manifest.json
{
"id": "security_auth",
"title": "Security: Authentication",
"description": "Detect anomalous activity in your ECS-compatible authentication logs.",
"type": "Auth data",
"logoFile": "logo.json",
"defaultIndexPattern": "auditbeat-*,logs-*,filebeat-*,winlogbeat-*",
"query": {
"bool": {
"filter": [
{
"term": {
"event.category": "authentication"
}
}
],
"must_not": { "terms": { "_tier": ["data_frozen", "data_cold"] } }
}
},
"jobs": [
{
"id": "auth_high_count_logon_events_for_a_source_ip",
"file": "auth_high_count_logon_events_for_a_source_ip.json"
},
{
"id": "auth_high_count_logon_fails",
"file": "auth_high_count_logon_fails.json"
},
{
"id": "auth_high_count_logon_events",
"file": "auth_high_count_logon_events.json"
},
{
"id": "auth_rare_hour_for_a_user",
"file": "auth_rare_hour_for_a_user.json"
},
{
"id": "auth_rare_source_ip_for_a_user",
"file": "auth_rare_source_ip_for_a_user.json"
},
{
"id": "auth_rare_user",
"file": "auth_rare_user.json"
},
{
"id": "suspicious_login_activity",
"file": "suspicious_login_activity.json"
}
],
"datafeeds": [
{
"id": "datafeed-auth_high_count_logon_events_for_a_source_ip",
"file": "datafeed_auth_high_count_logon_events_for_a_source_ip.json",
"job_id": "auth_high_count_logon_events_for_a_source_ip"
},
{
"id": "datafeed-auth_high_count_logon_fails",
"file": "datafeed_auth_high_count_logon_fails.json",
"job_id": "auth_high_count_logon_fails"
},
{
"id": "datafeed-auth_high_count_logon_events",
"file": "datafeed_auth_high_count_logon_events.json",
"job_id": "auth_high_count_logon_events"
},
{
"id": "datafeed-auth_rare_hour_for_a_user",
"file": "datafeed_auth_rare_hour_for_a_user.json",
"job_id": "auth_rare_hour_for_a_user"
},
{
"id": "datafeed-auth_rare_source_ip_for_a_user",
"file": "datafeed_auth_rare_source_ip_for_a_user.json",
"job_id": "auth_rare_source_ip_for_a_user"
},
{
"id": "datafeed-auth_rare_user",
"file": "datafeed_auth_rare_user.json",
"job_id": "auth_rare_user"
},
{
"id": "datafeed-suspicious_login_activity",
"file": "datafeed_suspicious_login_activity.json",
"job_id": "suspicious_login_activity"
}
]
}