr-$Q+yiYk#I#0UK*OMvd%yTx8qG)NSn=yWEB3crzDOnBW zmbR`5$?IybnT<`lGyB8wUD3^Y&%p@}|6(ykN+xd5Xi)#DUYvs1|)h&sl zE(r^md^cqFvH(_U$j%YdvZAG-#%*2Mn_a z>j7guV5|p>^?>o+959}ApC`_ny6TBob+^M}b>LuRHiPWS19gFD$=| z@O|B~{!rqomsg?Hot?R@MVFHb=;jfPWz}9^sSz%zIP3L8#IWl~4$3Q#;50@_iQRrv zSa4vK_>h?iAB&^pAwQ8*ZlPbu=<)KIe)mi!ZqI=s-SW6a4whS8S4BKL3nM zvMVTcPDdn*1I0PlkX}1s{D=f;anj}o)(dT;-v!)aXhcyj<#pMR>J61tZm6w9=nrs@s`rcOzHbH!*NQ9zjmD{%2r2 zb@P+-x3#x%1o2M*z0+ueJG~c7uRKsv&^Fs~vX2iLAVjl-WpD7o`O*1(kkJ!;63g=Q z7vCfTcxS??+dMVlQ~_R_2;$2vnU;1nKZ>4@bBYQwOqXTBTS9~*Np<>kM=xQD zp*6(}J%S9hifoR_Be3);XO;BX#SYF3v-bx~;RrK>$Imtk;EN}rp%*4Af-R4i-Ap)gOwT_BIw4;6QCEkh6K;kz= zQt633py^&*mWcThN3Gk4V;iutoEz_s%(Au|ha_G&yH@MGooVt{nhz+OcrO&s-oDJM zQP5j&l0}GQN^vHhMy?Ran<0za z>U2cq43!y@Y7(I>T>2_A;GD{E$HhiQD+&~Lbe5ZlLXw`ymO0{K6ZwMDlWgwmcV%`mCf3I5aOE)#1L9=W`fX1!3w0K`%)~H1RhLj_UEb02&900(d%9^&irmg-((pGQdeEMUfN2G9sbIMSb5Kg2IVV8gX^69sr z)y&mpI=ysusvB-_XLHvLaqcjo6iRz_G)y{!geM-VY(AYsj7gY|{lL0|I4mb^iY(OU z`dB&+0|43vE)$`)hKi-L*=0;j`oc4nJz@q7^WYS0PE~cEk)1x^FyRk(b4!w2y3=Ql z1k!AVEoXTqIw4U+^@>40v`6Ia>YccZ0aWuu#2I~fUj7wvi+>}4a7SAvmI4es$IrAl z2i6k}<|#tFZUXBjux4Ata!UyIsZS?2$v=`K7Ge z4Q0<9sAdQ`-VcV#f{6f~P!~ccjR~JxU$=Zh<|FNhOs){`eE#(5Q=}m$6yi%rlUhoQ z$uW@4!~~~yc_3xrLEU!xF{Jk!%oSiRjPwdHr(RkC=2n0?R~@qGdK3>lMlsI=fZZYV zL`8e?P|z++_m&KS#db1N9)=Mh&xd&MCNEA(Yv<^`aopn+1SPQ}CF8h3BMFCxO7MlY 
z6~!fqzq4`D@AM^M;Y87sfuloiUNaIWy3@EK&zg|clkW4x80~v6>-<#M6tcp$bzxjz zch+U{9BuaBPKfKv-7gG+mA$QX0e)WOikFi1hZ>orC9fl#s;ZT3)A_r8yj>0>w8pv~ z9(+BdnQdbs9LUtd0BlYNdh)`yq`IxPuzMvr)fe-+@3K-=I962Opuv#0G=GCiYngL4e%RmrOk!KGNkWP#K{KFKO14 zppJ6mDB!$41EP&eQ_%}DzzA4jZkLjCb7-t|yip0wi+g$6(JL{?k`qUMbSb`l=?!weYKudN2r)XQ)~G@jQ2r{Ss_%7ok0=|r4quWFmI@YgeE z`rCwwyv~xccpkJOTMj!2hS7h`scJ!&ai)z5&G_i9%XP8Y5#G_PsXHd?i_%$%yS4`H z=V7PvvK)Fj90||;J#CK(Pq&=qR3GfXp4G^ z_xgJ>W-Q(jYxLygWZ75p2urrLs*CyCr{BK%S|Y`eC$&UQrb4>)E{_CeY(OOXa?WL< zliQXhbP*|5l0wS%^eK^h`h(naZR7!`H1*t0E)_#Un!mgjnMWehMXF203z1ztYaKy< z;T;W7#2kt-4O56SAds`=SMzVyQKtE!V!|e02il)$!hv>h?uIRNDEl%v+ zq2@&<{y*@z(tOeu(mCx2N`OrOM!9Qi#yS2U33nd~-5v|Y24&k(wRLISCs6-bKwO8m zrPZ|j-~;dGQH(w*_7k6=D&MZeGAovl?YWr}b z*tD#Moa=o+vh0?^U#Gk6^V_+Z=&z)`NNBu{_L_#ixZGZw(lneIfgt?UuBi^mGJv-v zBo{B0 zRt0WE1#$PB%z@eIuPlcUP|py~X1AM89(dHu|2v<=RwZl@VY48<(TaVBKzhYKyS%ny zpZ&06pUuzd>kj=9_n~!%Hi)p~4*i{={;fD`i;HrN$Lux zMt?~24O?38c<>`8&Ybno>ZMwIgyWQ@*KmZX5Wt!>j*WHAKJMKL(i^P_I4yR)f~w-h z(`N^ozjT9ckM|53S!+#wO+RVAb6KB_u&pf31 z@i!gfoM2KNJ;dtH=gtVnqSsck`L#$A$xP{%Uh(0AW|!-;LiVwC0`&wRHH-0;P-XE7ijRd-#&XghI;Irmr+NVt)CO zV#XXQ4_AX>9Gn(RS$x4Ys}JNeHo>32e8ndD<+Evr4=Hm099(PA#gKyfW#?!<}AQRo&f*CHM#hno?P z5y<5@VdsErvG4-BA1C~xn&)&y;<0ipd^|?z{b%^a4`Ijdwwy>5s5gB44Hn;qdJd{# z9PZ2s&+vuec5Nata=AGtY@#M90E7{T5#0TmfTzRFH{lpQYRhRBu#0rUGrVO$cc~9I z6lLacp-$w%QZ)eeHsSj~n-xxleeDET~uReHJP( zd)cGu4r9N*u-qT)M+mhpIX++Wp{j`S3V`J-(Z`ECH$(m15uVy5SsAcD%&0l|vYDDI*ziT)A=uK`~%HW5g#7@L>ZR*cObz8j3q zM?m)rO4!#5ZWUg`eB`7DV4u)3>}y_Kje|Y!K#O-%7>#c#L;6VjOE+whDD`!dscVd| zL^D}3PKXi{d$$N0G1N;`P{ajUlSq>I3TWTfgK=$vYD;W=2b0Snn|k^C1$9ODY(Lb+ z47xqE<}toGyY_w3eZIB8*vw#E!~~<&k+pSI8j98YXf+2~(pH?G5bWK%VddQtG1QKx zg-!I@&ckoGvuAMz?k?6D6+zcNyTS=Sx^6PeK=s?B`6cw}6K>ohKf@#{LZKnJEJm!U zLp%?tq}}U%lk1`f5MCGky6Bf&^ak-CCI%o&`EPAP`vJ7dY1h|nkPE+{jr%g<@vah` zfpm`7ZeG}yROFd(!R+}W(ep?iNe_gJ!JxXRD(GuMF%)^UMHViIq7b=`Of$zJo?bM~ zJefr-3_b{i^dH}jRHEE>Qk_IFOsD{(MQrT!7z&gEx`W!ciBq|rPfS2vZVB&WigaNE 
z6ABP+h!se(fC(eP3EZf-vGSa_fJBnnT;`%sERoJ!U?L4IC|DLN)0qwMgr9oYBnOZv z5btE9EQ-aQ4iGn@Ko$NAOFlx11xT2(F6Jp#*y5a+fCQ?CKCj(2TBJm0E+CP_{&r*l z2D(VbZkB+xAn zm|$&vV_5w1j+GE9VU#t*84c~y(7tTCJqwCT*eVE$(c6H zdL*wSxG+z%a<1uv1cHS3f+SIdVItJ-fLfRcH59qvQdyH`RIbS1*)sGt1%>#40CiZe zoM^)Zk#j1mh4s@ieAn;0Oj9;@HU0c-z1|FP7}qU|FiZqlRc<^|LgM?oR&>9tkTyO7 zYK^N!O3vqZW?B-aB-UOAPjqSdJ}p(xSu<@tnhI;~D7V(}dj4l@)db6aS}O{ugHVM0p{ce$#SMW7v#zIw=R2MdkIrect;vlJ6?awPGqgDrJnB& zH7_#p|A7Z3%}E?68OX9&;UM#qQ4Xqp3^6@#+xdJY^z+Es>*#L+W=b#Y$QgMr1YPCk zyF}*AP+UL)rHCoa-VL=wc}A zRd~>-w$)ahH8|puU$+hGEBh$FXE@QSk1h?d{E8MAGbmPJneABNh$qJB?j>&HvTfn& z0q|wsewU6q#}{XmdOzOP%>A5328uqHX0rHIj2roSY?$aY(c-J58_P(EyBXUcLG zzibec78~PViP;Y0&G2b-yn}g9NqLXHzJ%F*INQ|%h;2J`W|RgkQ_{_C`yPI*jbcdo4s&}0-uLR? z21h#-F&T)-1Qlo3;j_-0!Bz&Ekg;6Z(m!38;p?>A@j!M^JL2axA0D0@fuF~&(S(XH0Q)=HKdimaA(|d0#F$$8-rDzV%Y6`9~tWL z2=@pxqV6&=Iqxb0P{E}WAo(~rp0NM!(ps#%m%i+%!i4i;ZSW4xp7+(T;(YM){T8%T zDs|&J%Ow;*jHt1e&&VEi5drPdbOJPow~pn6XZ3Dp#<5#imX7`5-79#r;{KYIwf!Kv z0p_oq$%5AtXF(Et2n0s4re%Ci(TEmKpd+$-1OJNC*WgA$iU?Um{eYFpR)L}ynp>bKHr1s z&tJaYgYB2kkYh74+peJ0%awm8?ZYgWPx#Ad<5aSeLOgv)+!kxrGJgBTRCfKXTF8NZ zszq6V5o#Rzu8#V=E*nxotZ-buu+)(>yk*XXha(Y}IV+nq=STeLSl>YkV({HGnnD?};h(yFxD`a^ylXcyYCY&Y| zeQB?qnZ1%GoHiC--8Z1dx}H`0fprI3+`mg?$(W_4ei#qR5uR=3e* zb(^WX5Mb~;fzl*(p;dLCk)1o4MLmp{njqP3>COzanTT&QY&pv_(fN1G@VpWtAKK#` zj$H2o$Q+T%e8r|#2DcmELjYhL0g-t}TP9Qps5D{18pmaGPFlX>1UzNFt_O;=GOP!R zInnh%VIcaw94Jm6lw|5P%&Is1;#-x|c74`S3aV=|A688C_2?j%pP@xRF0_!Dq>+_4 z02Gl_EEjAg2z4Y4)5TipKq;9qv!Ing*e%vBH>wFPKN#9c5}u3osRJD)fEkL8HiD5% zgwX+#*r;-nRPmRjeGvym4CUW*!~_MD5h?3}?U)UpbRw01?^#e|CX~&Vqmi=xI?W07 zpfY9%xN|HAi7{g}gurtPP;ubpSU2Ia%^pOqHf_aP^WyuB@j_y7Mkb3TDL)E358G0Y znA0PLvxA72m)ZT7iln*FGd($>Xx}a;RYh9`25d$22-lJw+aG$zl8PYjST=F$acEIc zB%DA?a7iuFDk2N#akfOIOE1H0;I`42FmkJ8YxdD8?O_>i4e2`7E03n_BAaDDcTG5j zr$hWc(1l97A#i;7T)X^07c$vw=z#d#00@HkOeM-7t_h5?3p-L$;CMcssVF#|3Q9lm zI{EuWiLi4Up^+iv+{Tb-5UvOw5g_a|L$9b$I_B_554O?iAKkgPAqY(k!ALuYrh_2x z3P=G#I+^*UeV{W1rg|Wp+5FNw5E%NTbReCjywf<)&TxR#jde3#H)A8Qbu<2eo3U3~ 
zMKbe7^DPWeyCl7^bB!R_AVA{2F6~!8M|lFlH#7xNPY9LHs)D{IqmJW!h0U8M+ut_= zT5l`2OLa@hRMqXo*&Z*!GE8Y_$LN;H!^6Zo;*|iZUW05yGItM8)QxRUMH>;)0PetW zl=VA$yn?p`ClYzs6m^%7hS9ZN8UotCoX9<>%2d+?3#vG*1#UF)h%^omf_U6!21X5s z2mbuf!m&bt0EF-hD<`6{%ghC#f+JbC5F~I^Lwdo4IS}GEUUD7;8=Xm~IFY*}bfOEbJA$+mp*v31LQuIQIlz#(zx%tm(a0#UM&ox3n(Y+R;ZXxNC=tlkLN z$o^a?>NPIgG`X~}(zXxaEruakW9cj)jOm3P08Z5}fCWRWMqG4olxjq#P-JS{Nq-+q zC~pMnMEsXWC%BJh^G26OY_TVzv=3)=#R^1^PNwQYE(&!4Z&=YVP2u$4JE_ zAf#g)Uf$@&NIBOaMB}A51BZDPQ=tn&EPjMMG*cCD!c*p2`Zaxa%{E`N&F{i|%{B+i zy_SB>xvr&OzD(EBFJ!)J>DRg$ubc5-ZZrPirC(0eT*t<)qiIIU1tqdW5OQNP&4H-6 zSZorv28@1-!zgKM04TQ?1`dSVyEuShXtr@Y;0U%Te3JGT0I4>0<&6=Q_QF_)NUNjd zLZS^&rgrpMkV3Vi&Zh2NH^OW{uUOE{99D~#njJ~@Zq=Ats#e5U(0p)Y;DVi=5QJE) z$|DFW?1fhxavpA~yx%#_l&)Y$eT~z=FIJ@22M$=e5M5JiHVArafHra=wg!;2OzAK+ zWJYF%X&@KoU}RlT`rIlv@@galJK8Ex)fuxC+z6|Y8~~`Q%V?HB@spv}yAV_3PwY^X z)HqH~WYkFV05sG{!vl_h8X3QKqn@VTsVre`7`A{%css7MoFQ%aMN44sIaVGL#AA+> zhve%e$6*WfjANw-fxY4Q3}GH{EaS${>%Fw`0SPz9q+>!t%n|fG!^)AT5_l*XjS(Px z9C2QOhm0ebK*Pk5X9};-aP;}b5e{BAvUMX%&v4zy-r0dewW!DOC)?jQqHel+*MB40 zt#AcAoW0a=(u;#biQDQlj{7(loYy4kN#1L*Se;Yo(Fc5Kgv*}hhl>5K^)j!WsrOzF zTU)QGXCN+zgh~HNKYI>XxD^&}y*P8AqBb_S)iT;`VytSr&A?>rZCdQ3EF0)1@9OZQ#q7oBSSdCrW_R(?g?>qr>|a!)eGUlaP>mGvs>Ni zLCjWnI-JSsPG2{&bt79hG9y=%jqC%s(@mR(pR+=O^$V@t>95GT(9%NM-_ok+YcB`1 zuk%`$e&;7yOS_>&kZLsTR(A}b#p;>W9RvApId=@MdH+%TF$w%8t7l_95UvM84~FZ3 z@SWZ2*$85`dN$xpR?o(|k*yoqx{(>VqHJUzz_Vcnh4u3woSPc%l6ca6o@AJ`WH!Rq z920Ho4}ug`M{>>DT3(iU^{iC}V||*Z8_QA^>qp5_{pv|bU*&osqA%XOrDCaO^`vB} zTJ>v~p*q!99DNn4<@|I@!BlPP>t=LUmHJUMR*!m;u~dorQ36zh`Vq8LeMYN~Zni1e zbM_9T+G`JwPWP_0G&an|WWB08h@#XY_-RSD3rHRT`EV9TeXUj>Z(;%t@0ge71Q$bHwR2h&X1C5ncYJ*J=8q$8dbxR@f(T| z3;H%`0%J;;mV>9Apl(xnkeRh^dT_Z6vZR^O|ycs)EGH!%U4OW<_1Yc-dQCyPA>h4jAo?gNuXumfPdwm24 zWSmOnIPi+LWXm*xNW0&U^mJb%_A0us|DTu%CjBk=@rG3eeVuUKaJHlQTh3>J<v;1vy-5hyPDb-rjTJ-a1OsG#cspx>wh(QeJ4b4bDoH2eSG6 z_fMZTP96tV6zal*P2Udms*^Wk`b1XmvhF}y#cK2U`hgSf{w1Gh^UNxhKg=Ct@zW>y zZ$c|?sp{{n7)ud0pTGX??_YoU^7ZR)pMLpOFP6};Vq%cFV8eLl=;lBFPw;*D<3IlQ 
xm;YkLu+R3a`=9^*_v~3@BsS{WhdovC_V2dT4>%22F>V=AzsbML5fqemSJdI&Rhmj+ve{oiG2I;Z( zM+^&dePD}|wOY!p3Z*Hj7#(<`a3d;7Ga22ZveMH0N3`Wi^GK+jxVqB~r;X*KK_aUY z>-uN5E}S~X#22>M$vQmqeS0_W#6u*{Tv+vG`QyZmt(i6*CJI>g?9A*jbmK_QdBKu+ zyz8{n+(^CgR1VHu!{X;B;!~#vBa|ohdNe!E?G$KFzUuzE|Lt4(%bV6CoGW~67N{o` zRlJzaNM-h<1=;Hu!m#tS=kV*jjg5rH(vlVa=P-2(V%vdgpKrxPePOc2Os8t(ETu{`Z!3g_g@O+$HqLEkV6>lxlIa%;6R9SBtW zwGFN06EQWpZ<_AqGu2ZdGqbYX?8lh zBXSy~3Ivlg;0|F$Q(@x+b%#GerJ0x}Ua{j{IVb0IC7)F758r@?s}wih%ft<+`cA5F7Gn$C;~B>wn%z)@=K z9q3c(Hoa=${j{jNy0Kw0H9JuK+b6$G^8%}w38M{rYS_JL+38i-zS5OELEGB7;icun zDaEDBMW+>yql~B38q$ud!5@coUS%?9NpsSP>9}j^tV{6@I<33h9$qy+YRdu7PEJ`* zeNsIcnu$Ka5l;Pxm=%?(z4Yq-ugiI>B@ar|!;~BnY@Ce?8I>TXI3bGD>Sk;hA1vE> zqa ze2c~Y`<7zaj~e~CyyR08u6^&7w5%TIjHyX)1O}b}merhM&30M`wH>awnH_!*waW_a zkFhy;gN{4J7wvXtrb7&fe)t`=a(7KR-P7YWf~EI1{ch@!WrH1P@<7VhAsqgSrF1#) z)#);8?P;6;F(%w|Zsv3aYZ|z>XwmsV!X^wK770Ie$8JJkHAL)>!HmwGXzMvT&zOvR`nYBa@vUE5Ip8hChb#$ntq`AWkF_vGpCTLWWB)*gN$%ZO2=Mz%dq zY>#zpIugS7YI-YFJv-;1ukLhl3$l5bN41RmK1TEocI>eoHuZwx*mz+}1C;`Kigk@g zE^^ILjf3AS)-R}uNZAQX*?D&MKDsSiQ}0=V^_t1%s~yQuboZ)q>Y?7-$S~~t7&Zm= z>ghjS3!Cb;oIxbQ`(d^H`0qb<_ackj$g7=_R0B`9qTx-lnA8GpcEb3Ro*`T6oJfRT za<~UiEereD`tVdYu2C3*mP@=*Q8R+`+WhvoUcPZ69Ud^eOI)iv9-Fd-8dyG)oXI`- zyt@9$`v>T`|G`bo;mE|==P8MBY+ci*fI8TxUw^__(UtbQLa?~n2Hm#$3>fur{!A%# z!Bru{=C55vzC_8PPoGa~>dZk)KWjO26TZ(SC-T7xe@QmvEzFk4Ss^xjvYZ3*zRIlk zj=b6|UYF?aOQimgyPWarB;DAGtvpG?I$zEZbGrRdzh{PC4m&7O%i(J?m#L^(7lLwAbIaU$YE0Vgcjrz&VW@Py0*+SqC5m9i zdzpGL`C?h|(beiT$qJ{vek@$IWQP%(CZ_1sK%xVRAW|7>=9Zky9Pc^#l5Qs zOXKM>W8ksT?ZqEU(+&1s!|tWc8*4MT#$HXLv%SGoac}dc)8K9!4Nnrjs;| z;>f^hrJtc#^0v7Dm%b;|54Si82Q+(2QF5kDsO(m2yuV^NS0>c<4LwMMCggkHmD}>0 zX$KsNRuRMR-)RW>xr3`El9`|h);9sFS zlEWyyvOFUiV3I62uxQEM`=p^}Y6}0A3Ncq`?|ot;`UJal%hYpkW(I#s^qfk?5Z4Ja z>90=h5bAH%Tk(N*V+6hf^Ux*dZGS3k*isw*8}WQCRs=ORa1=4O?zXo~Y_!HzAp*-H z#0&NoiL-(O73B#`E6U^|)Q}Vva-QIRm3ABXdJ0s_D=M&ks~8qcObE2~?8ASbCvG0m z`hA+u#t|JFmu@qYeihPff1<;b9?_#<$!BG;$;qiT$pU;SY{{A6PmVPm^YZfxuwQpc 
zX$W14gFN2x_uA5d&B=@|1umnp`EzsViM>)B(GJbH(TbOL=PE4;*xWo)MPPvsodw{` z=-)nI$MKEE>nt*X+33ts{CW5Tz;f;z=6REp%%a~SRv0qr_{r&Pc6vCSjq*BeX>5}F zik|t8@N#2iaBhe@z*2#B*yrK3mw*K~+<+Z|ZFXQN@1mdV!rGAnn03o*chA3Mf+%yk zG%(#=BwiXAyu>~`;Ff>!+=NPV|*SsEY|H zapqb^sugMWr(NfhS%gd+$dL4F_p#|M*UdvxOzXBZd9rO2qy`d0fVI?Di3xXSsQ|k$ zz2Eo*!o8)HGssto;kEc%TmJ1+6La{8>oVQ}*6ZI557MCU~A00 zv;~HCONg2H*^63&|I(DWhMjxI20q>Z$~XrOfGdD;z#1a)Si%GJH(+qPNxj|>sjA0JlU4591Euo2<$Q&?;RO9Jpu zM-UHa{u_%ni1KMHU<@AAUh6EiA>V@kJvnTt*6V+OrH*ip-kOHS$5=e#d~8lB+=H%K zOxHr{y(idHNH%i(LHi`7=_ze0f9^IF0&`En`(#UI?!RYc%a=2o20qQsg5CRcye>BS z8P z?%&fDAEPaVZ_^~j_Hew^7VNZAeIuMq@k7;(pWG0%pb~w(WR)h%h=T$ssO(9+sZD#oMmC@w31ftG(%i&{?O$N)f|t^S@t(w`8$)H z)h;9C{ISlkdOyO^Or@IvR&KmKW8`qlU;X}YQ0^TzbFfSD8;wkcyqkl4T17_mChzW4 zr|?JdM<;)Qpsk-7OwO z&?P9FMr=0~a?mt^F{DKaT1JK$b;LwX_?+fCkGdg7qnToZBDkxx1++_}X zz{$EDeB&Opyj$yP+2PI@dqX5yJJU&GQkG`#PE<*~{foN|j&~cd#y2hvT1#C2YF_d+ zugEi?yGh`*xG}GI{Zai3BRQd8dpSNJLHAthhN?N=>P*#vC^775OxrZPk!T&QMa{B8 zkWf<%by>I+177h(JGvz$`1Mf2XPHb-tnWY9oOoBK5p8#){ssr-GAS+qai_C@A;0E9 zH!?=+SM1`5YHSPSmeXP#JG}OB5%Gn`c1x)1%1zbenWBoXe}YN4hgzN?f>u( zR!mLDynp{fSAoNxEAO0Z=46wJXSC~bt9i3*S3&Dv^Oi*M&3S#b_JRW$(zYt$H~N~8 z;phnNXlvoYyAdL?RyP>(lm8G_r#f48D&_lNXMukgu#m=fR#$;66sN^ZQ1RAM#6H2* zZ^H!>d{`W!XB4mu`7bjgU3t&U|K~plM_D+fOp7b8+^&Qt)94}h;>hDJUzu2~OXf*$ zQDp9t?gc#;-rkRorc`;OK|VX%n;IM~^@l;+aMDih0z+cFzUl;!WpP@jVp-pvoi^5c z*gt-Hs0KEHi`ubg6?=?)xY3i^!+F0DE%1TI(!6OddBH&x9?&Rt{H)slONseNW;N0h zY!C+>e%FPvGb&+uv;OB#syFN7xXrIm8RcR85AS(&xl_#qh0}yHKtq0_A5=%kAGhIj z_#ID2O=m()=LY-+vl89)0t_w_qH)^o&vZr`5`>Zmk}l^JHm2z0#p70UZ&VOwT1_i5 zlapsH^0HLJqJD9}S(Sf5PJcL^FdUzJN~(T@G1WaOi_m?({+TOL4T^Ysd+yt-heJGF z^4-JFmbNF#!(2YmIuE5e+3=R)v@&9nBJ^+BoDQF=u)^bJW&#*=+^u|$Kh{;p zl4>sJTA3gK;lg%treJ6*>ReX# zA#K2(WTowo{6=J?GtCkAh8XWD_?l@8@-omxUxtt&ou-+Azca;iV|+*|+|+dJlh-rf zu>+{MQmLJtVz(}yyTC*#DKcc?TJ+`lOx@ydZX$coCt&9F8Pvz6-AtnbYS;!`GsJGVwWOOB$JX26xuTOwi^@cf=L6RZKML_c9wbB#Y4uj(KO9|w%%rk0 z5GbP$e6~!9UJ!x%{4pywxjw*odk%$;E$qPs73h`WY6d@E6I`yk*n%<}@tnINN`eI0 
zy>x~+^0a|GuR&zqLGxQr0c6>e(Fbd=Qn?bjpjH$vi2@l6ZJZzh##R&nd|B%-1e(3R zNBDv|w7|6oU5S1CoAfJkkc8$%V9v-O4+EUtrB$isV&;Vbnt3-UEv3<40)LR)dfnV& zV)np$bob`G{uy18TX&>gS_Mrr)zKgt`tv5G3ir%B+HYNiE1G;96do? z^tayia`~Ir!#)Mo7*Kx6HAT|-2!0$3$?Fo{|jp505#0NPzwR5jh#_j;tQl!J?TI%_=USFzlBELFJ!M(J8(0n ztUe~q7kl2V_y~-Xq%cP*^IrZ~%=^|o_)DJ%%G*8i{X$zostnB{J)hIXp*RA?I}_VS z=sM#`(K~gWec<(aF6B^GCB%W253*R@a>QkG>LO)yqtTgaaB{zFb>x5NxC4A_3XAc2vXCp7{^2Dgx{CERtn zIDTc7Y&Y22QT-x<3>$2H&!si~(ygmI)kI{mv;*CX)SxTA8RfI-#mIQvT?4a&;Yv!Q zGRw6M#uk{BGX>Y_OWm!d{Fh3_@70uEW+skyt&+xd_P)QlrE-7ej$$|8S{1i-Ebfu7 zLZU8?bWbhc$L;+~jjcaW`wa9eVhaQJvGmP)&`QSwu4ayQ5NP!V~yrCmcU2Rs7Z(7q5zZk5i$bb5^0z_9x{H zVCw`nF_IkC73#aqL&18kja9Z1E-`cf%&7CBAnb~Y3>aTP0TkX zti_)trf`cJ4LW&LD!#xxUg9=otMf`r z06Hh@5t|Cl^oYnXBScD*XlXv~IWD*#!O{6YXe6#7Zol+wXIt)H$!1P%s2!A z<2gD)!Eq}}eeclMa^&m;1d+LM(JN6-8oA3@H~)-`6tLi_j3Do8cLT8t0}rSqE~Z3% zyzBC)k%Q9c0?@7mHP7o$X}z{?t(@1VG;&#OA#3w@JUMSq7_8=lXRXk+Rx36ZlHv5J zCp%Y3ZaEkq`jKyDbxq2M5^q&T%E{4*WK?T(Tc@O{RAka{y0P+zeYWbh{fqZ{fenvl z0+g5S4?+pJyFRy%;@Usj5c=#rofl`thHxf%hNbF?oQk^m|5a+e7goaA?};cs+Zk27 z#W==mn^NqOp13NZIQ`|>lONHf1v)#^P{*7q9*f#zc0eER@)jowPxf$Jjp}iEq)my| z=0`>tzLXbkxBg)MFyR?=oeF(3Mk=3HcN)Oehgtw|Ia+HYL*7euMy8^8<5N*a+BGjB z!^I!$`g3GPZg^Y4?$c9qsXkS8zX&^}mw3mk(=rX-3$$;^^6B)_h zr9jHgY^=bcFl>)4BjHT)PgbKRt>=T;>8=B!%S>oN{Xa@$IUtSre@NrIpeqOeqckog zv73YR*GZy;DY66v)GabN_(I&5i|JIha=<$Gl=FD5wHE3rDLbn9#NR}>8z}5W%_*oLo{QyLWQFA<0LV+ z!>3n)4PZ}+i@6CYrT9&g`LiA^C@D_9kt1si{N;%)hg#@QiM?FCAg&uvexzg1%PS6x zO7N#gZm&ffDCsec4JzSt_#V;zR>t)YdiAO1HiP60o|6}VVp$&2A%_?P7mOly%8XuT zz=EO+yK=-H!9eF5+D;cBx9zAq0E0EFE5P_0nfe+v7KAOQ{pWLS9sF$IX>r#=3uA#9xYv*4v$ zI}gp9#SEXa_dcp>*~z!2sWa=HoD+Gy(Kkz_cGiIavKYGG&bB1B|K?Ad>o`e%W;zaE z+K~KU$zD(1eD5#d`?p11jRaex7bfqzwEnpHs3T0P+&4J#|J*lf()a!;TXArmb0vwp zyvJgRJ0=}vf%KfF&;^a(Oyvxvb*d!vTw%)IKNCe4U782-HzKq^S(<8w*>B?}^^_9+ zdgH#}Ky()5eX&UfpPWUO&z^j)MK?r1d4Mz8 zWIz4iN4j8W_9Sccfd{7aIb;U7-n1M!KZI6_*kuD=(9 zGa4Z!x#gh@^dM#r&X^&pWysDCac^75x~Pl<`^J96)vTB4ym>(m`svu|>sJ%2@cWR4 
z1)@G$jj_Hkm)6Xjc@(AJk)0hW;yS=>tVUzi{2Z#-9UeQ1|LNGBRlvF>Oa2(1!f&W^ zdD)R8&CZcTZt3~kS9lGl;W6Z?)?TqXy1jmy0m)vVnHHt=q=e6K{XKjUqE#CFu6_Mu zd%wi|j@q<;-+<OA%ps>=ayY$l_N2XXq^H#@=D^4AHlwK!f zwWq6B?_zxLZK3Zi^;{YQTGu|xRoi+D?up7LwpoMY&Aiq0BaMUvZ11By;WTV;Yp}Xy zDqru1;{2l&aQr6fs8^sy6uxN>Tl|*zN1(J>?EEujb6X!1$7s5JhrAo(dSx+1GgKK$ zHrcd(DxBzgS2L*>y&j)U#CcV?u6jwm5ZUnbvy}nG&2aJM8?*S8jfoZPna2!O{sb?I zlG10EtBEKT=O$~=+Yl?E6K;i9*+a=4FS$OXEK0qh$YW&|Q`SjqfF$zUTTB%X{=AEd zEob8_RN~;|y#+5$jc?6Jjeh1uKGra(Q^k9%_s=3Of*cCWjj51O0HgFOG(DC>` zCAOaEJ*|J=Z83^&_Y}&xE}>|G?~8ah+1;LddDJJKQ906EH9Vb*0$7M;hN)wT>_*3) zP%G0?hFMHy+tw=;Wi^RA_U(H@SyN27)E-&%mev##=6IdZ1)OrwuE%F{&pzKp|5nUt zn)civS(yFm?vQU)=c@`g1AFlJO8UrQIb?%BzmuaaVd;&XGox0`(QTy21n#;DmAtFE z$7t)7Td0?@hV0?|xjXppXE9hbM1GbYDTC-O0x3aqZT5qS15=sU0`oH75UKIwXmlSx z#%%A8KX5vWMf>?o^GfQ!BNE^j9$on-=fk7bHHkXg(MQ(tq?(Bi$lf zCo-LHv5Ke7Kc#M$lhPikLbyEOX5At^vZ4hD52IGdZbhz89Pix?EfoY(z{Qkeg{kH zv7@*4N4dAoSFP*)R`h2G40S7m+yQX&;Am9uz*a`joXceK{GA9OVh8---xKk+pKY_j z;yUo~A;z-m2|Rr0A=SVl9kj~OCtXOP>A&U^Z$@%IZlZ}$EUHh0SQIwvf_}6&Sr6EL zWC zGC|gl4z2ibN&7VAnXSWhT%YAb4xY4kY2J|f?N|v*fkm+GncE(tDDM9n`4kf&m2xIT z%xgjH(?>ZgJ@((z&S{^yUss+oiWCEORoYT}@W^?>ccLzR(B*Wj+5>S77_m+3VYNSk zY*=!u)2@GGUXnjl5s5M&G6V~EertR&nn!65P7rfzdVCG=W!-I`_pf>8<&M0IhQN1Z zF=B4TzGah zC}O9JQJ;=_EN*xh{0fk(C{v?kYoITu2vuOmn@jrgeLIL!{92u#*$Y~4 zswryBB|R=o3`c!%`ob89HiEY*E8RIpJyb4)t901=Twd_E*7@@M+gBvOe)so6^`7;z z#p#edCxP+rUx_`Gr>A>T5kpze_zV#bdn0rdsy56dLs}t&g{{28b$`?E%6ei;#$UR<;Xd9*^EnS?uL&&b@w3 zFLjuCPz^jzRn8R_@MNNXWhrVettQ}s=l0^?{|>s$Hr`2X=`IfpT!B76$3AAL9xu@R zyk0|!U$)u`xi@{Wde2-w^_Y55=*79N)N1LU?{xCev$vf4xHo_Qv{i{EazJS-V>-ZJ zinX)wl1B;&*C$z!R6-p?_c3xUa4&EdF=DC6CO>eUY zhqAG@&ywqJmENJBTJxSMN|yYidfY=GqX zEIUn7CCh7yqvt?Z#)U{FyH;MUOkkfLR07_GyoO3V>lqi87v$+51na%kFc&8=M)u3? 
zp;9r$#@S$J?gI}qIm9Qc3UAjs))n8o6+}=!AAD*(C1@j00g6wu-Cb?d;1;x8gou5O)2FEFIc2j;VxP;e&eed2s;pQ6$c zzNyMEFoNNTk98LzY(Cd5mdme|AdzNEcaum1>!k2ImH!RHk+qWec3Ly0N#0K%rpb9s zojCT@lK7>})eP9*vCWYb;M~VdVizdD(N@< z=Lh<>9yj*R_AFO5@L@sIrn=2b0WJ^~c88&eWUnXjgqRdGhPGK++WHYsJM>JI(pFd< z<(3%Hxe{C7?q8tu@4*?YJ_SJ7iQ7$8%b(aEi73A~xQAGbf<~!dpC57cQw+qa-S{Yc zh-inpBcC>*k7Oui<5IarnhdQ8Kk4>yBml8*YKED})w?P-IBipUtD>P`ffY1IoE%IUai{G5aG&&hpNTeHjoDP3NOF{81j24C*E!QhA?!D}e zqK|Zf`BpB$p!%|C8~PNL6*+VqnUfZ>i;i2u&+VdxJ(fOhk+ssiQDhvivGmJBMbCz- zcS_lUsv%0a(MK}3*qN?v1F<+raj~$?b9ydlXMK6%MYv(*+!`eS25$TgTbm56iR`s- z2#UNe`Q&0j73wL%BIX`H_gV`2`BPRwRMSQ+{ZwzD9*!BOcwD~jwHm%R2>4&r2G^M_ z8P0eh)VcU(ND<%eySm>VwXN+!@Ft9-z2%a(eR|^Ht@_PPW&8o%rJ1Zh=W|>mN#tO3 zrBKGO(6xOtTfdE7nHtR^w$8yS9Ki8}jWu#3?#Iy-7vnNBgt8=Q?I`d=Su8E)Hw_>e zm<6V3|4#AnsYk^vl)Ls;B(fS7D6Xr~GuU5`(v^uozs4){i}N~UP5z?@)bKS`w(jA{ zq%!LdulC4wv4`}`c--Fs>a1i8%N|C!*|raDWm5;0zXrQT{}#W$y58y~@VKrg+;_jy zt=SfTk_`~w8~&W!P}umP8yO)*;HL&O?5()or!|1wlC}dOi7j%ObWl&Lbs=@v_T%q+ zsHg+73YUg-n+e#6T1qTra$Gil!@*D;|3GU`XOy6nkL9@Mbd8eTMbg<;tpw0(Rn;YH z#KAcnEo$k2pK3%3Fr%>RsunewHEl~`sXa+{OaoDK$8j|Z%n^;o)H};e4`bAI_60NW zAhpjh>ABy`v}7N6RJ^ji7beE_xJ?9I+PW7$ur>EaC$aoGOX)|?DDCc;mN}A%ncaJ; zFHAvWLHCn0syr1VL6k1)5YEzXiP)(yhcgHDW_$-aeOu=ex#Rx)F9Oz_f1Sv$XDuB> z;O=LTP2m8%9Aa6e#?Xrk0d(B*5A`=HbeM)-8czq0-el}U(;FRB^*+?%LZba~3d5twl_WG%tX{_;x@O5k#bhacOw$*GnI(ZZ179Xq}pC+qppj^8$;e$KhHfFp%Q$qx4D#as`R} zlgCxd#0;8oJ_>@Z6N3~q+Hg^!^Fi)T z)o9vRlpHH2c;FBI(XgZsAT?bYncui$LP}yP7y@eSiMgC9&fZl}M%H?&`YC^C2x&f* z_Aqdiu=?1=|kfO5JQ{GjR@!wqhO-pjGAYgTc)y7z;j-x4`1+}xlL zeI}&A6ZayT|M1L~Bch*1ih2M?<2y6MN`#rzGqNxKLqQQF8pWBq=#UMkJ>t=lBR8136qW&6`?v<*-bTAha!j^MGn55`$CKk%)>&7{{NA z62=k}ETpTs+gI9XAjp1XhF6gnB%q-w2-&KcJ^xaOFAwg}yDZn9gic{QIvAvhG_T5A zLP%cjJg!$%k&K5&Ugdlyz-%6GWgK1yqHv0A5kE8z>&j`K4^|(-&njwU?b0S|w*2*J zfR3nv1LFZXyAkcNHm+PQWV4(YJ_rOD39CME|J zCyPq(DGHypZciJzq?%=zc){BcQG571Pa1qub*faJO`~mY^W7SU)!SBhMDJ`yi#JId zg&qnA)bQEBiAF-v6z`H{gr&dx+HucD7Wo%5D)>v2uj72DoJ~Z#Qf$ilUCiIxiu-H0 
zTkF+j;?z&|^WJ>}y|Alv*2YrCC`0DX@IXc7Ei>`U{MNjSR6gD(`3L?(R9mOCg8RG9 z-johVjrQhWoCV$zy5xS11F+_!hr~b`WhLf}04hcImiq5|b4Gm^OE8CYzV1Y3m(0=y@bYlpw>-|4puo4~4dr!e`|XDPdAD*pwP*`20{ ze!l14u`Ttvu-zixMLX?>LNn`F+B=5|%)!$cm~RK(puavv6r%UK=6Er!^w%-|Ckw5@ z7U&@SdA>gKrAz+QWLcU718%9s=&9^LP;}hzV-g@Rh*MogMWhQfgExf=hf^t<7r|oR6R@7rsbv`OS~Xf zz!VM{9fNq#Y-6f#IED?nUk_O{rm|kRH~A*|wjp2`G==f2o4E~>wh{5VSg($t-%gf! zX6R3?E?D~PsZ7Oxd0dO%t);y6u9i)J?bWhx;4`OQRM*WQ@lxRE)K{=OCQJ5Keg{bK z*)Y<}>!=C=#9vw>=djGO8TT3kXVn%P>N~t2nsnyT=y*_ky8c?7`5pZ>vg4o45oZGh zsd#~aGwbtzLwggefJ4SCgL-io0+`7Gyvbo@b+deO>Zi_@Q@nw9cI}wGg8nMW913R z`f$(t{%qNz+Qc-?3QHm&*<0K{d+DuL>m;`_A#Zm`cODi|VA&J+onMQiB?$-C6wL=_ zS?|D@*y_h-&0sSc8TGHG+e*-GC2I|v4y8}X2*e%%qS zOv}D=YE9F=ll0&3&hIanC%q@qRkjX;lP{RxgReP=1$1U1RtQLG5%C$|4LM7s>`i(a zK)58yLewKTcoF;Vswkhz{eB#oae9Qje#>~`U?XnU-4fakES-9t$8P|7RZ~5E+T2)t z!U@P3sIHtPaPGC0KcgUun1W8~qBL1n4xM0`tm{>b)%s5Y;V|MyyH;` zJ&V3dF3g}*Kq7SN1(m#pag+M_I7IsA|3nXB`N#| ztYgKQ1>eLbq8fH~apW~f33bU&KHCWd}dKhu~$fs4gH!^dVAgsyA=K}ro!vOuw)76;e-2?vo59ttI9_5+WqC=_i2s9zgLB6M0{ugs%=1)iLsU=-x zW1AL!dh&M19M? 
z>nSZkEgXZispd@SWU`szK)*P@%ZH}N6VR-Q5_pNGih+*Ms1-VF!Dk)tmt!+SPM4_~ zx+BRWQPA=K=~0XN|Jg$8c{nQN26meC_QgRvda`MDJqbDK{u9AWeA7g0yH3b%h)*TvMT^LBVITevCU7HQ^Z64|{0OmMP+Ag13Rl#qTv8qWdRypt31 zrD8N}J%wKMT$pc@*b&^jq9p6ye0c(ojYRMTKt+3;7$FZ1x6M1xWXKyQ5se%IQnbq% z^fL%^T_OteFas?-A&e`&sv!7KcMueVnO!>1q+cv0sFcVGAOWb1yMSiF*GvzfQACvf zNFmSR$BvjCumACmpFf?uiy;Li3fc1kX;qy5j1V$5BR>;q4D*7rF$)d|hlw{OO@AS{ zDXmK~se!=(PypV4IKY)jCi@=~6Mp%W#OP-7L5_2_ zO4hgygn18F+v#J$d%_Lvy%HzWBFB zJP^}HD$n2WZR}9f$nOvJ(WoUAe)Dp+miALp;$r?PJI}02urt2XwS)DHH?ln}wkDv> zkD@ky|HCyo(R(u3BdK_7Yj^}KlDVG=bSYwjNq#+}%ir6uck<)hS-9fC&3FfX!WF+z zjjh=UYv8gOLN@7Bz4-%AO{xY2KgAqEo|U>9K| zD^wd~elkc0A2MI0oUy3h`5rKgQbU|$n>{|X{~J-aFlLYF^PiyzFYW(}Dd*tpG;K(y zIcpk6#&ZJmhdWr(r@519!i%qq$a<9D0(Q(V2mp)=3I*|)B_kudOrg?9&s6lZhoN@I6KIcr}RZ2u*z`ldp(kDVVT$2%BoPl*)~ickEr!%khTS}rgJ%&XYgVr%_9 zAb61;NA^0==Z(^zR8Pm4j@uL>W0dp~#pGR#(sefCg2)<+H_y!z9!rpLjk$q4Px6kw zVSi9lA(QJrI)#gO!0KH$pFIe%KrGfr{qf$twUVb~`H$_nxE)m3uaaHHFXt2sl|aE1 z5;)v2F%Q-6^K0Rzv=7#~jQVI&{Hr!rf6`-BK?@vlHIo@{4vJb zD&R_SyzA#|ShUdYu&ZUQ=lWvC) z7;>6!*}3A)lKgHVF`R8h<~nr>R@|b9BF}cIM4~04C8@v`S{yHSGDpb}`VZWU4`ezV zGLy-ktW0f_e-laC#K`Xsmc%&S0)mrO0W5l&z~QMhtTOc<^Rfn^On2gX zIfi$J(HNEm0Lnux2+oCgIqm?SEL^1^LZo!(tQLcHum}uC#!GcQIb3emVlpAaW(+zK zRuLp^Uv#>Kh?$+dVZ9JE!4X6`E!fbcN?t14W2faJv3QRfHLXg5U!vJHIpB-BlsJq2 z{6Ls`29MvV_D|~%{6XLbMf(h?i4jS|DK-pYhn45Cy_vjv?$>ym5Vi30GzPza4ogl)@tGp?>{sZ2CkC1g&_zM>?FUJLZGj&vSsUDc?iC<#^(73t>^KNnJ3kihbqmnz=WCBj#`*y zUgy}wVp)uJnE8m_bt91AdMq=Eu#L%Ui*20!_qZ&<$#lu{S~(~XmIU} zN)a~}_bN>rQMbT5DdyQxB-;DfmT^)I$z5kIiDt%5WuL?WR;vOV+LsLq${E2ty zyPNp9ls;c5J!@Do0G~zI*95To)r#hxo_mXvjVj>+4xdI*$(jmVV031qM*u09)Y+BZ zl{8Q%!*+z*X0RdrPh2_amnHlPl{T>JtY4g<8UDp32JHpxbL_gae@m?HEDF0$R;V)+ zTPJXU_zXd_Efl+0O@AmhS+3DoO4D_ZP+L{PQLB383jzGW1);e5fHgJGUscP;B)w3R zX$rOC$6scBWUr5I)L%8mpl!}IlQ8DU7Q+bG8C$)8m5pEk^Q*^uQ-4d+gI@(^{o5Hk z+Ek^r4_lZicELs>cA~#&-i_fQH}e*H0|}VX$+g#c)#K-3FO`oD;^f(bKGLjqU!c#8 zpy1=rYaAOHrGUMbYvcYz)6prRbR5sc7@|uDV%)Xr$^cLQp%?LM%kbOFjAvMNEPi|0 
zL=!sGr}T3cIo6h))x#(19L_XUJ-+Og{GW{kP!=PjA6ljz!`>YJ1jM(-yXtDYW(_Ph zo}{y$?O>)`DEav1VpCWa-$~(r=bGcKH9>Ay%+=B2aL^4uyE}IGqW~4fxXwzYg;ixj zE>8r_9hn3c$c%mtV>~9rzbP{Yep8ZSXCy$KS`xJSP+*+>5euf_d=4f1mxM@pUBt_V zNpn};$Wy}vfgN=nenaMQNKf99DIb3>*WD|qtub2NF+xo_~dT2 zIq$A+_j;Pw6LD&>d9Tk3+UfhYQEN*F=?LfGVLFG-o#i2;Ea*2-W5Ubb>09q~fnvR_ z(DGl&0#tL(vVcrjiZ~kHt&XyY8GcW!q+7=BL%7j1bm}+yE39CbNX+*2m1{)Grr2S{ zASQnZ;fzoueWhTjW9%2YxW=imHPl~^LRo>YZ;wLjfuBfhxxfui=yJp24*?re%Wi*= zku+gtN;($Cxx`_|dQ(Qs7E49TrPGQy_>(%zBt*Q*0%=XD^B0Nq}6^V~>()m^bY5##DttFw;*&?pG{^#tZ2|2^( z^W|e>RZiCLw)$wv5e)%zAD&c?on-2KYODa8+x+Z*CeQC+-`nFPp5P%=`vQ51($@8r zHlD#Iul&g_?!COiOcTx95E;9}!(8uJI(5OV?nOSh?*maTM<8B%Aq)`kVvF;|YvdGb z*;&lTx8^|K`@j9|;a2;=he}eoZA>6b{}y7L066LYvqBTb3vW*X%$Nim=p&;?tpQiX zWdb6gF?VCu?LUGL{NCRHBc+S48D^^F&P9tPIe;5>h$SXhVL06DJ51AWz~``LMO~?=KzSX49erLrrlgKIx# z|ECPI`on52lz^ky{)H$Z?Rw2dsS388O=2+Lj88TmzZL*xs27|F**Mq(pXu;I=Gtk) z@REbO_ph>JgmJWJGs?ZIW(nCd2${}CW6i=-^!HAm4`@)&L=>D)z)QV*@>SDs(z6;f zl*n{tT&@3|7wFJ{@)_%hQBRVH3#B-K(hZfj1!|(}bS1V@)#&@;TS9jBCBOqZzjbJm z=1-Dj9IPfcsJA{?Z!)`Td;YKk(e)A?c7`x7Zz6{r4WDiv!}cUkSxUf;oWh8rjabpE z!nhb1r>U>2ra+86-ZM%KWoxLs#$+DfW>SF~9KtOllkEs4TEx02yv>7~rjYttgwL~v zIfT}gDuX;vcN59lIH5|fh;&gx2N{Z>peEQK8Qw*$5E!3Dn>Ics1<>%`(%i{5)OIb1 zthtGb+|7jI*M`?+?StiFpGrK*m_^n+GsQm=m#g4cJZZr?B!2w{ z_PsIFUV`0gprDFyD=(Itq8wZ>D&rbV z?lQ*KT-k;zWW+kxR;xNajvkuk}*%F+k+tlO%kpNT6amfl#C#!@Dx zxakRIAxKD!9ze^8N?&w`m68CsQiGEdUA%ot2>~nmVQ2}N!bn6n-xZ>m;hO)TU(72Q z48qq>w?EsxUFkaXYv%4nyy`ljWcWFJ=C~Q?4ftm_)EkZaudOydvl^lviR_qs4CxKz zRdpwZ8OSWfry-2&L8=kj6@*YID zSN%ho&jP0Aa4|~=pudi2MgeNdOhiZ$7AahxwUR~H%H%5w{csH52-ayX%H`|DVd4@< zx!UPrYuBicZZ3M>uNs7g6(Wag*3Oqf(^yArz;lFsspEEEABhG{~Y^wg#)D z-GgSJZpRJhYZuJzO5OpJ+{Sp$%4IHX8DT?)dtz*Er1G{&&+}kQ2`R8iud;$)i?t0` z3nT)os+qFR5WP<=Uj2cle#GQS`^}b!hKAji(g%#dw(JO8Ml@mC=!dGZdZ9)JCl8X| zAfS(!M`t#T`=f-)`H83&1s;PY2>01=^EJ3E z*KCrFobCkft-$73wic@3o3t5}EUC;o!(EyS6sC0!?_$N>H)NSDmPGeE-{g8&9pA`H zv6oqtyc#L4u|oTSz386v3xlr&>m(5No%2h1WU3(^3e`>364cF+xU*qg6^&2hPg4)( 
zVws==d4T@^z&6b%Um@VhcYV`RQ3w*AkCO3CIcH9~mlNa2-{+qTQoUE4cCrk;_;T~v zp=`D;30G_-q`Ou8*3SDupGkT{dBb?q(^ryv4C^My8sAf1jnGDT6)*~Hi0$j-&FShZ z1R@3Kcg2a#yhi+%22EQ-W zLpJzBYCCf?E;y~Q`LF|9wEk8-0HN6Q>Nrf^1i^+jYRfa39x6LPD=q8_Qj&YRs3{OV z{843C0z$gfD)+{o^5pQuG`&?>%9{5aI zcI(=Qw!q`GtJdt^>Z{h`UjK$XJ)eKUkl2s7Vk)wu#_Ey#7Ky)OP#%btuv1!K&S+2) zm0e`o>V>B`%t4_-URy9o*YJhRV6MO;?OeE+Z z!Z>|#A3qzE8Gz(4lYj{Sql|beYyJ9{h1T2EX3h6_4XyeX+w@zN+N_Sk0RiJp*T6J| ztt*n6^WxQ*H9anS`~fZWL$N&^MPo+zCC|Gj%w-39)RvZ22~_4xG4AK%=lS=nN&9n& z+ka)H-l_ojDadJ=bh`jp8Xe5%w-{;#lY*6?@L&}eTZkv7!{-sNgkez72xV!jr)8cn z5BOarscZxSSP$@^`UOGJnCE>v=DmyUFrVU#k@ee7dU7`cj0CwU^*Gjzj>wX(JE=a! zOK3>YQNu>ygqGW0{(UK@Ed9a{RiMe*M2qk#`>raZVdr~Y#JraI!dt$bGF#2(*-M>c z2hpbK;bHDzFaec`PRqaPeFm$8jVCwnzsLupevBj5uEN$%4(sNoz^R&O2BwnvO%9)QxW2wqP=I?{nGNUS zvqxitL3!^y5n*0>4T|~WtJB;ZAx#n_1A@oFP=yn$FV{qFvp+?xmyQ=%y=nWa|K}jQ z*O%H{>+1;pcadr0+rvt$S0`}>r|O*BIy^me?!utImwSPK-=-c}f?kiEjGj#4i5YNU zvJtuCy%HV&-immBJ!XEr{r>tG3ksrZ5hM+4{QCWROuD9g;k8ejU^~73@$m8b`nqPs XQ{nMN`SpJE1#Y-!$WCVl0rr0YQDEFA literal 0 HcmV?d00001