diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
index ffe90e79f85..4e401931415 100644
--- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
@@ -55,7 +55,7 @@ processors:
ignore_missing: true
- append:
field: related.hosts
- value: '{{host.hostname server.domain}}'
+ value: '{{host.hostname}}'
allow_duplicates: false
if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
- append:
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
index 4056ed473ca..90805d72bcd 100644
--- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
@@ -20,9 +20,9 @@
"10.208.15.216"
],
"related.user": [
+ "quasiarc",
"itv",
- "utl",
- "quasiarc"
+ "utl"
],
"rsa.db.index": "nes",
"rsa.internal.event_desc": "pexe",
@@ -67,13 +67,13 @@
"iatnu3810.mail.localdomain"
],
"related.ip": [
- "10.92.136.230",
- "10.175.75.18"
+ "10.175.75.18",
+ "10.92.136.230"
],
"related.user": [
- "dolore",
+ "orev",
"nnumqu",
- "orev"
+ "dolore"
],
"rsa.db.database": "umdo",
"rsa.db.index": "vol",
@@ -130,13 +130,13 @@
"anti4454.api.example"
],
"related.ip": [
- "10.46.185.46",
- "10.51.132.10"
+ "10.51.132.10",
+ "10.46.185.46"
],
"related.user": [
- "incid",
+ "serror",
"nse",
- "serror"
+ "incid"
],
"rsa.db.database": "byC",
"rsa.db.index": "tur",
@@ -197,9 +197,9 @@
"10.53.192.140"
],
"related.user": [
+ "psumquia",
"atcup",
- "ptass",
- "psumquia"
+ "ptass"
],
"rsa.db.database": "aperi",
"rsa.db.index": "llumd",
@@ -253,9 +253,9 @@
"10.81.199.122"
],
"related.user": [
+ "oremips",
"eos",
- "giatq",
- "oremips"
+ "giatq"
],
"rsa.db.index": "tempo",
"rsa.internal.event_desc": "uian",
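Review bot: Replacing `value: '{{host.hostname server.domain}}'` with `value: '{{host.hostname}}'` silently drops `server.domain` from `related.hosts`; if the domain was meant to be correlated as well, it needs its own `append` step with a matching guard, e.g. `if: ctx?.server?.domain != null && ctx.server?.domain != ''`. The expected-file section shows the old two-field template rendering as an empty string in `related.hosts` (the `""` entry replaced by `"xeacomm6855.api.corp"`), so the new value is correct, but nothing in the hunk records why; a comment above the processor such as `# host.hostname only: a multi-field mustache template renders empty and pollutes related.hosts with ""` would keep it from being reintroduced. Most of the remaining expected-file churn is reordering of `related.ip` and `related.user` entries, which looks unrelated to this template change and suggests the fixture was regenerated rather than hand-edited. The enclosing `processors:` list continues outside the hunk.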
@@ -304,9 +304,9 @@
"10.139.186.201"
],
"related.user": [
- "uam",
"tcupida",
- "aboris"
+ "aboris",
+ "uam"
],
"rsa.db.database": "isiu",
"rsa.db.index": "iatisu",
@@ -367,9 +367,9 @@
"10.104.111.129"
],
"related.user": [
+ "ele",
"etconsec",
- "ipis",
- "ele"
+ "ipis"
],
"rsa.db.database": "riat",
"rsa.db.index": "umdolor",
@@ -423,9 +423,9 @@
"10.116.120.216"
],
"related.user": [
- "quiratio",
+ "animi",
"umdo",
- "animi"
+ "quiratio"
],
"rsa.db.index": "oll",
"rsa.internal.event_desc": "rumet",
@@ -470,13 +470,13 @@
"isqu7224.localdomain"
],
"related.ip": [
- "10.57.40.29",
- "10.62.54.220"
+ "10.62.54.220",
+ "10.57.40.29"
],
"related.user": [
"psum",
- "rnatura",
- "taevi"
+ "taevi",
+ "rnatura"
],
"rsa.db.database": "emeumfug",
"rsa.db.index": "omn",
@@ -530,9 +530,9 @@
"10.74.237.180"
],
"related.user": [
- "ema",
+ "tnon",
"cup",
- "tnon"
+ "ema"
],
"rsa.db.index": "remeumf",
"rsa.internal.event_desc": "lup",
@@ -618,8 +618,8 @@
"10.74.253.127"
],
"related.user": [
- "onproide",
"icab",
+ "onproide",
"tema"
],
"rsa.db.index": "mqui",
@@ -664,8 +664,8 @@
"tlabo6088.www.localdomain"
],
"related.ip": [
- "10.189.109.245",
- "10.92.8.15"
+ "10.92.8.15",
+ "10.189.109.245"
],
"related.user": [
"inima",
@@ -766,8 +766,8 @@
"10.18.109.121"
],
"related.user": [
- "hil",
"tatn",
+ "hil",
"pida"
],
"rsa.db.index": "quip",
@@ -817,9 +817,9 @@
"10.63.37.192"
],
"related.user": [
+ "reetd",
"iunt",
- "equep",
- "reetd"
+ "equep"
],
"rsa.db.database": "aliqu",
"rsa.db.index": "mipsumd",
@@ -880,9 +880,9 @@
"10.47.202.102"
],
"related.user": [
- "run",
+ "ice",
"ntor",
- "ice"
+ "run"
],
"rsa.db.database": "ite",
"rsa.db.index": "iquipex",
@@ -942,8 +942,8 @@
"10.106.239.55"
],
"related.user": [
- "itquiin",
- "serunt"
+ "serunt",
+ "itquiin"
],
"rsa.db.database": "itame",
"rsa.db.index": "oluptas",
@@ -999,13 +999,13 @@
"etMalor4236.www5.host"
],
"related.ip": [
- "10.125.160.129",
- "10.53.168.235"
+ "10.53.168.235",
+ "10.125.160.129"
],
"related.user": [
+ "one",
"abi",
- "ione",
- "one"
+ "ione"
],
"rsa.db.database": "sperna",
"rsa.db.index": "estia",
@@ -1066,8 +1066,8 @@
"10.227.177.121"
],
"related.user": [
- "liqui",
"tasuntex",
+ "liqui",
"iduntu"
],
"rsa.db.database": "rvel",
@@ -1125,16 +1125,16 @@
"process.name": "laboree.exe",
"process.pid": 6501,
"related.hosts": [
- "",
+ "xeacomm6855.api.corp",
"nsecte3304.mail.corp"
],
"related.ip": [
- "10.167.85.181",
- "10.98.182.220"
+ "10.98.182.220",
+ "10.167.85.181"
],
"related.user": [
- "fde",
- "econs"
+ "econs",
+ "fde"
],
"rsa.db.database": "equat",
"rsa.internal.event_desc": "orpor",
@@ -1189,9 +1189,9 @@
"10.89.208.95"
],
"related.user": [
- "iciadese",
"icabo",
- "sintoc"
+ "sintoc",
+ "iciadese"
],
"rsa.db.index": "eni",
"rsa.internal.event_desc": "rcitati",
@@ -1240,9 +1240,9 @@
"10.72.148.32"
],
"related.user": [
- "uteirure",
"tDuisaut",
- "luptatev"
+ "luptatev",
+ "uteirure"
],
"rsa.db.database": "uamest",
"rsa.db.index": "uae",
@@ -1362,12 +1362,12 @@
"tnonpro7635.localdomain"
],
"related.ip": [
- "10.192.34.76",
- "10.213.144.249"
+ "10.213.144.249",
+ "10.192.34.76"
],
"related.user": [
- "lore",
"temqu",
+ "lore",
"iquipe"
],
"rsa.db.database": "gnamal",
@@ -1482,9 +1482,9 @@
"10.143.193.199"
],
"related.user": [
- "tqu",
+ "niamqui",
"quid",
- "niamqui"
+ "tqu"
],
"rsa.db.index": "inci",
"rsa.internal.event_desc": "eroinBCS",
@@ -1533,9 +1533,9 @@
"10.65.175.9"
],
"related.user": [
+ "umqu",
"ritatise",
- "essequam",
- "umqu"
+ "essequam"
],
"rsa.db.database": "ender",
"rsa.db.index": "entorev",
@@ -1589,9 +1589,9 @@
"10.205.72.243"
],
"related.user": [
- "isiuta",
"tatn",
- "umdolo"
+ "umdolo",
+ "isiuta"
],
"rsa.db.index": "proide",
"rsa.internal.event_desc": "ameiusm",
@@ -1633,9 +1633,9 @@
"10.107.9.163"
],
"related.user": [
- "sit",
+ "mac",
"mquisno",
- "mac"
+ "sit"
],
"rsa.db.index": "sit",
"rsa.internal.event_desc": "tdol",
@@ -1677,9 +1677,9 @@
"10.80.101.72"
],
"related.user": [
+ "asiarc",
"umSe",
- "quidexea",
- "asiarc"
+ "quidexea"
],
"rsa.db.index": "veli",
"rsa.internal.event_desc": "quatu",
@@ -1728,9 +1728,9 @@
"10.39.10.155"
],
"related.user": [
- "urExcept",
+ "ptass",
"aboreetd",
- "ptass"
+ "urExcept"
],
"rsa.db.database": "teirured",
"rsa.db.index": "dolorem",
@@ -1828,9 +1828,9 @@
"10.71.238.250"
],
"related.user": [
+ "reseo",
"moenimi",
- "aec",
- "reseo"
+ "aec"
],
"rsa.db.index": "mac",
"rsa.internal.event_desc": "quamest",
@@ -1875,13 +1875,13 @@
"rum5798.home"
],
"related.ip": [
- "10.226.20.199",
- "10.226.101.180"
+ "10.226.101.180",
+ "10.226.20.199"
],
"related.user": [
- "ritt",
"rationev",
- "veniamqu"
+ "veniamqu",
+ "ritt"
],
"rsa.db.database": "conse",
"rsa.db.index": "imveniam",
@@ -1943,9 +1943,9 @@
"10.134.65.15"
],
"related.user": [
- "quaUten",
+ "cab",
"utaliqu",
- "cab"
+ "quaUten"
],
"rsa.db.database": "isciv",
"rsa.db.index": "nofd",
@@ -2002,8 +2002,8 @@
"10.70.147.120"
],
"related.user": [
- "cidunt",
"tten",
+ "cidunt",
"emqu"
],
"rsa.db.index": "eaqu",
@@ -2053,9 +2053,9 @@
"10.178.242.100"
],
"related.user": [
+ "idid",
"dqu",
- "loi",
- "idid"
+ "loi"
],
"rsa.db.database": "tenatuse",
"rsa.db.index": "ullamcor",
@@ -2109,9 +2109,9 @@
"10.211.179.168"
],
"related.user": [
- "ritati",
"untincul",
- "mmodoc"
+ "mmodoc",
+ "ritati"
],
"rsa.db.index": "emvele",
"rsa.internal.event_desc": "oluptas",
@@ -2153,9 +2153,9 @@
"10.30.243.163"
],
"related.user": [
- "illu",
"mven",
- "dolore"
+ "dolore",
+ "illu"
],
"rsa.db.index": "idol",
"rsa.internal.event_desc": "lore",
@@ -2200,12 +2200,12 @@
"dictasun3878.internal.localhost"
],
"related.ip": [
- "10.212.214.4",
- "10.6.79.159"
+ "10.6.79.159",
+ "10.212.214.4"
],
"related.user": [
- "amvo",
"quid",
+ "amvo",
"midestl"
],
"rsa.db.database": "urExce",
@@ -2267,8 +2267,8 @@
"10.237.170.202"
],
"related.user": [
- "liquide",
"rcit",
+ "liquide",
"atDu"
],
"rsa.db.database": "taedict",
@@ -2330,8 +2330,8 @@
"10.228.118.81"
],
"related.user": [
- "emoe",
"tatemU",
+ "emoe",
"itasper"
],
"rsa.db.database": "toditaut",
@@ -2389,13 +2389,13 @@
"esseq7889.www.invalid"
],
"related.ip": [
- "10.49.71.118",
- "10.234.165.130"
+ "10.234.165.130",
+ "10.49.71.118"
],
"related.user": [
"henderit",
- "emip",
- "iuntNequ"
+ "iuntNequ",
+ "emip"
],
"rsa.db.database": "veniamqu",
"rsa.db.index": "atquo",
@@ -2449,9 +2449,9 @@
"10.199.5.49"
],
"related.user": [
- "emip",
"turadipi",
- "olorema"
+ "olorema",
+ "emip"
],
"rsa.db.index": "ataevi",
"rsa.internal.event_desc": "minim",
@@ -2493,9 +2493,9 @@
"10.193.219.34"
],
"related.user": [
- "uamei",
+ "olorem",
"utlabo",
- "olorem"
+ "uamei"
],
"rsa.db.index": "nse",
"rsa.internal.event_desc": "orisni",
@@ -2540,12 +2540,12 @@
"tem6815.home"
],
"related.ip": [
- "10.174.185.109",
- "10.120.167.217"
+ "10.120.167.217",
+ "10.174.185.109"
],
"related.user": [
- "dolorem",
"rsp",
+ "dolorem",
"animid"
],
"rsa.db.database": "tsuntinc",
@@ -2603,12 +2603,12 @@
"mporainc2064.home"
],
"related.ip": [
- "10.141.213.219",
- "10.117.137.159"
+ "10.117.137.159",
+ "10.141.213.219"
],
"related.user": [
- "accusa",
"atev",
+ "accusa",
"ate"
],
"rsa.db.database": "nibus",
@@ -2666,13 +2666,13 @@
"caboNem1043.internal.home"
],
"related.ip": [
- "10.166.90.130",
- "10.94.224.229"
+ "10.94.224.229",
+ "10.166.90.130"
],
"related.user": [
"eavol",
- "etconsec",
- "rem"
+ "rem",
+ "etconsec"
],
"rsa.db.database": "oditempo",
"rsa.db.index": "deF",
@@ -2731,13 +2731,13 @@
"tatio6513.www.invalid"
],
"related.ip": [
- "10.201.81.46",
- "10.38.28.151"
+ "10.38.28.151",
+ "10.201.81.46"
],
"related.user": [
+ "mipsumqu",
"incidid",
- "tiumto",
- "mipsumqu"
+ "tiumto"
],
"rsa.db.database": "abor",
"rsa.db.index": "adol",
@@ -2796,12 +2796,12 @@
"dolori6232.api.invalid"
],
"related.ip": [
- "10.214.245.95",
- "10.255.28.56"
+ "10.255.28.56",
+ "10.214.245.95"
],
"related.user": [
- "umdolors",
"rerepre",
+ "umdolors",
"uptatem"
],
"rsa.db.database": "odt",
@@ -2900,8 +2900,8 @@
"10.141.200.133"
],
"related.user": [
- "iame",
"ess",
+ "iame",
"enim"
],
"rsa.db.index": "nofdeFi",
@@ -2945,8 +2945,8 @@
],
"related.user": [
"runtmo",
- "illoi",
- "ugi"
+ "ugi",
+ "illoi"
],
"rsa.db.index": "eetdo",
"rsa.internal.event_desc": "quaer",
@@ -2991,13 +2991,13 @@
"mestq2106.api.host"
],
"related.ip": [
- "10.41.89.217",
- "10.39.143.155"
+ "10.39.143.155",
+ "10.41.89.217"
],
"related.user": [
- "sedquiac",
"tem",
- "tperspic"
+ "tperspic",
+ "sedquiac"
],
"rsa.db.database": "radipis",
"rsa.db.index": "nse",
@@ -3058,8 +3058,8 @@
"10.5.5.1"
],
"related.user": [
- "minim",
"CSe",
+ "minim",
"unt"
],
"rsa.db.database": "atu",
@@ -3121,9 +3121,9 @@
"10.168.132.175"
],
"related.user": [
- "eursinto",
+ "iamea",
"giatquov",
- "iamea"
+ "eursinto"
],
"rsa.db.database": "ici",
"rsa.db.index": "iquaUt",
@@ -3177,9 +3177,9 @@
"10.123.154.17"
],
"related.user": [
+ "quiac",
"dolorsi",
- "lmo",
- "quiac"
+ "lmo"
],
"rsa.db.index": "idunt",
"rsa.internal.event_desc": "usantiu",
@@ -3270,9 +3270,9 @@
"10.126.205.76"
],
"related.user": [
- "rsitvol",
"Nemoenim",
- "iati"
+ "iati",
+ "rsitvol"
],
"rsa.db.index": "eFini",
"rsa.internal.event_desc": "acom",
@@ -3317,13 +3317,13 @@
"fic5107.home"
],
"related.ip": [
- "10.169.101.161",
- "10.164.66.154"
+ "10.164.66.154",
+ "10.169.101.161"
],
"related.user": [
- "orissu",
+ "eufug",
"ine",
- "eufug"
+ "orissu"
],
"rsa.db.database": "stquidol",
"rsa.db.index": "imadmini",
@@ -3377,8 +3377,8 @@
"10.70.83.200"
],
"related.user": [
- "metco",
"riat",
+ "metco",
"ihilmole"
],
"rsa.db.index": "urQuis",
@@ -3424,13 +3424,13 @@
"onpr47.api.home"
],
"related.ip": [
- "10.207.97.192",
- "10.134.55.11"
+ "10.134.55.11",
+ "10.207.97.192"
],
"related.user": [
+ "madminim",
"tanimid",
- "mmod",
- "madminim"
+ "mmod"
],
"rsa.db.database": "tetura",
"rsa.db.index": "uptasnul",
@@ -3492,8 +3492,8 @@
],
"related.user": [
"eritq",
- "oinBCSed",
- "texplica"
+ "texplica",
+ "oinBCSed"
],
"rsa.db.database": "lit",
"rsa.db.index": "ritati",
@@ -3550,8 +3550,8 @@
"eufugia4481.corp"
],
"related.ip": [
- "10.41.232.147",
- "10.61.175.217"
+ "10.61.175.217",
+ "10.41.232.147"
],
"related.user": [
"runtm",
@@ -3610,9 +3610,9 @@
"10.150.30.95"
],
"related.user": [
- "mini",
+ "atnonpr",
"uisnos",
- "atnonpr"
+ "mini"
],
"rsa.db.index": "smod",
"rsa.internal.event_desc": "isn",
@@ -3654,9 +3654,9 @@
"10.98.71.45"
],
"related.user": [
- "fugitse",
"CSe",
- "onse"
+ "onse",
+ "fugitse"
],
"rsa.db.index": "Dui",
"rsa.internal.event_desc": "isci",
@@ -3742,8 +3742,8 @@
"10.197.203.167"
],
"related.user": [
- "iumdo",
"uta",
+ "iumdo",
"eserun"
],
"rsa.db.index": "smo",
@@ -3786,9 +3786,9 @@
"10.187.170.23"
],
"related.user": [
- "ibusBo",
+ "enima",
"sectetu",
- "enima"
+ "ibusBo"
],
"rsa.db.index": "uido",
"rsa.internal.event_desc": "lab",
@@ -3837,9 +3837,9 @@
"10.250.248.215"
],
"related.user": [
- "aevitaed",
"tinculpa",
- "quaeratv"
+ "quaeratv",
+ "aevitaed"
],
"rsa.db.database": "lica",
"rsa.db.index": "uisnos",
@@ -3895,8 +3895,8 @@
"osa3211.www5.example"
],
"related.ip": [
- "10.147.154.118",
- "10.146.57.23"
+ "10.146.57.23",
+ "10.147.154.118"
],
"related.user": [
"tateveli",
@@ -3997,9 +3997,9 @@
"10.154.172.82"
],
"related.user": [
- "onnumqua",
+ "tetura",
"nesci",
- "tetura"
+ "onnumqua"
],
"rsa.db.index": "oinBCSed",
"rsa.internal.event_desc": "ntor",
@@ -4042,8 +4042,8 @@
],
"related.user": [
"tpers",
- "midestl",
- "expl"
+ "expl",
+ "midestl"
],
"rsa.db.index": "olu",
"rsa.internal.event_desc": "odocons",
@@ -4085,8 +4085,8 @@
"10.178.160.245"
],
"related.user": [
- "fdeFinib",
"turQuis",
+ "fdeFinib",
"olupta"
],
"rsa.db.index": "rsint",
@@ -4195,13 +4195,13 @@
"nimve2787.mail.test"
],
"related.ip": [
- "10.65.207.234",
- "10.222.32.183"
+ "10.222.32.183",
+ "10.65.207.234"
],
"related.user": [
"eve",
- "itame",
- "eruntmo"
+ "eruntmo",
+ "itame"
],
"rsa.db.database": "udexerc",
"rsa.db.index": "volup",
@@ -4255,9 +4255,9 @@
"10.16.181.60"
],
"related.user": [
+ "olore",
"gnama",
- "oinven",
- "olore"
+ "oinven"
],
"rsa.db.index": "uatu",
"rsa.internal.event_desc": "nderiti",
@@ -4343,9 +4343,9 @@
"10.204.214.98"
],
"related.user": [
+ "eprehe",
"porissus",
- "tdolo",
- "eprehe"
+ "tdolo"
],
"rsa.db.index": "abo",
"rsa.internal.event_desc": "ecte",
@@ -4387,8 +4387,8 @@
"10.223.178.192"
],
"related.user": [
- "etc",
"evel",
+ "etc",
"moenimip"
],
"rsa.db.index": "iarchit",
@@ -4434,13 +4434,13 @@
"ama6820.mail.example"
],
"related.ip": [
- "10.26.137.126",
- "10.26.33.181"
+ "10.26.33.181",
+ "10.26.137.126"
],
"related.user": [
- "taevit",
"ati",
- "audant"
+ "audant",
+ "taevit"
],
"rsa.db.database": "com",
"rsa.db.index": "mveni",
@@ -4560,13 +4560,13 @@
"lit4112.www.localhost"
],
"related.ip": [
- "10.107.24.54",
- "10.10.174.253"
+ "10.10.174.253",
+ "10.107.24.54"
],
"related.user": [
"itinvo",
- "uptasn",
- "hend"
+ "hend",
+ "uptasn"
],
"rsa.db.database": "lup",
"rsa.db.index": "isau",
@@ -4621,9 +4621,9 @@
"10.87.92.17"
],
"related.user": [
+ "eeufug",
"luptate",
- "tamr",
- "eeufug"
+ "tamr"
],
"rsa.db.index": "oreeufug",
"rsa.internal.event_desc": "ura",
@@ -4676,9 +4676,9 @@
"10.161.51.135"
],
"related.user": [
- "Finibus",
"accus",
- "asper"
+ "asper",
+ "Finibus"
],
"rsa.db.database": "litani",
"rsa.db.index": "arch",
@@ -4732,9 +4732,9 @@
"10.51.17.32"
],
"related.user": [
- "itten",
"mquido",
- "llum"
+ "llum",
+ "itten"
],
"rsa.db.index": "uscipit",
"rsa.internal.event_desc": "llitani",
@@ -4777,8 +4777,8 @@
],
"related.user": [
"ollita",
- "mmodicon",
- "cusa"
+ "cusa",
+ "mmodicon"
],
"rsa.db.index": "ercitati",
"rsa.internal.event_desc": "pteurs",
@@ -4824,13 +4824,13 @@
"uidol6868.mail.localdomain"
],
"related.ip": [
- "10.114.0.148",
- "10.198.187.144"
+ "10.198.187.144",
+ "10.114.0.148"
],
"related.user": [
"equatD",
- "rsitamet",
- "ons"
+ "ons",
+ "rsitamet"
],
"rsa.db.database": "periam",
"rsa.db.index": "umiurer",
@@ -4888,9 +4888,9 @@
"10.61.140.120"
],
"related.user": [
- "loru",
+ "naaliq",
"equa",
- "naaliq"
+ "loru"
],
"rsa.db.index": "umfugiat",
"rsa.internal.event_desc": "ora",
@@ -4935,13 +4935,13 @@
"ptat4878.lan"
],
"related.ip": [
- "10.149.238.108",
- "10.93.24.151"
+ "10.93.24.151",
+ "10.149.238.108"
],
"related.user": [
"ite",
- "nven",
- "sequamn"
+ "sequamn",
+ "nven"
],
"rsa.db.database": "fugi",
"rsa.db.index": "nesciu",
@@ -4995,9 +4995,9 @@
"10.101.45.225"
],
"related.user": [
- "emi",
"uinesc",
- "cipitla"
+ "cipitla",
+ "emi"
],
"rsa.db.index": "caecat",
"rsa.internal.event_desc": "tsunt",
@@ -5040,9 +5040,9 @@
"10.2.204.161"
],
"related.user": [
- "quela",
+ "eumfugia",
"ore",
- "eumfugia"
+ "quela"
],
"rsa.db.index": "olup",
"rsa.internal.event_desc": "quuntur",
@@ -5139,8 +5139,8 @@
"10.151.110.250"
],
"related.user": [
- "neavol",
"tla",
+ "neavol",
"pidatatn"
],
"rsa.db.database": "itaedict",
@@ -5258,9 +5258,9 @@
"10.128.102.130"
],
"related.user": [
- "que",
+ "sequatu",
"ore",
- "sequatu"
+ "que"
],
"rsa.db.index": "exerci",
"rsa.internal.event_desc": "olu",
@@ -5309,8 +5309,8 @@
"10.200.162.248"
],
"related.user": [
- "onnu",
"reseo",
+ "onnu",
"doloremi"
],
"rsa.db.database": "billo",
@@ -5365,8 +5365,8 @@
"10.103.215.159"
],
"related.user": [
- "volup",
"apa",
+ "volup",
"atatn"
],
"rsa.db.index": "atcupi",