From 084e151de8c464f9e491cf3fc584afc0f1068647 Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Tue, 5 May 2020 15:09:42 -0500
Subject: [PATCH] update osquery golden files (#18263)

PR 17881 didn't have updated golden files for osquery. This updates them.

Related #17881
---
 .../test/osquery.rootkit.log-expected.json | 360 +++++++++--
 .../osqueryd.results.darwin.log-expected.json | 600 +++++++++++++++---
 .../osqueryd.results.sample.log-expected.json | 600 +++++++++++++++---
 .../result/test/test.log-expected.json | 6 +-
 4 files changed, 1305 insertions(+), 261 deletions(-)

diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
index 5e03b82457b..bedd286615d 100644
--- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
+++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
@@ -29,8 +29,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -62,8 +66,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -95,8 +103,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -128,8 +140,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -161,8 +177,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -194,8 +214,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -227,8 +251,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -260,8 +288,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -293,8 +325,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -326,8 +362,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -359,8 +399,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -392,8 +436,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -425,8 +473,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -458,8 +510,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -491,8 +547,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -524,8 +584,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -557,8 +621,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -590,8 +658,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -623,8 +695,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -656,8 +732,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -689,8 +769,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -722,8 +806,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -755,8 +843,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -788,8 +880,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -821,8 +917,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -854,8 +954,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -887,8 +991,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -920,8 +1028,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -953,8 +1065,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -986,8 +1102,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1019,8 +1139,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1052,8 +1176,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1085,8 +1213,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1118,8 +1250,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1151,8 +1287,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1184,8 +1324,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1217,8 +1361,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1250,8 +1398,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1283,8 +1435,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1316,8 +1472,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1349,8 +1509,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1382,8 +1546,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1415,8 +1583,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1448,8 +1620,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1481,8 +1657,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1514,8 +1694,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1547,8 +1731,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1580,8 +1768,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1613,8 +1805,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1646,8 +1842,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1679,8 +1879,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1712,8 +1916,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1745,8 +1953,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1778,8 +1990,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1811,8 +2027,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1844,8 +2064,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1877,8 +2101,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T14:51:55.000Z",
@@ -1910,8 +2138,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_osquery-monitoring_schedule",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T17:06:29.000Z",
@@ -1963,8 +2195,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_ossec-rootkit_slapper_installed",
 "osquery.result.unix_time": "1515431189",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_ossec-rootkit_slapper_installed",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2018-01-08T17:19:48.000Z",
@@ -2016,7 +2252,11 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_ossec-rootkit_adore_worm",
 "osquery.result.unix_time": "1515431988",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_ossec-rootkit_adore_worm",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json
index 7b7a06ee846..9a892288d5f 100644
--- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json
+++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json
@@ -22,8 +22,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "org.python.python.app",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -48,8 +52,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "com.apple.ruby",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -74,8 +82,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "com.apple.a2p",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -100,8 +112,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "com.apple.javajdk16.cmd",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -126,8 +142,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "com.apple.php",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -152,8 +172,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "com.apple.nc",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -178,8 +202,12 @@
 "osquery.result.name": "pack_it-compliance_alf_explicit_auths",
 "osquery.result.unix_time": "1514471990",
 "process.name": "com.apple.ksh",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_explicit_auths",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -206,8 +234,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "httpd",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -234,8 +266,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "cupsd",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -262,8 +298,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "AEServer",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -290,8 +330,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "ftpd",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -318,8 +362,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "AppleFileServer",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -346,8 +394,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "sshd-keygen-wrapper",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -374,8 +426,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "smbd",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -402,8 +458,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "AppleVNCServer",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:50.000Z",
@@ -430,8 +490,12 @@
 "osquery.result.name": "pack_it-compliance_alf_services",
 "osquery.result.unix_time": "1514471990",
 "process.name": "ODSAgent",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_alf_services",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -481,9 +545,13 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_firefox_addons",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_firefox_addons",
 "service.type": "osquery",
- "url.full": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380"
+ "url.full": "https://addons.cdn.mozilla.net/user-media/addons/8542/lastpass_password_manager-4.2.3.20-an+fx.xpi?filehash=sha256%3Acb837b4d738d51fac1d4361b7ac50cac1fc2828c2848057f10f88220aff77380",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -533,8 +601,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_firefox_addons",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_firefox_addons",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -584,8 +656,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_firefox_addons",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_firefox_addons",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -635,8 +711,12 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_firefox_addons",
 "osquery.result.unix_time": "1514471991",
+ "related.user": [
+ "tsg"
+ ],
 "rule.name": "pack_it-compliance_firefox_addons",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "tsg"
 },
 {
 "@timestamp": "2017-12-28T14:39:51.000Z",
@@ -686,8 +766,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -737,8 +821,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -788,8 +876,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -839,8 +931,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -890,8 +986,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -941,8 +1041,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -992,8 +1096,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1043,8 +1151,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1094,9 +1206,13 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_firefox_addons", "service.type": "osquery", - "url.full": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon" + "url.full": "file:///var/folders/rl/ps6sz7995lq3kqz5v9bmwjlh0000gn/T/tmpaddon", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1123,8 +1239,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1151,8 +1271,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1179,8 +1303,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1207,8 +1335,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1235,8 +1367,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1263,8 +1399,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1291,8 +1431,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1319,8 +1463,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1347,8 +1495,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1375,8 +1527,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1403,8 +1559,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1431,8 +1591,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1459,8 +1623,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1487,8 +1655,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1515,8 +1687,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1543,8 +1719,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1571,8 +1751,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1599,8 +1783,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1627,8 +1815,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1655,8 +1847,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1683,8 +1879,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1711,8 +1911,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1739,8 +1943,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1767,8 +1975,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1795,8 +2007,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1823,8 +2039,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1851,8 +2071,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1879,8 +2103,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1907,8 +2135,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1935,8 +2167,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -1963,8 +2199,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -1991,8 +2231,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2019,8 +2263,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2047,8 +2295,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2075,8 +2327,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2103,8 +2359,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2131,8 +2391,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2159,8 +2423,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2187,8 +2455,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2215,8 +2487,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2243,8 +2519,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2271,8 +2551,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2299,8 +2583,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2327,8 +2615,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2355,8 +2647,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2383,8 +2679,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2411,8 +2711,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2439,8 +2743,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2467,8 +2775,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2495,8 +2807,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2523,8 +2839,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2551,8 +2871,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2579,8 +2903,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2607,8 +2935,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2635,8 +2967,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2663,8 +2999,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2691,8 +3031,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2719,8 +3063,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2747,8 +3095,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2775,8 +3127,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2803,8 +3159,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2831,8 +3191,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2859,8 +3223,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2887,8 +3255,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2915,8 +3287,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -2943,8 +3319,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2971,8 +3351,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -2999,8 +3383,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -3027,8 +3415,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", @@ -3055,8 +3447,12 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" }, { "@timestamp": "2017-12-28T14:39:51.000Z", 
@@ -3083,7 +3479,11 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_homebrew_packages", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json index 5e98a6bc7c0..30f8ae2259b 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json @@ -26,8 +26,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "system_info", "osquery.result.unix_time": "1512649280", + "related.user": [ + "ubuntu" + ], "rule.name": "system_info", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:15.000Z", @@ -56,8 +60,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_kernel_modules", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:15.000Z", @@ -86,8 +94,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_kernel_modules", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:15.000Z", 
@@ -116,8 +128,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -146,8 +162,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -176,8 +196,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -206,8 +230,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -236,8 +264,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -266,8 +298,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -296,8 +332,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -326,8 +366,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -356,8 +400,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -386,8 +434,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -416,8 +468,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -446,8 +502,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -476,8 +536,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -506,8 +570,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -536,8 +604,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -566,8 +638,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -596,8 +672,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -626,8 +706,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -656,8 +740,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -686,8 +774,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -716,8 +808,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -746,8 +842,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -776,8 +876,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -806,8 +910,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -836,8 +944,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -866,8 +978,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -896,8 +1012,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -926,8 +1046,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -956,8 +1080,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -986,8 +1114,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1016,8 +1148,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1046,8 +1182,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1076,8 +1216,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1106,8 +1250,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1136,8 +1284,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1166,8 +1318,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1196,8 +1352,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1226,8 +1386,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1256,8 +1420,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1286,8 +1454,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1316,8 +1488,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1346,8 +1522,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1376,8 +1556,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1406,8 +1590,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1436,8 +1624,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1466,8 +1658,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1496,8 +1692,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1526,8 +1726,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1556,8 +1760,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1586,8 +1794,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1616,8 +1828,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1646,8 +1862,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1676,8 +1896,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:15.000Z",
@@ -1706,8 +1930,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_kernel_modules",
 "osquery.result.unix_time": "1512669435",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_kernel_modules",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1738,8 +1966,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1770,8 +2002,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1802,8 +2038,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1834,8 +2074,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1866,8 +2110,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1898,8 +2146,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1930,8 +2182,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1962,8 +2218,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -1994,8 +2254,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2026,8 +2290,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2058,8 +2326,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2091,8 +2363,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_os_version",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_os_version",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:18.000Z",
@@ -2140,8 +2416,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_osquery_info",
 "osquery.result.unix_time": "1512669438",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_osquery_info",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2172,8 +2452,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2204,8 +2488,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2236,8 +2524,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2268,8 +2560,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2300,8 +2596,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2332,8 +2632,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2364,8 +2668,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2396,8 +2704,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2428,8 +2740,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2460,8 +2776,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2492,8 +2812,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_disk_encryption",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_disk_encryption",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2525,8 +2849,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_os_version",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_os_version",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:19.000Z",
@@ -2574,8 +2902,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_osquery_info",
 "osquery.result.unix_time": "1512669439",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_osquery_info",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2611,8 +2943,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2648,8 +2984,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2685,8 +3025,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2722,8 +3066,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2759,8 +3107,12 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.user": [
+ "ubuntu"
+ ],
 "rule.name": "pack_it-compliance_mounts",
- "service.type": "osquery"
+ "service.type": "osquery",
+ "user.name": "ubuntu"
 },
 {
 "@timestamp": "2017-12-07T17:57:21.000Z",
@@ -2796,8 +3148,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -2833,8 +3189,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -2870,8 +3230,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -2907,8 +3271,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -2944,8 +3312,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", 
@@ -2981,8 +3353,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -3018,8 +3394,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -3055,8 +3435,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -3092,8 +3476,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -3129,8 +3517,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", 
@@ -3166,8 +3558,12 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" }, { "@timestamp": "2017-12-07T17:57:21.000Z", @@ -3203,7 +3599,11 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.user": [ + "ubuntu" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "ubuntu" } ] \ No newline at end of file diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json index 1051a6d64a8..37a56ff8f13 100644 --- a/filebeat/module/osquery/result/test/test.log-expected.json +++ b/filebeat/module/osquery/result/test/test.log-expected.json @@ -33,7 +33,11 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1514472008", + "related.user": [ + "tsg" + ], "rule.name": "pack_it-compliance_mounts", - "service.type": "osquery" + "service.type": "osquery", + "user.name": "tsg" } ] \ No newline at end of file