diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
deleted file mode 100644
index 56b11c825271..000000000000
--- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-generated.log-expected.json
+++ /dev/null
@@ -1,904 +0,0 @@ -{ - "expected": [ - { - "ecs": { - "version": "8.2.0" - }, - "message": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": 
"ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", - 
"tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper 
dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "nisiuta 1484921656.roid inibusB flows cancel", 
- "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "oin 1489861473.mvenia madminim events IDS: fugitsed", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e 
direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", - "tags": [ - "preserve_original_event" - ] - }, - 
{ - "ecs": { - "version": "8.2.0" - }, - "message": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both 
claim IP: 10.255.199.16", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "esci 1510855695.uov quaeab_ events IDS: moles", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "accusa 1512090649.natu liquid events IDS: enim", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tiumd 1519500375.ntmoll mexer events dhcp lease of 
ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip 
timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu 
dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "idexeac 1541729552.nimadmin midest_appliance events 
aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "edol 1549139277.sequuntu quameius_ events content_filtering_block 
url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "ercitati 1555314049.atem serro flows cancel", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse 
shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui 
last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "orese 1572603408.umdolore umqui_appliance 
events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.2.0" - }, - "message": "orr 1576308271.pre aute events IDS: rchite", - "tags": [ - "preserve_original_event" - ] - } - ] -} \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json index b42a403bb3d3..c5f6aaa9c405 100644 --- a/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json +++ b/packages/cisco_meraki/data_stream/log/_dev/test/pipeline/test-security-events.log-expected.json @@ -30,6 +30,7 @@ "info" ] }, + "message": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "network": { "direction": "ingress", "protocol": "tcp/ip" 
@@ -56,13 +57,7 @@ "tags": [ "forwarded", "preserve_original_event" - ], - "threat": { - "indicator": { - "description": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } + ] }, { "@timestamp": "2023-10-23T12:58:11.323Z", @@ -94,6 +89,7 @@ "info" ] }, + "message": "SERVER-WEBAPP PHPUnit PHP remote code execution attempt", "network": { "direction": "ingress", "protocol": "tcp/ip" @@ -120,13 +116,7 @@ "tags": [ "forwarded", "preserve_original_event" - ], - "threat": { - "indicator": { - "description": "SERVER-WEBAPP PHPUnit PHP remote code execution attempt", - "last_seen": "2023-10-23T12:58:11.322Z" - } - } + ] }, { "@timestamp": "2021-11-23T18:14:58.984Z", @@ -170,6 +160,12 @@ "info" ] }, + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" + }, + "name": "EICAR:EICAR_Test_file_not_a_virus-tpd" + }, "observer": { "hostname": "MX84" }, @@ -181,16 +177,12 @@ "forwarded", "preserve_original_event" ], - "threat": { - "indicator": { - "file": { - "hash": { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" - }, - "name": "EICAR:EICAR_Test_file_not_a_virus-tpd" - }, - "reference": "http://www.eicar.org/download/eicar.com.txt" - } + "url": { + "domain": "www.eicar.org", + "extension": "txt", + "original": "http://www.eicar.org/download/eicar.com.txt", + "path": "/download/eicar.com.txt", + "scheme": "http" } }, { 
@@ -218,23 +210,19 @@ "info" ] }, + "file": { + "hash": { + "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" + }, + "name": "EICAR:EICAR_Test_file_not_a_virus-tpd" + }, "observer": { "hostname": "MX84" }, "tags": [ "forwarded", "preserve_original_event" - ], - "threat": { - "indicator": { - "file": { - "hash": { - "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f" - }, - "name": "EICAR:EICAR_Test_file_not_a_virus-tpd" - } - } - } + ] }, { "@timestamp": "2021-11-24T19:58:11.345Z", @@ -286,12 +274,7 @@ "tags": [ "forwarded", "preserve_original_event" - ], - "threat": { - "indicator": { - "last_seen": "2021-11-24T19:58:11.512Z" - } - } + ] }, { "@timestamp": "2021-11-24T21:43:21.246Z", @@ -331,12 +314,7 @@ "tags": [ "forwarded", "preserve_original_event" - ], - "threat": { - "indicator": { - "last_seen": "2021-11-24T21:43:21.238Z" - } - } + ] } ] } \ No newline at end of file diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml index 3a9025cc109b..d229e61d9f9c 100644 --- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml +++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/idsalerts.yml @@ -14,10 +14,6 @@ processors: - rename: field: signature target_field: cisco_meraki.security.signature -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] - rename: field: direction target_field: network.direction diff --git a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/security.yml b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/security.yml index 44ba9c2a262b..9dfc516118c9 100644 --- a/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/security.yml +++ b/packages/cisco_meraki/data_stream/log/elasticsearch/ingest_pipeline/security.yml 
@@ -29,11 +29,6 @@ processors: field: signature target_field: cisco_meraki.security.signature ignore_missing: true -- date: - field: timestamp - target_field: threat.indicator.last_seen - formats: ['UNIX'] - if: ctx.timestamp != null - gsub: field: dhost target_field: cisco_meraki.security.dhost @@ -48,20 +43,14 @@ processors: field: protocol target_field: network.protocol ignore_missing: true -- rename: - field: message - target_field: threat.indicator.description - ignore_missing: true - if: ctx?.cisco_meraki?.event_subtype == 'ids_alerted' - rename: field: decision target_field: cisco_meraki.security.decision ignore_missing: true # handle fields of security_filtering_file_scanned or security_filtering_disposition_change type -- rename: +- uri_parts: field: url - target_field: threat.indicator.reference ignore_missing: true - gsub: field: mac @@ -71,11 +60,11 @@ processors: ignore_missing: true - rename: field: name - target_field: threat.indicator.file.name + target_field: file.name ignore_missing: true - rename: field: sha256 - target_field: threat.indicator.file.hash.sha256 + target_field: file.hash.sha256 ignore_missing: true - rename: field: disposition diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml index 7a4289609bb0..37c048e439f3 100644 --- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml @@ -86,6 +86,8 @@ name: file.directory - external: ecs name: file.extension +- external: ecs + name: file.hash.sha256 - external: ecs name: file.name - external: ecs @@ -220,6 +222,8 @@ name: source.subdomain - external: ecs name: source.top_level_domain +- external: ecs + name: url.extension - external: ecs name: url.domain - external: ecs @@ -230,6 +234,8 @@ name: url.query - external: ecs name: url.registered_domain +- external: ecs + name: url.scheme - external: ecs name: url.top_level_domain - external: ecs 
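Review bot: The new `uri_parts` processor on `url` carries no `on_failure` or `ignore_failure`, so a `security_filtering_file_scanned` / `security_filtering_disposition_change` event whose URL is not parseable by the processor (unencoded spaces, `|`, non-ASCII — all common in content-filter and file-scan logs) can now fail where the previous `rename` could not, and the malware-scan event is either dropped or routed to whatever outer `on_failure` this pipeline has, which is not visible in the hunk. Keep the event by adding `ignore_failure: true` to the processor, or an `on_failure` that at least preserves the raw value with `set: {field: url.original, copy_from: url}` followed by a `remove` of the top-level `url` so the string does not collide with the `url.*` object. Note also that `uri_parts` populates `url.username` and `url.password` when the URL embeds credentials, so those would be indexed in plaintext; if that is not wanted here, follow the processor with `remove: {field: url.password, ignore_missing: true}`. Moving `name`/`sha256` to `file.name`/`file.hash.sha256` is the right call, since these are observed files, not threat-intel indicators.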
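Review bot: The added `url.extension` and `url.scheme` declarations cover only the fields the EICAR fixture happens to exercise; `uri_parts` also emits `url.port`, `url.fragment`, `url.username` and `url.password` whenever the URL carries them (the deleted generated fixture on this page had `url=...#tatemac`, i.e. a fragment), and none of those appear in this hunk or in the README field table further down. Unless the data stream maps `url.*` dynamically, those values will either be silently dropped or trip a mapping failure depending on the template's `dynamic` setting, so add them as `external: ecs` entries next to `url.scheme` — `- external: ecs` / `  name: url.fragment`, and likewise for `url.port`, `url.username`, `url.password`. Declaring `url.password` also makes the plaintext-credential exposure an explicit, reviewable choice rather than an accident; if the team prefers not to index it, remove it in the pipeline instead and leave it undeclared.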
@@ -274,16 +280,6 @@ name: source.geo.region_name - external: ecs name: network.vlan.id -- external: ecs - name: threat.indicator.last_seen -- external: ecs - name: threat.indicator.description -- external: ecs - name: threat.indicator.reference -- external: ecs - name: threat.indicator.file.name -- external: ecs - name: threat.indicator.file.hash.sha256 - external: ecs name: client.geo.city_name - external: ecs diff --git a/packages/cisco_meraki/data_stream/log/sample_event.json b/packages/cisco_meraki/data_stream/log/sample_event.json index 57486fcf826a..8839b5c04650 100644 --- a/packages/cisco_meraki/data_stream/log/sample_event.json +++ b/packages/cisco_meraki/data_stream/log/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-11-23T18:13:18.348Z", "agent": { - "ephemeral_id": "66ed7cfa-f0ac-4350-9746-94eb916618bf", - "id": "0e259c68-d228-45c1-a61f-7ba14f07253b", + "ephemeral_id": "bd9fe1e0-a3cd-42b7-9b0b-e0946be0c276", + "id": "234cd698-ca4b-4fd7-8a3f-8617e423274a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.11.0" }, "cisco_meraki": { "event_subtype": "ids_alerted", @@ -30,9 +30,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "0e259c68-d228-45c1-a61f-7ba14f07253b", + "id": "234cd698-ca4b-4fd7-8a3f-8617e423274a", "snapshot": false, - "version": "8.0.0" + "version": "8.11.0" }, "event": { "action": "ids-signature-matched", @@ -42,7 +42,7 @@ "intrusion_detection" ], "dataset": "cisco_meraki.log", - "ingested": "2023-11-15T04:07:05Z", + "ingested": "2023-11-21T20:46:12Z", "original": "<134>1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "type": [ "info" 
@@ -53,9 +53,10 @@ }, "log": { "source": { - "address": "192.168.240.4:53108" + "address": "192.168.160.4:52334" } }, + "message": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "network": { "direction": "ingress", "protocol": "tcp/ip" @@ -83,11 +84,5 @@ "preserve_original_event", "cisco-meraki", "forwarded" - ], - "threat": { - "indicator": { - "description": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } + ] } \ No newline at end of file diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index 4ab108656f06..9c1fc2c54fd6 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md @@ -170,6 +170,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | file.attributes | Array of file attributes. Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. | keyword | | file.directory | Directory where the file is located. It should include the drive letter, when appropriate. | keyword | | file.extension | File extension, excluding the leading dot. Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| file.hash.sha256 | SHA256 hash. | keyword | | file.name | Name of the file including the extension, without the directory. | keyword | | file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword | | file.path.text | Multi-field of `file.path`. | match_only_text | 
@@ -265,17 +266,14 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | tags | List of keywords used to tag each event. | keyword | -| threat.indicator.description | Describes the type of action conducted by the threat. | keyword | -| threat.indicator.file.hash.sha256 | SHA256 hash. | keyword | -| threat.indicator.file.name | Name of the file including the extension, without the directory. | keyword | -| threat.indicator.last_seen | The date and time when intelligence source last reported sighting this indicator. | date | -| threat.indicator.reference | Reference URL linking to additional information about this indicator. | keyword | | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. 
If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard | | url.original.text | Multi-field of `url.original`. | match_only_text | | url.path | Path of the request, such as "/search". | wildcard | | url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | | url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. 
| keyword | | url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | user.full_name | User's full name, if available. | keyword | @@ -301,11 +299,11 @@ An example event for `log` looks as following: { "@timestamp": "2021-11-23T18:13:18.348Z", "agent": { - "ephemeral_id": "66ed7cfa-f0ac-4350-9746-94eb916618bf", - "id": "0e259c68-d228-45c1-a61f-7ba14f07253b", + "ephemeral_id": "bd9fe1e0-a3cd-42b7-9b0b-e0946be0c276", + "id": "234cd698-ca4b-4fd7-8a3f-8617e423274a", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0" + "version": "8.11.0" }, "cisco_meraki": { "event_subtype": "ids_alerted", @@ -330,9 +328,9 @@ An example event for `log` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "0e259c68-d228-45c1-a61f-7ba14f07253b", + "id": "234cd698-ca4b-4fd7-8a3f-8617e423274a", "snapshot": false, - "version": "8.0.0" + "version": "8.11.0" }, "event": { "action": "ids-signature-matched", @@ -342,7 +340,7 @@ An example event for `log` looks as following: "intrusion_detection" ], "dataset": "cisco_meraki.log", - "ingested": "2023-11-15T04:07:05Z", + "ingested": "2023-11-21T20:46:12Z", "original": "<134>1 1637691198.348361125 MX84 security_event ids_alerted signature=1:29708:4 priority=1 timestamp=1637691198.330873 dhost=D0:AB:D5:7B:43:73 direction=ingress protocol=tcp/ip src=67.43.156.12:80 dst=10.0.3.162:56391 decision=allowed message: BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "type": [ "info" 
@@ -353,9 +351,10 @@ An example event for `log` looks as following: }, "log": { "source": { - "address": "192.168.240.4:53108" + "address": "192.168.160.4:52334" } }, + "message": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", "network": { "direction": "ingress", "protocol": "tcp/ip" @@ -383,13 +382,7 @@ An example event for `log` looks as following: "preserve_original_event", "cisco-meraki", "forwarded" - ], - "threat": { - "indicator": { - "description": "BROWSER-IE Microsoft Internet Explorer CSS uninitialized object access attempt detected", - "last_seen": "2021-11-23T18:13:18.330Z" - } - } + ] } ```