diff --git a/.ci/jobs/beats-mbp-2.0.yml b/.ci/jobs/beats-mbp-2.0.yml deleted file mode 100644 index 3ccc435c8bd..00000000000 --- a/.ci/jobs/beats-mbp-2.0.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- -- job: - name: Beats/beats-mbp-2.0 - display-name: 'Beats (2.0)' - description: 'Beats Main Pipeline 2.0' - view: Beats - concurrent: true - project-type: multibranch - prune-dead-branches: true - days-to-keep: 30 - script-path: '.ci/Jenkinsfile' - triggers: [] - wrappers: [] - scm: - - github: - branch-discovery: 'no-pr' - discover-pr-forks-strategy: 'merge-current' - discover-pr-forks-trust: 'permission' - discover-pr-origin: 'merge-current' - head-filter-regex: '(master|7\.[x789]|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' - discover-tags: true - disable-pr-notifications: true - notification-context: "beats-ci-2.0" - repo: 'beats' - repo-owner: 'elastic' - credentials-id: github-app-beats-ci - ssh-checkout: - credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba - build-strategies: - - tags: - ignore-tags-older-than: -1 - ignore-tags-newer-than: 365 - - change-request: - ignore-target-only-changes: true - - named-branches: - - exact-name: - name: 'master' - case-sensitive: true - - regex-name: - regex: '7\.[x789]' - case-sensitive: true - - regex-name: - regex: '8\.\d+' - case-sensitive: true - clean: - after: true - before: true - prune: true - shallow-clone: true - depth: 3 - do-not-fetch-tags: true - submodule: - disable: false - recursive: true - parent-credentials: true - timeout: 100 - timeout: '15' - use-author: true - wipe-workspace: true diff --git a/.ci/scripts/generate_build_table.py b/.ci/scripts/generate_build_table.py new file mode 100755 index 00000000000..21fe5d67107 --- /dev/null +++ b/.ci/scripts/generate_build_table.py 
@@ -0,0 +1,52 @@
+#!/usr/bin/env python3
+
+import os
+import yaml
+
+if __name__ == "__main__":
+
+ print("| Beat | Stage | Command | MODULE | Platforms | When |")
+ print("|-------|--------|----------|---------|------------|------|")
+ for root, dirs, files in os.walk("."):
+ dirs.sort()
+ for file in files:
+ if file.endswith("Jenkinsfile.yml") and root != ".":
+ with open(os.path.join(root, file), 'r') as f:
+ doc = yaml.load(f, Loader=yaml.FullLoader)
+ module = root.replace(".{}".format(os.sep), '')
+ platforms = [doc["platform"]]
+ when = ""
+ if "branches" in doc["when"]:
+ when = f"{when}/:palm_tree:"
+ if "changeset" in doc["when"]:
+ when = f"{when}/:file_folder:"
+ if "comments" in doc["when"]:
+ when = f"{when}/:speech_balloon:"
+ if "labels" in doc["when"]:
+ when = f"{when}/:label:"
+ if "parameters" in doc["when"]:
+ when = f"{when}/:smiley:"
+ if "tags" in doc["when"]:
+ when = f"{when}/:taco:"
+ for stage in doc["stages"]:
+ withModule = False
+ if "make" in doc["stages"][stage]:
+ command = doc["stages"][stage]["make"]
+ if "mage" in doc["stages"][stage]:
+ command = doc["stages"][stage]["mage"]
+ if "platforms" in doc["stages"][stage]:
+ platforms = doc["stages"][stage]["platforms"]
+ if "withModule" in doc["stages"][stage]:
+ withModule = doc["stages"][stage]["withModule"]
+ if "when" in doc["stages"][stage]:
+ when = f"{when}/:star:"
+ print("| {} | {} | `{}` | {} | `{}` | {} |".format(
+ module, stage, command, withModule, platforms, when))
+
+print("> :palm_tree: -> Git Branch based")
+print("> :label: -> GitHub Pull Request Label based")
+print("> :file_folder: -> Changeset based")
+print("> :speech_balloon: -> GitHub Pull Request comment based")
+print("> :taco: -> Git tag based")
+print("> :smiley: -> Manual UI interaction based")
+print("> :star: -> More specific cases based")
diff --git a/.ci/scripts/get-vendor-dependencies.sh b/.ci/scripts/get-vendor-dependencies.sh
new file mode 100755
index 00000000000..e002a208b76
--- /dev/null
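Review bot: `command` and `platforms` are never reset inside the `for stage in doc["stages"]` loop, so a stage that defines neither `make` nor `mage` prints the previous stage's command (or raises `NameError` if it is the first stage), a stage-level `platforms` override leaks into every later stage of the same file, and `when` keeps growing by `/:star:` for every stage after the first one that has its own `when`. Reading the stage mapping once and deriving per-stage values fixes all three, as in the excerpt below. The loader is also wider than the data needs: these files are plain mappings read from the checked-out tree, which on a CI system includes pull-request content, so `yaml.safe_load(f)` should replace `yaml.load(f, Loader=yaml.FullLoader)`. Finally, the seven legend `print` lines sit outside the `if __name__ == "__main__":` guard and would execute on import; they belong inside it.
```python
# … unchanged: per-file `module` and `when` computation …
for stage, spec in doc["stages"].items():
    # `mage` wins over `make` when both are present, as in the original ordering.
    command = spec.get("mage", spec.get("make", ""))
    stage_platforms = spec.get("platforms", [doc["platform"]])
    with_module = spec.get("withModule", False)
    stage_when = f"{when}/:star:" if "when" in spec else when
    print("| {} | {} | `{}` | {} | `{}` | {} |".format(
        module, stage, command, with_module, stage_platforms, stage_when))
```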
+++ b/.ci/scripts/get-vendor-dependencies.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+#
+# Given the go module it will list all the dependencies that will be later on
+# used by the CI to enable/disable specific stages as long as the changeset
+# matches any of those patterns.
+#
+
+GO_VERSION=${GO_VERSION:?"GO_VERSION environment variable is not set"}
+BEATS=${1:?"parameter missing."}
+eval "$(gvm "${GO_VERSION}")"
+
+go list -deps ./"${BEATS}" \
+| grep 'elastic/beats' \
+| sort \
+| sed -e "s#github.com/elastic/beats/v7/##g" \
+| awk '{print "^" $1 "/.*"}'
diff --git a/.ci/scripts/install-tools.sh b/.ci/scripts/install-tools.sh
new file mode 100755
index 00000000000..297a7820cad
--- /dev/null
+++ b/.ci/scripts/install-tools.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -exuo pipefail
+
+.ci/scripts/install-go.sh
+.ci/scripts/install-docker-compose.sh
+.ci/scripts/install-terraform.sh
+make mage
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 3287a4853a9..01517e07245 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630] - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685] - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695] +- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202] *Filebeat* 
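Review bot: The script has no `set -e`/`pipefail`, and the pipeline's exit status is awk's, so if `go list -deps` fails (a compile error in the module, `gvm` not on PATH) the script prints nothing and exits 0; a caller that turns this output into the changeset patterns that enable or disable stages would then see an empty list and silently skip or mis-select stages. Add `set -euo pipefail` right after the shebang, matching `install-tools.sh` in the same commit. `eval "$(gvm "${GO_VERSION}")"` executes whatever that command emits as shell; a one-line comment above it saying what gvm is expected to print (presumably toolchain environment exports — confirm) and that `GO_VERSION` is supplied by the pipeline would help the next reader judge that line.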
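Review bot: `install-tools.sh` invokes `.ci/scripts/install-go.sh` and the other installers by repository-relative path, so it only works when the caller's working directory is the repository root, and nothing in the script states or enforces that precondition. Either add `cd "$(dirname "${BASH_SOURCE[0]}")/../.."` after the `set -exuo pipefail` line, or document it with a header comment such as `# Must be run from the repository root; installs the CI toolchain and builds mage.` so the failure is understood rather than surfacing as a bare "No such file" from `set -e`.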
@@ -589,6 +590,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added new module for Zoom webhooks {pull}20414[20414] - Add type and sub_type to panw panos fileset {pull}20912[20912] - Always attempt community_id processor on zeek module {pull}21155[21155] +- Add related.hosts ecs field to all modules {pull}21160[21160] *Heartbeat* @@ -713,6 +715,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Move `compute_vm_scaleset` to light metricset. {pull}21038[21038] {issue}20985[20985] - Sanitize `event.host`. {pull}21022[21022] - Add overview and platform health dashboards to Cloud Foundry module. {pull}21124[21124] +- Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] *Packetbeat* diff --git a/Jenkinsfile b/Jenkinsfile index bcf6d47f932..34d22d47bcd 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,20 +3,6 @@ @Library('apm@test/runbld') _ import groovy.transform.Field - - -/** - NOTE: Important note regarding the agents and labels. - agent labels are defined in the gobld service, that's managed by infra. The required format - is: - - ' && immutable' for linux OS. - - 'macosx' for the MacOS. - - 'windows-immutable && windows-' for Windows. NOTE: version might differ in some cases - - The above labels will help to set what OS family and specific version of the agent is - required to used in the stage. -*/ - /** This is required to store the stashed id with the test results to be digested with runbld */ 
@@ -25,21 +11,20 @@ import groovy.transform.Field pipeline { agent { label 'ubuntu-18 && immutable' } environment { + AWS_ACCOUNT_SECRET = 'secret/observability-team/ci/elastic-observability-aws-account-auth' REPO = 'beats' BASE_DIR = "src/github.com/elastic/${env.REPO}" - GOX_FLAGS = "-arch amd64" - DOCKER_COMPOSE_VERSION = "1.21.0" - TERRAFORM_VERSION = "0.12.24" - PIPELINE_LOG_LEVEL = "INFO" DOCKERELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' + DOCKER_COMPOSE_VERSION = "1.21.0" DOCKER_REGISTRY = 'docker.elastic.co' - AWS_ACCOUNT_SECRET = 'secret/observability-team/ci/elastic-observability-aws-account-auth' - RUNBLD_DISABLE_NOTIFICATIONS = 'true' + GOX_FLAGS = "-arch amd64" JOB_GCS_BUCKET = 'beats-ci-temp' JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' - XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' OSS_MODULE_PATTERN = '^[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' - PYTEST_ADDOPTS = "${params.PYTEST_ADDOPTS}" + PIPELINE_LOG_LEVEL = 'INFO' + RUNBLD_DISABLE_NOTIFICATIONS = 'true' + TERRAFORM_VERSION = "0.12.24" + XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' } options { timeout(time: 2, unit: 'HOURS') 
@@ -52,23 +37,16 @@ pipeline { rateLimitBuilds(throttle: [count: 60, durationName: 'hour', userBoost: true]) } triggers { - issueCommentTrigger('(?i)(.*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*|^/test(\\W+macos)?$)') + issueCommentTrigger('(?i)(.*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*|^/test\\W+.*$)') } parameters { - booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') - booleanParam(name: 'windowsTest', defaultValue: true, description: 'Allow Windows stages.') - booleanParam(name: 'macosTest', defaultValue: false, description: 'Allow macOS stages.') booleanParam(name: 'allCloudTests', defaultValue: false, description: 'Run all cloud integration tests.') - booleanParam(name: 'awsCloudTests', defaultValue: false, description: 'Run AWS cloud integration tests.') + booleanParam(name: 'awsCloudTests', defaultValue: true, description: 'Run AWS cloud integration tests.') string(name: 'awsRegion', defaultValue: 'eu-central-1', description: 'Default AWS region to use for testing.') - booleanParam(name: 'debug', defaultValue: false, description: 'Allow debug logging for Jenkins steps') - booleanParam(name: 'dry_run', defaultValue: false, description: 'Skip build steps, it is for testing pipeline flow') - string(name: 'PYTEST_ADDOPTS', defaultValue: '', description: 'Additional options to pass to pytest. Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. For retries you can use `--reruns 3 --reruns-delay 15`') + booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') + booleanParam(name: 'macosTest', defaultValue: false, description: 'Allow macOS stages.') } stages { - /** - Checkout the code and stash it, to use it on other stages. - */ stage('Checkout') { options { skipDefaultCheckout() } steps { 
@@ -77,711 +55,65 @@ pipeline { gitCheckout(basedir: "${BASE_DIR}", githubNotifyFirstTimeContributor: true) stashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") dir("${BASE_DIR}"){ - loadConfigEnvVars() - } - whenTrue(params.debug){ - dumpFilteredEnvironment() + // Skip all the stages except docs for PR's with asciidoc and md changes only + setEnvVar('ONLY_DOCS', isGitRegionMatch(patterns: [ '.*\\.(asciidoc|md)' ], shouldMatchAll: true).toString()) + setEnvVar('GO_VERSION', readFile(".go-version").trim()) + withEnv(["HOME=${env.WORKSPACE}"]) { + retryWithSleep(retries: 2, seconds: 5){ sh(label: "Install Go ${env.GO_VERSION}", script: '.ci/scripts/install-go.sh') } + } } } } stage('Lint'){ options { skipDefaultCheckout() } environment { - // See https://github.com/elastic/beats/pull/19823 GOFLAGS = '-mod=readonly' } steps { - makeTarget(context: "Lint", target: "check") + withGithubNotify(context: 'Lint') { + withBeatsEnv(archive: true) { + dumpVariables() + cmd(label: 'make check', script: 'make check') + } + } } } - stage('Build and Test'){ + stage('Build&Test') { + options { skipDefaultCheckout() } when { - beforeAgent true - expression { return env.ONLY_DOCS == "false" } - } - failFast false - parallel { - stage('Elastic Agent x-pack'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" - } - } - steps { - mageTarget(context: "Elastic Agent x-pack Linux", directory: "x-pack/elastic-agent", target: "build test") - } - } - stage('Elastic Agent x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Elastic Agent x-pack Windows Unit test", directory: "x-pack/elastic-agent", target: "build unitTest") 
- } - } - stage('Elastic Agent Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Elastic Agent x-pack Mac OS X", directory: "x-pack/elastic-agent", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Filebeat oss'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT != "false" - } - } - steps { - mageTarget(context: "Filebeat oss Linux", directory: "filebeat", target: "build test", withModule: true) - } - } - stage('Filebeat x-pack'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Filebeat x-pack Linux", directory: "x-pack/filebeat", target: "build test", withModule: true) - } - } - stage('Filebeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Filebeat oss Mac OS X", directory: "filebeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Filebeat x-pack Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Filebeat x-pack Mac OS X", directory: "x-pack/filebeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Filebeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - 
return env.BUILD_FILEBEAT != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Filebeat oss Windows Unit test", directory: "filebeat", target: "build unitTest") - } - } - stage('Filebeat x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Filebeat x-pack Windows", directory: "x-pack/filebeat", target: "build unitTest") - } - } - stage('Heartbeat oss'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_HEARTBEAT != "false" - } - } - steps { - mageTarget(context: "Heartbeat oss Linux", directory: "heartbeat", target: "build test") - } - } - stage('Heartbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ON_MACOS != 'false' && env.BUILD_HEARTBEAT != "false" - } - } - steps { - mageTarget(context: "Heartbeat oss Mac OS X", directory: "heartbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Heartbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest && env.BUILD_HEARTBEAT != "false" - } - } - steps { - mageTargetWin(context: "Heartbeat oss Windows Unit test", directory: "heartbeat", target: "build unitTest") - } - } - stage('Auditbeat oss Linux'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" - } - } - steps { - mageTarget(context: "Auditbeat oss Linux", directory: "auditbeat", target: "build test") - } - } - stage('Auditbeat crosscompile'){ - agent { label 'ubuntu-18 && immutable' } - 
options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" - } - } - steps { - makeTarget(context: "Auditbeat oss crosscompile", directory: 'auditbeat', target: "crosscompile") - } - } - stage('Auditbeat oss Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Auditbeat oss Mac OS X", directory: "auditbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Auditbeat oss Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Auditbeat oss Windows Unit test", directory: "auditbeat", target: "build unitTest") - } - } - stage('Auditbeat x-pack'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Auditbeat x-pack Linux", directory: "x-pack/auditbeat", target: "update build test", withModule: true) - } - } - stage('Auditbeat x-pack Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Auditbeat x-pack Mac OS X", directory: "x-pack/auditbeat", target: "build unitTest") - } - } - stage('Auditbeat x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Auditbeat x-pack Windows", 
directory: "x-pack/auditbeat", target: "build unitTest") - } - } - stage('Libbeat'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_LIBBEAT != "false" - } - } - stages { - stage('Libbeat oss'){ - steps { - mageTarget(context: "Libbeat oss Linux", directory: "libbeat", target: "build test") - } - } - stage('Libbeat crosscompile'){ - steps { - makeTarget(context: "Libbeat oss crosscompile", directory: 'libbeat', target: "crosscompile") - } - } - stage('Libbeat stress-tests'){ - steps { - makeTarget(context: "Libbeat stress-tests", target: "STRESS_TEST_OPTIONS='-timeout=20m -race -v -parallel 1' -C libbeat stress-tests") - } - } - } - } - stage('Libbeat x-pack'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_LIBBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Libbeat x-pack Linux", directory: "x-pack/libbeat", target: "build test") - } - } - stage('Metricbeat OSS Unit tests'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - mageTarget(context: "Metricbeat OSS linux/amd64 (unitTest)", directory: "metricbeat", target: "build unitTest") - } - } - stage('Metricbeat OSS Go Integration tests'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - mageTarget(context: "Metricbeat OSS linux/amd64 (goIntegTest)", directory: "metricbeat", target: "goIntegTest", withModule: true) - } - } - stage('Metricbeat OSS Python Integration tests'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - 
mageTarget(context: "Metricbeat OSS linux/amd64 (pythonIntegTest)", directory: "metricbeat", target: "pythonIntegTest", withModule: true) - } - } - stage('Metricbeat x-pack'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT_XPACK != "false" - } - } - stages { - stage('Prepare cloud integration tests environments'){ - options { skipDefaultCheckout() } - steps { - startCloudTestEnv('x-pack-metricbeat', [ - [cond: params.awsCloudTests, dir: 'x-pack/metricbeat/module/aws'], - ]) - } - } - stage('Metricbeat x-pack'){ - options { skipDefaultCheckout() } - steps { - withCloudTestEnv() { - mageTarget(context: "Metricbeat x-pack Linux", directory: "x-pack/metricbeat", target: "build test", withModule: true) - } - } - } - } - post { - cleanup { - terraformCleanup('x-pack-metricbeat', 'x-pack/metricbeat') - } - } - } - stage('Metricbeat crosscompile'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - makeTarget(context: "Metricbeat OSS crosscompile", directory: 'metricbeat', target: "crosscompile") - } - } - stage('Metricbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Metricbeat OSS Mac OS X", directory: "metricbeat", target: "build unitTest") - } - } - stage('Metricbeat x-pack Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' - } - } - steps { - mageTarget(context: "Metricbeat x-pack Mac OS X", directory: "x-pack/metricbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - 
stage('Metricbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Metricbeat Windows Unit test", directory: "metricbeat", target: "build unitTest") - } - } - stage('Metricbeat x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Metricbeat x-pack Windows", directory: "x-pack/metricbeat", target: "build unitTest") - } - } - stage('Packetbeat Linux'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_PACKETBEAT != "false" - } - } - steps { - mageTarget(context: "Packetbeat OSS Linux", directory: "packetbeat", target: "build test") + // Always when running builds on branches/tags + // On a PR basis, skip if changes are only related to docs. 
+ // Always when forcing the input parameter + anyOf { + not { changeRequest() } // If no PR + allOf { // If PR and no docs changes + expression { return env.ONLY_DOCS == "false" } + changeRequest() } + expression { return params.runAllStages } // If UI forced } - stage('Packetbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ON_MACOS != 'false' && env.BUILD_PACKETBEAT != "false" - } - } - steps { - mageTarget(context: "Packetbeat OSS Mac OS X", directory: "packetbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Packetbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest && env.BUILD_PACKETBEAT != "false" - } - } - steps { - mageTargetWin(context: "Packetbeat OSS Windows", directory: "packetbeat", target: "build unitTest") - } - } - stage('dockerlogbeat'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_DOCKERLOGBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Elastic Docker Logging Driver Plugin unit tests", directory: "x-pack/dockerlogbeat", target: "build test") - } - } - stage('Winlogbeat oss'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_WINLOGBEAT != "false" - } - } - steps { - makeTarget(context: "Winlogbeat oss crosscompile", directory: 'winlogbeat', target: "crosscompile") - } - } - stage('Winlogbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest && env.BUILD_WINLOGBEAT != "false" - } - } - steps { - mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "winlogbeat", 
target: "build unitTest") - } - } - stage('Winlogbeat Windows x-pack'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest && env.BUILD_WINLOGBEAT_XPACK != "false" - } - } - steps { - mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "x-pack/winlogbeat", target: "build unitTest", withModule: true) - } - } - stage('Functionbeat x-pack'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FUNCTIONBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Functionbeat x-pack Linux", directory: "x-pack/functionbeat", target: "update build test") - withEnv(["GO_VERSION=1.13.1"]){ - mageTarget(context: "Functionbeat x-pack Linux", directory: "x-pack/functionbeat", target: "testGCPFunctions") - } - } - } - stage('Functionbeat Mac OS X x-pack'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ON_MACOS != 'false' && env.BUILD_FUNCTIONBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Functionbeat x-pack Mac OS X", directory: "x-pack/functionbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Functionbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest && env.BUILD_FUNCTIONBEAT_XPACK != "false" - } - } - steps { - mageTargetWin(context: "Functionbeat Windows Unit test", directory: "x-pack/functionbeat", target: "build unitTest") - } - } - stage('Journalbeat'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_JOURNALBEAT != "false" - } - } - steps { - mageTarget(context: "Journalbeat Linux", directory: "journalbeat", target: 
"build unitTest") - } - } - stage('Generators'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_GENERATOR != "false" - } - } - stages { - stage('Generators Metricbeat Linux'){ - steps { - makeTarget(context: "Generators Metricbeat Linux", directory: 'generator/_templates/metricbeat', target: "test") - makeTarget(context: "Generators Metricbeat Linux", directory: 'generator/_templates/metricbeat', target: "test-package") - } - } - stage('Generators Beat Linux'){ - steps { - makeTarget(context: "Generators Beat Linux", directory: 'generator/_templates/beat', target: "test") - makeTarget(context: "Generators Beat Linux", directory: 'generator/_templates/beat', target: "test-package") + } + steps { + deleteDir() + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") + dir("${BASE_DIR}"){ + script { + def mapParallelTasks = [:] + def content = readYaml(file: 'Jenkinsfile.yml') + content['projects'].each { projectName -> + generateStages(project: projectName, changeset: content['changeset']).each { k,v -> + mapParallelTasks["${k}"] = v } } + parallel(mapParallelTasks) } } - stage('Generators Metricbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ON_MACOS != 'false' && env.BUILD_GENERATOR != "false" - } - } - steps { - makeTarget(context: "Generators Metricbeat Mac OS X", directory: 'generator/_templates/metricbeat', target: "test") - } - post { - always { - delete() - } - } - } - stage('Generators Beat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ON_MACOS != 'false' && env.BUILD_GENERATOR != "false" - } - } - steps { - makeTarget(context: "Generators Beat Mac OS X", directory: 'generator/_templates/beat', target: "test") - } - post { - always { - delete() 
- } - } - } - stage('Kubernetes'){ - agent { label 'ubuntu-18 && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_KUBERNETES != "false" - } - } - steps { - k8sTest(["v1.18.2","v1.17.2","v1.16.4","v1.15.7","v1.14.10"]) + } + post { + always { + dir("${BASE_DIR}"){ + // Archive the markdown files that contain the build reasons + archiveArtifacts(allowEmptyArchive: false, artifacts: 'build-reasons/*.md') } } } 
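Review bot: The `post { always { ... archiveArtifacts(allowEmptyArchive: false, artifacts: 'build-reasons/*.md') } }` block runs when the stage fails before `parallel(mapParallelTasks)` produces anything (a `readYaml` error, or every project filtered out by `beatsWhen`); if the `build-reasons` files are written only by the generated stages, the archive step then fails with "no artifacts found" and that error replaces the real one in the build result. Use `allowEmptyArchive: true`, or guard it with `whenTrue(fileExists('build-reasons'))`. In the `script` block, `mapParallelTasks["${k}"] = v` silently overwrites when two projects yield the same stage key, so `parallel()` would drop a stage without any signal; an `if (mapParallelTasks.containsKey(k)) { error("duplicate stage ${k}") }` before the assignment makes that visible. `generateStages` is defined in the following hunk, outside this one.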
@@ -797,131 +129,158 @@ pipeline { } } -def delete() { - dir("${env.BASE_DIR}") { - fixPermissions("${WORKSPACE}") +/** +* This method is the one used for running the parallel stages, therefore +* its arguments are passed by the beatsStages step. +*/ +def generateStages(Map args = [:]) { + def projectName = args.project + def changeset = args.changeset + def mapParallelStages = [:] + def fileName = "${projectName}/Jenkinsfile.yml" + if (fileExists(fileName)) { + def content = readYaml(file: fileName) + // changesetFunction argument is only required for the top-level when, stage specific when don't need it since it's an aggregation. + if (beatsWhen(project: projectName, content: content?.when, changeset: changeset, changesetFunction: new GetProjectDependencies(steps: this))) { + mapParallelStages = beatsStages(project: projectName, content: content, changeset: changeset, function: new RunCommand(steps: this)) + } + } else { + log(level: 'WARN', text: "${fileName} file does not exist. Please review the top-level Jenkinsfile.yml") } - deleteDir() -} - -def fixPermissions(location) { - sh(label: 'Fix permissions', script: """#!/usr/bin/env bash - source ./dev-tools/common.bash - docker_setup - script/fix_permissions.sh ${location}""", returnStatus: true) + return mapParallelStages } -def makeTarget(Map args = [:]) { - def context = args.context - def target = args.target - def directory = args.get('directory', '') - def clean = args.get('clean', true) - def withModule = args.get('withModule', false) - def directoryFlag = directory.trim() ? 
"-C ${directory}" : '' - withGithubNotify(context: "${context}") { - withBeatsEnv(archive: true, withModule: withModule, directory: directory) { - whenTrue(params.debug) { - dumpFilteredEnvironment() - dumpMage() - } - sh(label: "Make ${target}", script: "make ${directoryFlag} ${target}") - whenTrue(clean) { - fixPermissions("${HOME}") - } +def cloud(Map args = [:]) { + node(args.label) { + startCloudTestEnv(name: args.directory, dirs: args.dirs) + } + withCloudTestEnv() { + try { + target(context: args.context, command: args.command, directory: args.directory, label: args.label, withModule: args.withModule, isMage: true, id: args.id) + } finally { + terraformCleanup(name: args.directory, dir: args.directory) } } } -def mageTarget(Map args = [:]) { - def context = args.context - def directory = args.directory - def target = args.target - def withModule = args.get('withModule', false) - withGithubNotify(context: "${context}") { - withBeatsEnv(archive: true, withModule: withModule, directory: directory) { - whenTrue(params.debug) { - dumpFilteredEnvironment() - dumpMage() - } - - def verboseFlag = params.debug ? 
"-v" : "" - dir(directory) { - sh(label: "Mage ${target}", script: "mage ${verboseFlag} ${target}") +def k8sTest(Map args = [:]) { + def versions = args.versions + node(args.label) { + versions.each{ v -> + stage("${args.context} ${v}"){ + withEnv(["K8S_VERSION=${v}", "KIND_VERSION=v0.7.0", "KUBECONFIG=${env.WORKSPACE}/kubecfg"]){ + withGithubNotify(context: "${args.context} ${v}") { + withBeatsEnv(archive: false, withModule: false) { + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install kind", script: ".ci/scripts/install-kind.sh") } + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install kubectl", script: ".ci/scripts/install-kubectl.sh") } + try { + sh(label: "Setup kind", script: ".ci/scripts/kind-setup.sh") + sh(label: "Integration tests", script: "MODULE=kubernetes make -C metricbeat integration-tests") + sh(label: "Deploy to kubernetes",script: "make -C deploy/kubernetes test") + } finally { + sh(label: 'Delete cluster', script: 'kind delete cluster') + } + } + } + } } } } } -def mageTargetWin(Map args = [:]) { +/** +* This method runs the given command supporting two kind of scenarios: +* - make -C then the dir(location) is not required, aka by disaling isMage: false +* - mage then the dir(location) is required, aka by enabling isMage: true. +*/ +def target(Map args = [:]) { def context = args.context - def directory = args.directory - def target = args.target + def command = args.command + def directory = args.get('directory', '') def withModule = args.get('withModule', false) - withGithubNotify(context: "${context}") { - withBeatsEnvWin(withModule: withModule, directory: directory) { - whenTrue(params.debug) { - dumpFilteredEnvironment() - dumpMageWin() - } - - def verboseFlag = params.debug ? 
"-v" : "" - dir(directory) { - bat(label: "Mage ${target}", script: "mage ${verboseFlag} ${target}") + def isMage = args.get('isMage', false) + node(args.label) { + withGithubNotify(context: "${context}") { + withBeatsEnv(archive: true, withModule: withModule, directory: directory, id: args.id) { + dumpVariables() + // make commands use -C while mage commands require the dir(folder) + // let's support this scenario with the location variable. + dir(isMage ? directory : '') { + cmd(label: "${command}", script: "${command}") + } } } } } -def getModulePattern(String toCompare) { - // Use contains to support the makeTarget(target: '-C ') while mageTarget(directory: '') - return (toCompare.contains('x-pack') ? env.XPACK_MODULE_PATTERN : env.OSS_MODULE_PATTERN) -} - +/** +* This method wraps all the environment setup and pre-requirements to run any commands. +*/ def withBeatsEnv(Map args = [:], Closure body) { def archive = args.get('archive', true) def withModule = args.get('withModule', false) def directory = args.get('directory', '') - def modulePattern - if (withModule) { - modulePattern = getModulePattern(directory) + + def goRoot, path, magefile, pythonEnv, testResults, artifacts + + if(isUnix()) { + goRoot = "${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${nodeOS()}.amd64" + path = "${env.WORKSPACE}/bin:${goRoot}/bin:${env.PATH}" + magefile = "${WORKSPACE}/.magefile" + pythonEnv = "${WORKSPACE}/python-env" + testResults = '**/build/TEST*.xml' + artifacts = '**/build/TEST*.out' + } else { + def chocoPath = 'C:\\ProgramData\\chocolatey\\bin' + def chocoPython3Path = 'C:\\Python38;C:\\Python38\\Scripts' + goRoot = "${env.USERPROFILE}\\.gvm\\versions\\go${GO_VERSION}.windows.amd64" + path = "${env.WORKSPACE}\\bin;${goRoot}\\bin;${chocoPath};${chocoPython3Path};${env.PATH}" + magefile = "${env.WORKSPACE}\\.magefile" + testResults = "**\\build\\TEST*.xml" + artifacts = "**\\build\\TEST*.out" } - def os = goos() - def goRoot = 
"${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${os}.amd64" deleteDir() unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") - // NOTE: This is required to run after the unstash - def module = withModule ? getCommonModuleInTheChangeSet(modulePattern, directory) : '' - + def module = withModule ? getCommonModuleInTheChangeSet(directory) : '' withEnv([ - "HOME=${env.WORKSPACE}", + "DOCKER_PULL=0", "GOPATH=${env.WORKSPACE}", "GOROOT=${goRoot}", - "PATH=${env.WORKSPACE}/bin:${goRoot}/bin:${env.PATH}", - "MAGEFILE_CACHE=${WORKSPACE}/.magefile", - "TEST_COVERAGE=true", + "HOME=${env.WORKSPACE}", + "MAGEFILE_CACHE=${magefile}", + "MODULE=${module}", + "PATH=${path}", + "PYTHON_ENV=${pythonEnv}", "RACE_DETECTOR=true", - "PYTHON_ENV=${WORKSPACE}/python-env", - "TEST_TAGS=${env.TEST_TAGS},oracle", - "DOCKER_PULL=0", - "MODULE=${module}" + "TEST_COVERAGE=true", + "TEST_TAGS=${env.TEST_TAGS},oracle" ]) { - if(isDockerInstalled()){ + if(isDockerInstalled()) { dockerLogin(secret: "${DOCKERELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") } dir("${env.BASE_DIR}") { installTools() - // TODO (2020-04-07): This is a work-around to fix the Beat generator tests. - // See https://github.com/elastic/beats/issues/17787. - setGitConfig() + if(isUnix()) { + // TODO (2020-04-07): This is a work-around to fix the Beat generator tests. + // See https://github.com/elastic/beats/issues/17787. + sh(label: 'check git config', script: ''' + if [ -z "$(git config --get user.email)" ]; then + git config user.email "beatsmachine@users.noreply.github.com" + git config user.name "beatsmachine" + fi''') + } try { - if(!params.dry_run){ - body() - } + body() } finally { if (archive) { - archiveTestOutput(testResults: '**/build/TEST*.xml', artifacts: '**/build/TEST*.out') + archiveTestOutput(testResults: testResults, artifacts: artifacts, id: args.id) + } + // Tear down the setup for the permamnent workers. 
+ catchError(buildResult: 'SUCCESS', stageResult: 'SUCCESS') { + fixPermissions("${WORKSPACE}") + deleteDir() } } } 
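Review bot: In withBeatsEnv the Windows branch of the `if(isUnix())` block never assigns `pythonEnv`, so the `"PYTHON_ENV=${pythonEnv}"` entry handed to withEnv becomes the literal `PYTHON_ENV=null` on Windows workers (a GString renders an unassigned variable as `null`), whereas the removed withBeatsEnvWin did not set that variable at all. Either assign it in the else branch, `pythonEnv = "${env.WORKSPACE}\\python-env"`, or only add the entry when it is non-null. Separately, in `cloud` the `node(args.label)` block closes right after startCloudTestEnv, so the `terraformCleanup` call in the `finally` runs with no workspace context; terraformCleanup reaches withBeatsEnv, which calls `deleteDir()` and unstashV2, so unless withCloudTestEnv allocates a node (its body is outside this hunk) the cleanup will fail on a missing FilePath context. Running it as `node(args.label) { terraformCleanup(name: args.directory, dir: args.directory) }` mirrors how the setup half is executed.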
@@ -929,8 +288,57 @@ def withBeatsEnv(Map args = [:], Closure body) { } /** - This method archives and report the tests output, for such, it searches in certain folders - to bypass some issues when working with big repositories. +* This method fixes the filesystem permissions after the build has happenend. The reason is to +* ensure any non-ephemeral workers don't have any leftovers that could cause some environmental +* issues. +*/ +def fixPermissions(location) { + if(isUnix()) { + sh(label: 'Fix permissions', script: """#!/usr/bin/env bash + set +x + source ./dev-tools/common.bash + docker_setup + script/fix_permissions.sh ${location}""", returnStatus: true) + } +} + +/** +* This method installs the required dependencies that are for some reason not available in the +* CI Workers. +*/ +def installTools() { + if(isUnix()) { + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install Go/Mage/Python/Docker/Terraform ${GO_VERSION}", script: '.ci/scripts/install-tools.sh') } + } else { + retryWithSleep(retries: 2, seconds: 5, backoff: true){ bat(label: "Install Go/Mage/Python ${GO_VERSION}", script: ".ci/scripts/install-tools.bat") } + } +} + +/** +* This method gathers the module name, if required, in order to run the ITs only if +* the changeset affects a specific module. +* +* For such, it's required to look for changes under the module folder and exclude anything else +* such as asciidoc and png files. +*/ +def getCommonModuleInTheChangeSet(String directory) { + // Use contains to support the target(target: 'make -C ') while target(directory: '', target: '...') + def pattern = (directory.contains('x-pack') ? 
env.XPACK_MODULE_PATTERN : env.OSS_MODULE_PATTERN) + def module = '' + + // Transform folder structure in regex format since path separator is required to be escaped + def transformedDirectory = directory.replaceAll('/', '\\/') + def directoryExclussion = "((?!^${transformedDirectory}\\/).)*\$" + def exclude = "^(${directoryExclussion}|((?!\\/module\\/).)*\$|.*\\.asciidoc|.*\\.png)" + dir("${env.BASE_DIR}") { + module = getGitMatchingGroup(pattern: pattern, exclude: exclude) + } + return module +} + +/** +* This method archives and report the tests output, for such, it searches in certain folders +* to bypass some issues when working with big repositories. */ def archiveTestOutput(Map args = [:]) { catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { 
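Review bot: The explanatory comment inside getCommonModuleInTheChangeSet still refers to `target(target: 'make -C ')` and `target(directory: '', target: '...')`, but the new target step takes `command:` (plus `isMage:`) and has no `target:` argument, so the comment documents a parameter that no longer exists; suggested wording: `// Use contains so both 'make -C <dir> ...' commands and mage commands run via dir(<dir>) select the same pattern`. In fixPermissions, `${location}` is interpolated into the bash script unquoted and the exit status returned by `returnStatus: true` is discarded; quoting it, `script/fix_permissions.sh "${location}"`, keeps a workspace path containing spaces from word-splitting, and logging a non-zero status with `log(level: 'WARN', ...)` keeps the best-effort behaviour while leaving a trace when the cleanup silently fails. The `happenend` in the fixPermissions javadoc should read `happened`.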
@@ -939,222 +347,24 @@ def archiveTestOutput(Map args = [:]) { } cmd(label: 'Prepare test output', script: 'python .ci/scripts/pre_archive_test.py') dir('build') { - junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: args.testResults, stashedTestReports: stashedTestReports, id: env.STAGE_NAME) + junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: args.testResults, stashedTestReports: stashedTestReports, id: args.id) archiveArtifacts(allowEmptyArchive: true, artifacts: args.artifacts) } catchError(buildResult: 'SUCCESS', message: 'Failed to archive the build test results', stageResult: 'SUCCESS') { def folder = cmd(label: 'Find system-tests', returnStdout: true, script: 'python .ci/scripts/search_system_tests.py').trim() log(level: 'INFO', text: "system-tests='${folder}'. If no empty then let's create a tarball") if (folder.trim()) { - def name = folder.replaceAll('/', '-').replaceAll('\\\\', '-').replaceAll('build', '').replaceAll('^-', '') + '-' + goos() + def name = folder.replaceAll('/', '-').replaceAll('\\\\', '-').replaceAll('build', '').replaceAll('^-', '') + '-' + nodeOS() tar(file: "${name}.tgz", archive: true, dir: folder) } } } } -def withBeatsEnvWin(Map args = [:], Closure body) { - def withModule = args.get('withModule', false) - def directory = args.get('directory', '') - def modulePattern - if (withModule) { - modulePattern = getModulePattern(directory) - } - final String chocoPath = 'C:\\ProgramData\\chocolatey\\bin' - final String chocoPython3Path = 'C:\\Python38;C:\\Python38\\Scripts' - def goRoot = "${env.USERPROFILE}\\.gvm\\versions\\go${GO_VERSION}.windows.amd64" - - deleteDir() - unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") - - // NOTE: This is required to run after the unstash - def module = withModule ? 
getCommonModuleInTheChangeSet(modulePattern, directory) : '' - - withEnv([ - "HOME=${env.WORKSPACE}", - "GOPATH=${env.WORKSPACE}", - "GOROOT=${goRoot}", - "PATH=${env.WORKSPACE}\\bin;${goRoot}\\bin;${chocoPath};${chocoPython3Path};${env.PATH}", - "MAGEFILE_CACHE=${env.WORKSPACE}\\.magefile", - "TEST_COVERAGE=true", - "RACE_DETECTOR=true", - "MODULE=${module}" - ]){ - dir("${env.BASE_DIR}"){ - installTools() - try { - if(!params.dry_run){ - body() - } - } finally { - archiveTestOutput(testResults: "**\\build\\TEST*.xml", artifacts: "**\\build\\TEST*.out") - } - } - } -} - -def installTools() { - def i = 2 // Number of retries - if(isUnix()) { - retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install Go ${GO_VERSION}", script: ".ci/scripts/install-go.sh") } - retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install docker-compose ${DOCKER_COMPOSE_VERSION}", script: ".ci/scripts/install-docker-compose.sh") } - retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install Terraform ${TERRAFORM_VERSION}", script: ".ci/scripts/install-terraform.sh") } - retryWithSleep(retries: i, seconds: 5, backoff: true){ sh(label: "Install Mage", script: "make mage") } - } else { - // Install python3 with the specific step, even though install-tools.bat will verify if it's there anyway. - // TODO: as soon as python3 is installed in the CI Workers we will be able to remove the line below. 
- retryWithSleep(retries: i, seconds: 5, backoff: true){ installTools([ [tool: 'python3', version: '3.8', exclude: 'rc'] ]) } - retryWithSleep(retries: i, seconds: 5, backoff: true){ bat(label: "Install Go/Mage/Python ${GO_VERSION}", script: ".ci/scripts/install-tools.bat") } - } -} - -def goos(){ - def labels = env.NODE_LABELS - - if (labels.contains('linux')) { - return 'linux' - } else if (labels.contains('windows')) { - return 'windows' - } else if (labels.contains('darwin')) { - return 'darwin' - } - - error("Unhandled OS name in NODE_LABELS: " + labels) -} - -def dumpMage(){ - echo "### MAGE DUMP ###" - sh(label: "Dump mage variables", script: "mage dumpVariables") - echo "### END MAGE DUMP ###" -} - -def dumpMageWin(){ - echo "### MAGE DUMP ###" - bat(label: "Dump mage variables", script: "mage dumpVariables") - echo "### END MAGE DUMP ###" -} - -def dumpFilteredEnvironment(){ - echo "### ENV DUMP ###" - echo "PATH: ${env.PATH}" - echo "HOME: ${env.HOME}" - echo "USERPROFILE: ${env.USERPROFILE}" - echo "BUILD_DIR: ${env.BUILD_DIR}" - echo "COVERAGE_DIR: ${env.COVERAGE_DIR}" - echo "BEATS: ${env.BEATS}" - echo "PROJECTS: ${env.PROJECTS}" - echo "PROJECTS_ENV: ${env.PROJECTS_ENV}" - echo "PYTHON_ENV: ${env.PYTHON_ENV}" - echo "PYTHON_EXE: ${env.PYTHON_EXE}" - echo "PYTHON_ENV_EXE: ${env.PYTHON_ENV_EXE}" - echo "VENV_PARAMS: ${env.VENV_PARAMS}" - echo "FIND: ${env.FIND}" - echo "GOLINT: ${env.GOLINT}" - echo "GOLINT_REPO: ${env.GOLINT_REPO}" - echo "REVIEWDOG: ${env.REVIEWDOG}" - echo "REVIEWDOG_OPTIONS: ${env.REVIEWDOG_OPTIONS}" - echo "REVIEWDOG_REPO: ${env.REVIEWDOG_REPO}" - echo "XPACK_SUFFIX: ${env.XPACK_SUFFIX}" - echo "PKG_BUILD_DIR: ${env.PKG_BUILD_DIR}" - echo "PKG_UPLOAD_DIR: ${env.PKG_UPLOAD_DIR}" - echo "COVERAGE_TOOL: ${env.COVERAGE_TOOL}" - echo "COVERAGE_TOOL_REPO: ${env.COVERAGE_TOOL_REPO}" - echo "TESTIFY_TOOL_REPO: ${env.TESTIFY_TOOL_REPO}" - echo "NOW: ${env.NOW}" - echo "GOBUILD_FLAGS: ${env.GOBUILD_FLAGS}" - echo "GOIMPORTS: 
${env.GOIMPORTS}" - echo "GOIMPORTS_REPO: ${env.GOIMPORTS_REPO}" - echo "GOIMPORTS_LOCAL_PREFIX: ${env.GOIMPORTS_LOCAL_PREFIX}" - echo "PROCESSES: ${env.PROCESSES}" - echo "TIMEOUT: ${env.TIMEOUT}" - echo "PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES}" - echo "PYTEST_ADDOPTS: ${env.PYTEST_ADDOPTS}" - echo "PYTEST_OPTIONS: ${env.PYTEST_OPTIONS}" - echo "TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT}" - echo "SYSTEM_TESTS: ${env.SYSTEM_TESTS}" - echo "STRESS_TESTS: ${env.STRESS_TESTS}" - echo "STRESS_TEST_OPTIONS: ${env.STRESS_TEST_OPTIONS}" - echo "TEST_TAGS: ${env.TEST_TAGS}" - echo "GOX_OS: ${env.GOX_OS}" - echo "GOX_OSARCH: ${env.GOX_OSARCH}" - echo "GOX_FLAGS: ${env.GOX_FLAGS}" - echo "TESTING_ENVIRONMENT: ${env.TESTING_ENVIRONMENT}" - echo "BEAT_VERSION: ${env.BEAT_VERSION}" - echo "COMMIT_ID: ${env.COMMIT_ID}" - echo "DOCKER_COMPOSE_PROJECT_NAME: ${env.DOCKER_COMPOSE_PROJECT_NAME}" - echo "DOCKER_COMPOSE: ${env.DOCKER_COMPOSE}" - echo "DOCKER_CACHE: ${env.DOCKER_CACHE}" - echo "GOPACKAGES_COMMA_SEP: ${env.GOPACKAGES_COMMA_SEP}" - echo "PIP_INSTALL_PARAMS: ${env.PIP_INSTALL_PARAMS}" - echo "### END ENV DUMP ###" -} - -def k8sTest(versions){ - versions.each{ v -> - stage("k8s ${v}"){ - withEnv(["K8S_VERSION=${v}", "KIND_VERSION=v0.7.0", "KUBECONFIG=${env.WORKSPACE}/kubecfg"]){ - withGithubNotify(context: "K8s ${v}") { - withBeatsEnv(archive: false, withModule: false) { - sh(label: "Install kind", script: ".ci/scripts/install-kind.sh") - sh(label: "Install kubectl", script: ".ci/scripts/install-kubectl.sh") - sh(label: "Setup kind", script: ".ci/scripts/kind-setup.sh") - sh(label: "Integration tests", script: "MODULE=kubernetes make -C metricbeat integration-tests") - sh(label: "Deploy to kubernetes",script: "make -C deploy/kubernetes test") - sh(label: 'Delete cluster', script: 'kind delete cluster') - } - } - } - } - } -} - /** -* isChanged treats the patterns as regular expressions. In order to check if -* any file in a directoy is modified use `^/.*`. 
-* -* In addition, there are another two alternatives to report that there are -* changes, when `runAllStages` parameter is set to true or when running on a -* branch/tag basis. +* This method executes a closure with credentials for cloud test +* environments. */ -def isChanged(patterns){ - return ( - params.runAllStages // when runAllStages UI parameter is set to true - || !isPR() // when running on a branch/tag - || isGitRegionMatch(patterns: patterns, comparator: 'regexp') - ) -} - -def isChangedOSSCode(patterns) { - def allPatterns = [ - "^Jenkinsfile", - "^go.mod", - "^pytest.ini", - "^libbeat/.*", - "^testing/.*", - "^dev-tools/.*", - "^\\.ci/scripts/.*", - ] - allPatterns.addAll(patterns) - return isChanged(allPatterns) -} - -def isChangedXPackCode(patterns) { - def allPatterns = [ - "^Jenkinsfile", - "^go.mod", - "^pytest.ini", - "^libbeat/.*", - "^dev-tools/.*", - "^testing/.*", - "^x-pack/libbeat/.*", - "^\\.ci/scripts/.*", - ] - allPatterns.addAll(patterns) - return isChanged(allPatterns) -} - -// withCloudTestEnv executes a closure with credentials for cloud test -// environments. def withCloudTestEnv(Closure body) { def maskedVars = [] def testTags = "${env.TEST_TAGS}" 
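Review bot: archiveTestOutput now passes `id: args.id` straight to junitAndStore, but its only caller, withBeatsEnv, just forwards whatever `id` it was given, so a withBeatsEnv caller that keeps archiving enabled and omits `id` stores the report under a null id where it previously used `env.STAGE_NAME`; a fallback keeps the old behaviour for those callers: `id: args.get('id', env.STAGE_NAME)`. The same hunk replaces the deleted `goos()` with `nodeOS()`, which is not defined anywhere in this file and is also relied on by withBeatsEnv; if it comes from the shared pipeline library, a short comment naming that source at its first use would save the next reader a search.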
@@ -1185,58 +395,60 @@ def withCloudTestEnv(Closure body) { } } -def terraformInit(String directory) { - dir(directory) { - sh(label: "Terraform Init on ${directory}", script: "terraform init") - } -} - -def terraformApply(String directory) { - terraformInit(directory) - dir(directory) { - sh(label: "Terraform Apply on ${directory}", script: "terraform apply -auto-approve") - } -} - -// Start testing environment on cloud using terraform. Terraform files are -// stashed so they can be used by other stages. They are also archived in -// case manual cleanup is needed. -// -// Example: -// startCloudTestEnv('x-pack-metricbeat', [ -// [cond: params.awsCloudTests, dir: 'x-pack/metricbeat/module/aws'], -// ]) -// ... -// terraformCleanup('x-pack-metricbeat', 'x-pack/metricbeat') -def startCloudTestEnv(String name, environments = []) { - withCloudTestEnv() { - withBeatsEnv(archive: false, withModule: false) { - def runAll = params.runAllCloudTests - try { - for (environment in environments) { - if (environment.cond || runAll) { +/** +* Start testing environment on cloud using terraform. Terraform files are +* stashed so they can be used by other stages. They are also archived in +* case manual cleanup is needed. +* +* Example: +* startCloudTestEnv(name: 'x-pack-metricbeat', dirs: ['x-pack/metricbeat/module/aws']) +* ... +* terraformCleanup(name: 'x-pack-metricbeat', dir: 'x-pack/metricbeat') +*/ +def startCloudTestEnv(Map args = [:]) { + String name = normalise(args.name) + def dirs = args.get('dirs',[]) + stage("${name}-prepare-cloud-env"){ + withCloudTestEnv() { + withBeatsEnv(archive: false, withModule: false) { + try { + for (folder in dirs) { retryWithSleep(retries: 2, seconds: 5, backoff: true){ - terraformApply(environment.dir) + terraformApply(folder) } } + } finally { + // Archive terraform states in case manual cleanup is needed. 
+ archiveArtifacts(allowEmptyArchive: true, artifacts: '**/terraform.tfstate') } - } finally { - // Archive terraform states in case manual cleanup is needed. - archiveArtifacts(allowEmptyArchive: true, artifacts: '**/terraform.tfstate') + stash(name: "terraform-${name}", allowEmpty: true, includes: '**/terraform.tfstate,**/.terraform/**') } - stash(name: "terraform-${name}", allowEmpty: true, includes: '**/terraform.tfstate,**/.terraform/**') } } } +/** +* Run terraform in the given directory +*/ +def terraformApply(String directory) { + terraformInit(directory) + dir(directory) { + sh(label: "Terraform Apply on ${directory}", script: "terraform apply -auto-approve") + } +} -// Looks for all terraform states in directory and runs terraform destroy for them, -// it uses terraform states previously stashed by startCloudTestEnv. -def terraformCleanup(String stashName, String directory) { - stage("Remove cloud scenarios in ${directory}"){ +/** +* Tear down the terraform environments, by looking for all terraform states in directory +* then it runs terraform destroy for each one. +* It uses terraform states previously stashed by startCloudTestEnv. +*/ +def terraformCleanup(Map args = [:]) { + String name = normalise(args.name) + String directory = args.dir + stage("${name}-tear-down-cloud-env"){ withCloudTestEnv() { withBeatsEnv(archive: false, withModule: false) { - unstash("terraform-${stashName}") + unstash("terraform-${name}") retryWithSleep(retries: 2, seconds: 5, backoff: true) { sh(label: "Terraform Cleanup", script: ".ci/scripts/terraform-cleanup.sh ${directory}") } 
@@ -1245,151 +457,138 @@ def terraformCleanup(String stashName, String directory) { } } -def loadConfigEnvVars(){ - def empty = [] - env.GO_VERSION = readFile(".go-version").trim() - - withEnv(["HOME=${env.WORKSPACE}"]) { - retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install Go ${env.GO_VERSION}", script: ".ci/scripts/install-go.sh") } +/** +* Prepare the terraform context in the given directory +*/ +def terraformInit(String directory) { + dir(directory) { + sh(label: "Terraform Init on ${directory}", script: "terraform init") } - - // Libbeat is the core framework of Beats. It has no additional dependencies - // on other projects in the Beats repository. - env.BUILD_LIBBEAT = isChangedOSSCode(empty) - env.BUILD_LIBBEAT_XPACK = isChangedXPackCode(empty) - - // Auditbeat depends on metricbeat as framework, but does not include any of - // the modules from Metricbeat. - // The Auditbeat x-pack build contains all functionality from OSS Auditbeat. - env.BUILD_AUDITBEAT = isChangedOSSCode(getProjectDependencies('auditbeat')) - env.BUILD_AUDITBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/auditbeat')) - - // Dockerlogbeat is a standalone Beat that only relies on libbeat. - env.BUILD_DOCKERLOGBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/dockerlogbeat')) - - // Filebeat depends on libbeat only. - // The Filebeat x-pack build contains all functionality from OSS Filebeat. - env.BUILD_FILEBEAT = isChangedOSSCode(getProjectDependencies('filebeat')) - env.BUILD_FILEBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/filebeat')) - - // Metricbeat depends on libbeat only. - // The Metricbeat x-pack build contains all functionality from OSS Metricbeat. - env.BUILD_METRICBEAT = isChangedOSSCode(getProjectDependencies('metricbeat')) - env.BUILD_METRICBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/metricbeat')) - - // Functionbeat is a standalone beat that depends on libbeat only. 
- // Functionbeat is available as x-pack build only. - env.BUILD_FUNCTIONBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/functionbeat')) - - // Heartbeat depends on libbeat only. - // The Heartbeat x-pack build contains all functionality from OSS Heartbeat. - env.BUILD_HEARTBEAT = isChangedOSSCode(getProjectDependencies('heartbeat')) - env.BUILD_HEARTBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/heartbeat')) - - // Journalbeat depends on libbeat only. - // The Journalbeat x-pack build contains all functionality from OSS Journalbeat. - env.BUILD_JOURNALBEAT = isChangedOSSCode(getProjectDependencies('journalbeat')) - env.BUILD_JOURNALBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/journalbeat')) - - // Packetbeat depends on libbeat only. - // The Packetbeat x-pack build contains all functionality from OSS Packetbeat. - env.BUILD_PACKETBEAT = isChangedOSSCode(getProjectDependencies('packetbeat')) - env.BUILD_PACKETBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/packetbeat')) - - // Winlogbeat depends on libbeat only. - // The Winlogbeat x-pack build contains all functionality from OSS Winlogbeat. - env.BUILD_WINLOGBEAT = isChangedOSSCode(getProjectDependencies('winlogbeat')) - env.BUILD_WINLOGBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/winlogbeat')) - - // Elastic-agent is a self-contained product, that depends on libbeat only. - // The agent acts as a supervisor for other Beats like Filebeat or Metricbeat. - // The agent is available as x-pack build only. - env.BUILD_ELASTIC_AGENT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/elastic-agent')) - - // The Kubernetes test use Filebeat and Metricbeat, but only need to be run - // if the deployment scripts have been updated. No Beats specific testing is - // involved. 
- env.BUILD_KUBERNETES = isChanged(["^deploy/kubernetes/.*"]) - - def generatorPatterns = ['^generator/.*'] - generatorPatterns.addAll(getProjectDependencies('generator/common/beatgen')) - generatorPatterns.addAll(getProjectDependencies('metricbeat/beater')) - env.BUILD_GENERATOR = isChangedOSSCode(generatorPatterns) - - // Skip all the stages for changes only related to the documentation - env.ONLY_DOCS = isDocChangedOnly() - - // Enable macOS builds when required - env.BUILD_ON_MACOS = (params.macosTest // UI Input parameter is set to true - || !isPR() // For branches and tags - || matchesPrLabel(label: 'macOS') // If `macOS` GH label (Case-Sensitive) - || (env.GITHUB_COMMENT?.toLowerCase()?.contains('/test macos'))) // If `/test macos` in the GH comment (Case-Insensitive) } /** - This method gathers the module name, if required, in order to run the ITs only if - the changeset affects a specific module. - - For such, it's required to look for changes under the module folder and exclude anything else - such as ascidoc and png files. +* Replace the slashes in the directory in case there are nested folders. */ -def getCommonModuleInTheChangeSet(String pattern, String directory) { - def module = '' - // Transform folder structure in regex format since path separator is required to be escaped - def transformedDirectory = directory.replaceAll('/', '\\/') - def directoryExclussion = "((?!^${transformedDirectory}\\/).)*\$" - def exclude = "^(${directoryExclussion}|((?!\\/module\\/).)*\$|.*\\.asciidoc|.*\\.png)" - dir("${env.BASE_DIR}") { - module = getGitMatchingGroup(pattern: pattern, exclude: exclude) - } - return module +def normalise(String directory) { + return directory.replaceAll("[\\W]|_",'-') } /** - This method verifies if the changeset for the current pull request affect only changes related - to documentation, such as asciidoc and png files. +* For debugging purposes. 
*/ -def isDocChangedOnly(){ - if (params.runAllStages || !env.CHANGE_ID?.trim()) { - log(level: 'INFO', text: 'Speed build for docs only is disabled for branches/tags or when forcing with the runAllStages parameter.') - return 'false' +def dumpVariables(){ + echo "### MAGE DUMP ###" + cmd(label: 'Dump mage variables', script: 'mage dumpVariables') + echo "### END MAGE DUMP ###" + echo """ + ### ENV DUMP ### + BEAT_VERSION: ${env.BEAT_VERSION} + BEATS: ${env.BEATS} + BUILD_DIR: ${env.BUILD_DIR} + COMMIT_ID: ${env.COMMIT_ID} + COVERAGE_DIR: ${env.COVERAGE_DIR} + COVERAGE_TOOL: ${env.COVERAGE_TOOL} + COVERAGE_TOOL_REPO: ${env.COVERAGE_TOOL_REPO} + DOCKER_CACHE: ${env.DOCKER_CACHE} + DOCKER_COMPOSE_PROJECT_NAME: ${env.DOCKER_COMPOSE_PROJECT_NAME} + DOCKER_COMPOSE: ${env.DOCKER_COMPOSE} + FIND: ${env.FIND} + GOBUILD_FLAGS: ${env.GOBUILD_FLAGS} + GOIMPORTS: ${env.GOIMPORTS} + GOIMPORTS_REPO: ${env.GOIMPORTS_REPO} + GOIMPORTS_LOCAL_PREFIX: ${env.GOIMPORTS_LOCAL_PREFIX} + GOLINT: ${env.GOLINT} + GOLINT_REPO: ${env.GOLINT_REPO} + GOPACKAGES_COMMA_SEP: ${env.GOPACKAGES_COMMA_SEP} + GOX_FLAGS: ${env.GOX_FLAGS} + GOX_OS: ${env.GOX_OS} + GOX_OSARCH: ${env.GOX_OSARCH} + HOME: ${env.HOME} + NOSETESTS_OPTIONS: ${env.NOSETESTS_OPTIONS} + NOW: ${env.NOW} + PATH: ${env.PATH} + PKG_BUILD_DIR: ${env.PKG_BUILD_DIR} + PKG_UPLOAD_DIR: ${env.PKG_UPLOAD_DIR} + PIP_INSTALL_PARAMS: ${env.PIP_INSTALL_PARAMS} + PROJECTS: ${env.PROJECTS} + PROJECTS_ENV: ${env.PROJECTS_ENV} + PYTHON_ENV: ${env.PYTHON_ENV} + PYTHON_ENV_EXE: ${env.PYTHON_ENV_EXE} + PYTHON_EXE: ${env.PYTHON_EXE} + PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES} + PROCESSES: ${env.PROCESSES} + REVIEWDOG: ${env.REVIEWDOG} + REVIEWDOG_OPTIONS: ${env.REVIEWDOG_OPTIONS} + REVIEWDOG_REPO: ${env.REVIEWDOG_REPO} + STRESS_TESTS: ${env.STRESS_TESTS} + STRESS_TEST_OPTIONS: ${env.STRESS_TEST_OPTIONS} + SYSTEM_TESTS: ${env.SYSTEM_TESTS} + TESTIFY_TOOL_REPO: ${env.TESTIFY_TOOL_REPO} + TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT} + TEST_TAGS: 
${env.TEST_TAGS} + TESTING_ENVIRONMENT: ${env.TESTING_ENVIRONMENT} + TIMEOUT: ${env.TIMEOUT} + USERPROFILE: ${env.USERPROFILE} + VENV_PARAMS: ${env.VENV_PARAMS} + XPACK_SUFFIX: ${env.XPACK_SUFFIX} + ### END ENV DUMP ### + """ +} + +def isDockerInstalled(){ + if (isUnix()) { + // TODO: some issues with macosx if(isInstalled(tool: 'docker', flag: '--version')) { + return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) } else { - log(level: "INFO", text: 'Check if the speed build for docs is enabled.') - return isGitRegionMatch(patterns: ['.*\\.(asciidoc|png)'], shouldMatchAll: true) + return false } } /** - This method grab the dependencies of a Go module and transform them on regexp +* This class is the one used for running the parallel stages, therefore +* its arguments are passed by the beatsStages step. +* +* What parameters/arguments are supported: +* - label -> the worker labels +* - project -> the name of the project that should match with the folder name. +* - content -> the specific stage data in the /Jenkinsfile.yml +* - context -> the name of the stage, normally -(-)? 
*/ -def getProjectDependencies(beatName){ - def os = goos() - def goRoot = "${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${os}.amd64" - def output = "" - - withEnv([ - "HOME=${env.WORKSPACE}/${env.BASE_DIR}", - "PATH=${env.WORKSPACE}/bin:${goRoot}/bin:${env.PATH}", - ]) { - output = sh(label: 'Get vendor dependency patterns', returnStdout: true, script: """ - go list -deps ./${beatName} \ - | grep 'elastic/beats' \ - | sed -e "s#github.com/elastic/beats/v7/##g" \ - | awk '{print "^" \$1 "/.*"}' - """) +class RunCommand extends co.elastic.beats.BeatsFunction { + public RunCommand(Map args = [:]){ + super(args) + } + public run(Map args = [:]){ + def withModule = args.content.get('withModule', false) + if(args?.content?.containsKey('make')) { + steps.target(context: args.context, command: args.content.make, directory: args.project, label: args.label, withModule: withModule, isMage: false, id: args.id) + } + if(args?.content?.containsKey('mage')) { + steps.target(context: args.context, command: args.content.mage, directory: args.project, label: args.label, withModule: withModule, isMage: true, id: args.id) + } + if(args?.content?.containsKey('k8sTest')) { + steps.k8sTest(context: args.context, versions: args.content.k8sTest.split(','), label: args.label, id: args.id) + } + if(args?.content?.containsKey('cloud')) { + steps.cloud(context: args.context, command: args.content.cloud, directory: args.project, label: args.label, withModule: withModule, dirs: args.content.dirs, id: args.id) + } } - return output?.split('\n').collect{ item -> item as String } -} - -def setGitConfig(){ - sh(label: 'check git config', script: ''' - if [ -z "$(git config --get user.email)" ]; then - git config user.email "beatsmachine@users.noreply.github.com" - git config user.name "beatsmachine" - fi - ''') } -def isDockerInstalled(){ - return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) +/** +* This class retrieves the dependencies of a Go module for such it 
transforms them in a +* regex pattern. +*/ +class GetProjectDependencies extends co.elastic.beats.BeatsFunction { + public GetProjectDependencies(Map args = [:]){ + super(args) + } + public run(Map args = [:]){ + def output = "" + steps.withEnv(["HOME=${steps.env.WORKSPACE}"]) { + output = steps.sh(label: 'Get vendor dependency patterns', returnStdout: true, + script: ".ci/scripts/get-vendor-dependencies.sh ${args.project}") + } + return output?.split('\n').collect{ item -> item as String } + } } diff --git a/Jenkinsfile.yml b/Jenkinsfile.yml new file mode 100644 index 00000000000..2f720bf055b --- /dev/null +++ b/Jenkinsfile.yml @@ -0,0 +1,47 @@ +projects: + - "auditbeat" + - "deploy/kubernetes" + - "filebeat" + - "generator" + - "heartbeat" + - "journalbeat" + - "libbeat" + - "metricbeat" + - "packetbeat" + - "winlogbeat" + - "x-pack/auditbeat" + - "x-pack/dockerlogbeat" + - "x-pack/elastic-agent" + - "x-pack/filebeat" + - "x-pack/functionbeat" + - "x-pack/libbeat" + - "x-pack/metricbeat" + - "x-pack/winlogbeat" + ##- "x-pack/heartbeat" It's not yet in the 1.0 pipeline. + ##- "x-pack/journalbeat" It's not yet in the 1.0 pipeline. + ##- "x-pack/packetbeat" It's not yet in the 1.0 pipeline. + +## Changeset macros that are defined here and used in each specific 2.0 pipeline. +changeset: + ci: + - "^Jenkinsfile" + - "^\\.ci/scripts/.*" + oss: + - "^go.mod" + - "^dev-tools/.*" + - "^libbeat/.*" + - "^testing/.*" + xpack: + - "^go.mod" + - "^dev-tools/.*" + - "^libbeat/.*" + - "^testing/.*" + - "^x-pack/libbeat/.*" + +## Proposal +## TBC: This will allow to configure what to do based on the PR configuration +disabled: + when: + labels: ## Skip the GitHub Pull Request builds if there is a GitHub label match + - "skip-ci" + draft: true ## Skip the GitHub Pull Request builds with Draft PRs. diff --git a/README.md b/README.md index 28965e1734c..28fbe081d04 100644 --- a/README.md +++ b/README.md 
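Review bot: isDockerInstalled returns the raw exit status of `command -v docker` (`returnStatus: true`), and in Groovy the integer 0 is falsy, so `if(isDockerInstalled())` in withBeatsEnv is true exactly when docker is absent and dockerLogin is skipped on the workers that do have it; the inversion predates this commit, but the function is rewritten here, so `return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) == 0` belongs in the same change. The commented-out `isInstalled(tool: 'docker', flag: '--version')` alternative on the line above is dead code that reads as an open TODO; either make it the implementation or drop it. In RunCommand.run the first statement dereferences `args.content.get(...)` without the null-safe operator that every following `args?.content?.containsKey(...)` uses; either all of them need it or none do, and `def withModule = args.content?.get('withModule', false)` keeps the style consistent.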
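Review bot: The `disabled:` block at the end of the new top-level Jenkinsfile.yml is labelled `## Proposal` / `## TBC` and nothing in this commit reads it: generateStages only consumes `content['projects']` and `content['changeset']`, so the `skip-ci` label and `draft: true` entries currently have no effect. A maintainer reading the file is likely to assume those switches work; either leave the block out until it is wired up, or make the comment explicit, e.g. `## NOT IMPLEMENTED: the pipeline does not read this section yet; skip-ci and draft have no effect`.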
@@ -93,12 +93,16 @@ For testing purposes, we generate snapshot builds that you can find [here](https ## CI +### PR Comments + It is possible to trigger some jobs by putting a comment on a GitHub PR. (This service is only available for users affiliated with Elastic and not for open-source contributors.) * [beats][] * `jenkins run the tests please` or `jenkins run tests` or `/test` will kick off a default build. * `/test macos` will kick off a default build with also the `macos` stages. + * `/test ` will kick off the default build for the given PR in addition to the `` build itself. + * `/test for macos` will kick off a default build with also the `macos` stage for the ``. * [apm-beats-update][] * `/run apm-beats-update` * [apm-beats-packaging][] @@ -106,6 +110,13 @@ It is possible to trigger some jobs by putting a comment on a GitHub PR. * [apm-beats-tester][] * `/beats-tester` will kick of a build to validate the generated packages. +### PR Labels + +It's possible to configure the build on a GitHub PR by labelling the PR with the below labels + +* `` to force the following builds to run the stages for the `` +* `macOS` to force the following builds to run the `macos` stages. + [beats]: https://beats-ci.elastic.co/job/Beats/job/beats/ [apm-beats-update]: https://beats-ci.elastic.co/job/Beats/job/apm-beats-update/ [apm-beats-packaging]: https://beats-ci.elastic.co/job/Beats/job/packaging/ diff --git a/auditbeat/Jenkinsfile.yml b/auditbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..873e2c319f3 --- /dev/null +++ b/auditbeat/Jenkinsfile.yml 
@@ -0,0 +1,34 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^auditbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test auditbeat" + labels: ## when PR labels matches any of those entries + - "auditbeat" + parameters: ## when parameter was selected in the UI. + - "auditbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + crosscompile: + make: "make -C auditbeat crosscompile" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test auditbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/auditbeat/docs/running-on-docker.asciidoc b/auditbeat/docs/running-on-docker.asciidoc index 74007cdeb35..dee50fa254a 100644 --- a/auditbeat/docs/running-on-docker.asciidoc +++ b/auditbeat/docs/running-on-docker.asciidoc @@ -10,5 +10,5 @@ It is also essential to run {beatname_uc} in the host PID namespace. ["source","sh",subs="attributes"] ---- -docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage} +docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage} ---- diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go index 73110b17354..bc99856a890 100644 --- a/auditbeat/magefile.go +++ b/auditbeat/magefile.go 
@@ -92,7 +92,7 @@ func Package() { // TestPackages tests the generated packages (i.e. file modes, owners, groups). func TestPackages() error { - return devtools.TestPackages(devtools.WithRootUserContainer()) + return devtools.TestPackages() } // Update is an alias for running fields, dashboards, config, includes. diff --git a/auditbeat/scripts/mage/package.go b/auditbeat/scripts/mage/package.go index fbda2077f4f..09591705121 100644 --- a/auditbeat/scripts/mage/package.go +++ b/auditbeat/scripts/mage/package.go @@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) { args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig) sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget case devtools.Docker: - args.Spec.ExtraVar("user", "root") default: panic(errors.Errorf("unhandled package type: %v", pkgType)) } diff --git a/deploy/kubernetes/Jenkinsfile.yml b/deploy/kubernetes/Jenkinsfile.yml new file mode 100644 index 00000000000..452771edfb5 --- /dev/null +++ b/deploy/kubernetes/Jenkinsfile.yml @@ -0,0 +1,15 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^deploy/kubernetes/.*" + comments: ## when PR comment contains any of those entries + - "/test deploy/kubernetes" + labels: ## when PR labels matches any of those entries + - "kubernetes" + parameters: ## when parameter was selected in the UI. + - "kubernetes" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + k8sTest: + k8sTest: "v1.18.2,v1.17.2,v1.16.4,v1.15.7,v1.14.10" diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 1cfd2402193..dbfbc9f4b7a 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml 
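Review bot: The `TestPackages` body now drops `devtools.WithRootUserContainer()` without a comment, and the same commit removes `args.Spec.ExtraVar("user", "root")` from the `devtools.Docker` case in auditbeat/scripts/mage/package.go, so the auditbeat image appears to stop defaulting to root while the only explanation lives in running-on-docker.asciidoc (`--user=root`). Record the decision where the next maintainer will look: above the return, `// Run the package checks with the image's own default user: the Docker spec no longer forces root (see scripts/mage/package.go); audit access is granted at run time with --user=root.`, and in package.go a `// Docker: intentionally no "user" override, the image runs as its default user.` line in the now-empty case. The user the image falls back to is not visible in this diff, so confirm it before committing that wording.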
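Review bot: `k8sTest: "v1.18.2,v1.17.2,v1.16.4,v1.15.7,v1.14.10"` encodes a list as a comma-joined scalar that `RunCommand.run` then re-splits with `split(',')`; a YAML sequence would be the natural form and would not break on an accidental space after a comma. If the scalar is kept for compatibility with the Groovy side, a comment such as `## comma-separated, no spaces: split by RunCommand` on that line makes the contract explicit.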
@@ -340,7 +340,7 @@ shared: buildFrom: 'centos:7' dockerfile: 'Dockerfile.elastic-agent.tmpl' docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl' - user: 'root' + user: '{{ .BeatName }}' linux_capabilities: '' files: 'elastic-agent.yml': diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 5e6c0fcd6cd..7ab87f6f3ec 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -12,6 +12,8 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s chown -R root:root {{ $beatHome }} && \ find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ + find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \ + find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \ rm {{ $beatBinary }} && \ ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \ chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \ @@ -21,7 +23,7 @@ RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_s {{- range $i, $modulesd := .ModulesDirs }} chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ {{- end }} - chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs + true FROM {{ .from }} @@ -69,6 +71,10 @@ RUN chmod 755 /usr/local/bin/docker-entrypoint COPY --from=home {{ $beatHome }} {{ $beatHome }} +# Elastic Agent needs group permissions in the home itself to be able to +# create fleet.yml when running as non-root. +RUN chmod 0770 {{ $beatHome }} + RUN mkdir /licenses COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses diff --git a/docs/devguide/modules-dev-guide.asciidoc b/docs/devguide/modules-dev-guide.asciidoc index b8aa133f1f8..b3a8cb22592 100644 
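Review bot: The `RUN` chain in the second Dockerfile hunk now ends in a bare `true`, which exists only to absorb the `&& \` that the `{{- range $i, $modulesd := .ModulesDirs }}` loop leaves after its last `chmod`; without a comment it reads as a leftover. Either restructure the template so the connector leads each loop item and nothing trails the last one, or annotate the line: `true # terminates the && chain emitted by the ModulesDirs loop above`. The RUN instruction itself begins outside this hunk.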
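Review bot: `RUN chmod 0770 {{ $beatHome }}` makes the entire agent home group-writable so a non-root agent can create `fleet.yml`, which also lets any process in that group create, rename or delete entries at the top level of the home, beside the `data` directory that the first hunk already opens to 0770/0660. A narrower grant is to pre-create an empty, group-writable `fleet.yml` in the `home` stage (or a dedicated writable subdirectory the agent is pointed at) and keep the home itself at 0750; if the agent genuinely needs to write other top-level files, the comment should list them. The group that benefits is presumably the one the new `user: '{{ .BeatName }}'` from packages.yml belongs to, which this diff does not show.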
--- a/docs/devguide/modules-dev-guide.asciidoc +++ b/docs/devguide/modules-dev-guide.asciidoc @@ -486,6 +486,6 @@ locally for a specific module, using the following procedure under Filebeat dire . Run an Elasticsearch instance locally using docker: `docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT` . Create python env: `make python-env` -. Source python env: `./build/python-env/bin/activate` +. Source python env: `source ./build/python-env/bin/activate` . Create the testing binary: `make filebeat.test` . Run the test, ie: `GENERATE=1 INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=nginx pytest tests/system/test_modules.py` diff --git a/filebeat/Jenkinsfile.yml b/filebeat/Jenkinsfile.yml new file mode 100644 index 00000000000..45b032accfb --- /dev/null +++ b/filebeat/Jenkinsfile.yml 
@@ -0,0 +1,33 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^filebeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@oss" ## special token regarding the changeset for the oss
+ comments: ## when PR comment contains any of those entries
+ - "/test filebeat"
+ labels: ## when PR labels matches any of those entries
+ - "filebeat"
+ parameters: ## when parameter was selected in the UI.
+ - "filebeat"
+ tags: true ## for all the tags
+platform: "linux && ubuntu-18" ## default label for all the stages
+stages:
+ build:
+ mage: "mage build test"
+ withModule: true ## run the ITs only if the changeset affects a specific module.
+ macos:
+ mage: "mage build unitTest"
+ platforms: ## override default label in this specific stage.
+ - "macosx"
+ when: ## Aggregate when with the top-level one.
+ comments:
+ - "/test filebeat for macos"
+ labels:
+ - "macOS"
+ parameters:
+ - "macosTest"
+ windows:
+ mage: "mage build unitTest"
+ platforms: ## override default labels in this specific stage.
+ - "windows-2019"
diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml
index f35881687e8..1d6d2e0d042 100644
--- a/filebeat/module/osquery/result/config/result.yml
+++ b/filebeat/module/osquery/result/config/result.yml
@@ -10,4 +10,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
index c14b9664d1e..2a0329133fa 100644
--- a/filebeat/module/osquery/result/ingest/pipeline.json
+++ b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -206,6 +206,14 @@ "value": "{{osquery.result.name}}", "ignore_empty_value": true } + }, + { + "append": { + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''", + "allow_duplicates": false + } } ], "on_failure" : [{ diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json index bedd286615d..953a63b299c 100644 --- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json +++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json @@ -29,6 +29,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -66,6 +69,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -103,6 +109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -140,6 +149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -177,6 +189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
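Review bot: The added `if` condition mixes null-safe operators, `ctx?.host?.hostname != null && ctx.host?.hostname != ''`; `ctx` is never null in an ingest processor script, and once the first clause has established that `ctx.host.hostname` is non-null the second `?.` is redundant, so write it as `"if": "ctx.host?.hostname != null && ctx.host.hostname != ''"`. The value copied into `related.hosts` is `{{host.hostname}}`, which the expected fixtures show equal to `osquery.result.host_identifier`; the processor that sets `host.hostname` is outside this hunk, so the append depends on being ordered after it. The enclosing processors array begins outside the hunk.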
@@ -214,6 +229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -251,6 +269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -288,6 +309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -325,6 +349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -362,6 +389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -399,6 +429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -436,6 +469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -473,6 +509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -510,6 +549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -547,6 +589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -584,6 +629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -621,6 +669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -658,6 +709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -695,6 +749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -732,6 +789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -769,6 +829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -806,6 +869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -843,6 +909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -880,6 +949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -917,6 +989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -954,6 +1029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -991,6 +1069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1028,6 +1109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1065,6 +1149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1102,6 +1189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1139,6 +1229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1176,6 +1269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1213,6 +1309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1250,6 +1349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1287,6 +1389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1324,6 +1429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1361,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1398,6 +1509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1435,6 +1549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1472,6 +1589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1509,6 +1629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1546,6 +1669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1583,6 +1709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1620,6 +1749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1657,6 +1789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1694,6 +1829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1731,6 +1869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1768,6 +1909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1805,6 +1949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1842,6 +1989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1879,6 +2029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1916,6 +2069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1953,6 +2109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1990,6 +2149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2027,6 +2189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2064,6 +2229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2101,6 +2269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2138,6 +2309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2195,6 +2369,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2252,6 +2429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index bc722ee249f..5a8083a37e2 100644 
--- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json @@ -22,6 +22,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "org.python.python.app", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -52,6 +55,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ruby", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -82,6 +88,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.a2p", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -112,6 +121,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.javajdk16.cmd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -142,6 +154,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.php", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -172,6 +187,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.nc", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -202,6 +220,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ksh", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -234,6 +255,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "httpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -266,6 +290,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "cupsd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -298,6 +325,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AEServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -330,6 +360,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ftpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -362,6 +395,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleFileServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -394,6 +430,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "sshd-keygen-wrapper", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -426,6 +465,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "smbd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -458,6 +500,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleVNCServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -490,6 +535,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ODSAgent", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -544,6 +592,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -599,6 +650,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -653,6 +707,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -707,6 +764,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -761,6 +821,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -815,6 +878,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -869,6 +935,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -923,6 +992,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -977,6 +1049,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1031,6 +1106,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1085,6 +1163,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1139,6 +1220,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1193,6 +1277,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1226,6 +1313,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1258,6 +1348,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1290,6 +1383,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1322,6 +1418,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1354,6 +1453,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1386,6 +1488,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1418,6 +1523,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1450,6 +1558,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1482,6 +1593,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1514,6 +1628,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1546,6 +1663,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1578,6 +1698,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1610,6 +1733,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1642,6 +1768,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1674,6 +1803,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1706,6 +1838,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1738,6 +1873,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1770,6 +1908,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1802,6 +1943,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1834,6 +1978,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1866,6 +2013,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1898,6 +2048,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1930,6 +2083,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1962,6 +2118,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1994,6 +2153,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2026,6 +2188,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2058,6 +2223,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2090,6 +2258,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2122,6 +2293,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2154,6 +2328,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2186,6 +2363,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2218,6 +2398,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2250,6 +2433,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2282,6 +2468,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2314,6 +2503,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2346,6 +2538,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2378,6 +2573,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2410,6 +2608,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2442,6 +2643,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2474,6 +2678,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2506,6 +2713,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2538,6 +2748,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2570,6 +2783,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2602,6 +2818,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2634,6 +2853,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2666,6 +2888,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2698,6 +2923,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2730,6 +2958,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2762,6 +2993,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2794,6 +3028,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2826,6 +3063,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2858,6 +3098,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2890,6 +3133,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2922,6 +3168,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2954,6 +3203,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2986,6 +3238,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3018,6 +3273,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3050,6 +3308,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3082,6 +3343,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3114,6 +3378,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3146,6 +3413,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3178,6 +3448,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3210,6 +3483,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3242,6 +3518,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3274,6 +3553,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3306,6 +3588,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3338,6 +3623,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3370,6 +3658,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3402,6 +3693,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3434,6 +3728,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3466,6 +3763,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json index c339f8183fd..0f9afe755c1 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json @@ -26,6 +26,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "system_info", "osquery.result.unix_time": "1512649280", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -60,6 +63,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -94,6 +100,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -128,6 +137,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -162,6 +174,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -196,6 +211,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -230,6 +248,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -264,6 +285,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -298,6 +322,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -332,6 +359,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -366,6 +396,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -400,6 +433,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -434,6 +470,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -468,6 +507,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -502,6 +544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -536,6 +581,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -570,6 +618,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -604,6 +655,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -638,6 +692,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -672,6 +729,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -706,6 +766,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -740,6 +803,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -774,6 +840,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -808,6 +877,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -842,6 +914,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -876,6 +951,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -910,6 +988,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -944,6 +1025,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -978,6 +1062,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1012,6 +1099,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1046,6 +1136,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1080,6 +1173,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1114,6 +1210,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1148,6 +1247,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1182,6 +1284,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1216,6 +1321,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1250,6 +1358,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1284,6 +1395,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1318,6 +1432,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1352,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1386,6 +1506,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1420,6 +1543,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1454,6 +1580,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1488,6 +1617,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1522,6 +1654,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1556,6 +1691,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1590,6 +1728,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1624,6 +1765,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1658,6 +1802,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1692,6 +1839,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1726,6 +1876,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1760,6 +1913,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1794,6 +1950,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1828,6 +1987,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1862,6 +2024,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1896,6 +2061,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1930,6 +2098,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1964,6 +2135,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1998,6 +2172,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2032,6 +2209,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2066,6 +2246,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2100,6 +2283,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2134,6 +2320,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2168,6 +2357,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2202,6 +2394,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2236,6 +2431,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2270,6 +2468,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2304,6 +2505,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2341,6 +2545,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2394,6 +2601,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2428,6 +2638,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2462,6 +2675,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2496,6 +2712,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2530,6 +2749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2564,6 +2786,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2598,6 +2823,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2632,6 +2860,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2666,6 +2897,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2700,6 +2934,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2734,6 +2971,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2768,6 +3008,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2805,6 +3048,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2858,6 +3104,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2899,6 +3148,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2940,6 +3192,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2981,6 +3236,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3022,6 +3280,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3063,6 +3324,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3104,6 +3368,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3145,6 +3412,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3186,6 +3456,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3227,6 +3500,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3268,6 +3544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -3309,6 +3588,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3350,6 +3632,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3391,6 +3676,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3432,6 +3720,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3473,6 +3764,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3514,6 +3808,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3555,6 +3852,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json index 37a56ff8f13..4f7d0589a04 100644 --- a/filebeat/module/osquery/result/test/test.log-expected.json +++ b/filebeat/module/osquery/result/test/test.log-expected.json 
@@ -33,6 +33,9 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1514472008",
+ "related.hosts": [
+ "192-168-0-4.rdsnet.ro"
+ ],
 "related.user": [
 "tsg"
 ],
diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml
index 3cdbd459e68..13f8c95656d 100644
--- a/filebeat/module/system/auth/config/auth.yml
+++ b/filebeat/module/system/auth/config/auth.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
index a958855936a..54ab0dbf8f5 100644
--- a/filebeat/module/system/auth/ingest/pipeline.yml
+++ b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -142,6 +142,11 @@ processors:
 field: related.ip
 value: "{{source.ip}}"
 if: "ctx?.source?.ip != null"
+- append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
+ allow_duplicates: false
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
index 74654cb6dc1..cff887d76e8 100644
--- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
+++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json
@@ -11,6 +11,9 @@
 "message": "subsystem request for sftp by user vagrant",
 "process.name": "sshd",
 "process.pid": 8317,
+ "related.hosts": [
+ "precise32"
+ ],
 "service.type": "system"
 },
 {
@@ -23,6 +26,9 @@
 "input.type": "log",
 "log.offset": 81,
 "process.name": "sudo",
+ "related.hosts": [
+ "precise32"
+ ],
 "related.user": [
 "vagrant"
 ],
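Review bot: The new `append` processor in pipeline.yml uses a different null-safe style from the `related.ip` processor directly above it (`ctx.host?.hostname` versus `ctx?.source?.ip`), and repeats the optional chain in the second comparison; for consistency and readability write `if: "ctx?.host?.hostname != null && ctx.host.hostname != ''"`. The `allow_duplicates: false` option on `append` is, to my recollection, only accepted by more recent Elasticsearch releases, so the module's minimum Elasticsearch requirement should be confirmed before relying on it, since an unknown processor option fails pipeline installation rather than degrading quietly. The processor only feeds `host.hostname` into `related.hosts`, while the secure-rhel7 fixtures show the sshd `rhost=` value reaching `related.ip` only; if the grok earlier in this pipeline can capture a non-address `rhost=`, that value is a candidate for `related.hosts` too and is worth confirming. A short comment above the processor would help the next maintainer, e.g. `# related.hosts: the reporting host only; remote peers from sshd lines are collected into related.ip above`. The enclosing `processors:` list starts and ends outside this hunk.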
@@ -44,6 +50,9 @@ "log.offset": 464, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -57,6 +66,9 @@ "log.offset": 570, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -71,6 +83,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -83,6 +98,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -104,6 +122,9 @@ "log.offset": 1121, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -117,6 +138,9 @@ "log.offset": 1227, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -131,6 +155,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -143,6 +170,9 @@ "input.type": "log", "log.offset": 1393, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -164,6 +194,9 @@ "log.offset": 1776, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -177,6 +210,9 @@ "log.offset": 1882, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -191,6 +227,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -203,6 +242,9 @@ "input.type": "log", "log.offset": 2048, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -224,6 +266,9 @@ "log.offset": 2426, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -237,6 +282,9 @@ "log.offset": 2532, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -251,6 +299,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -263,6 +314,9 @@ "input.type": "log", "log.offset": 2698, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -284,6 +338,9 @@ "log.offset": 3083, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -297,6 +354,9 @@ "log.offset": 3189, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -311,6 +371,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -336,6 +399,9 @@ "input.type": "log", "log.offset": 3414, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -357,6 +423,9 @@ "log.offset": 3977, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -370,6 +439,9 @@ "log.offset": 4083, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -384,6 +456,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -396,6 +471,9 @@ "input.type": "log", "log.offset": 4249, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -417,6 +495,9 @@ "log.offset": 4632, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -430,6 +511,9 @@ "log.offset": 4738, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -444,6 +528,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -456,6 +543,9 @@ "input.type": "log", "log.offset": 4904, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -477,6 +567,9 @@ "log.offset": 5289, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -490,6 +583,9 @@ "log.offset": 5395, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -504,6 +600,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -516,6 +615,9 @@ "input.type": "log", "log.offset": 5561, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -537,6 +639,9 @@ "log.offset": 5942, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -550,6 +655,9 @@ "log.offset": 6048, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -564,6 +672,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -576,6 +687,9 @@ "input.type": "log", "log.offset": 6214, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -597,6 +711,9 @@ "log.offset": 6597, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -610,6 +727,9 @@ "log.offset": 6703, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -624,6 +744,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -636,6 +759,9 @@ "input.type": "log", "log.offset": 6869, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -657,6 +783,9 @@ "log.offset": 7254, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -670,6 +799,9 @@ "log.offset": 7360, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -684,6 +816,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -696,6 +831,9 @@ "input.type": "log", "log.offset": 7526, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -717,6 +855,9 @@ "log.offset": 7911, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -730,6 +871,9 @@ "log.offset": 8017, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -744,6 +888,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -756,6 +903,9 @@ "input.type": "log", "log.offset": 8183, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -777,6 +927,9 @@ "log.offset": 8564, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -790,6 +943,9 @@ "log.offset": 8670, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -804,6 +960,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -816,6 +975,9 @@ "input.type": "log", "log.offset": 8836, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -837,6 +999,9 @@ "log.offset": 9215, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -850,6 +1015,9 @@ "log.offset": 9321, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -864,6 +1032,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -876,6 +1047,9 @@ "input.type": "log", "log.offset": 9487, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -897,6 +1071,9 @@ "log.offset": 9869, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -910,6 +1087,9 @@ "log.offset": 9975, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -922,6 +1102,9 @@ "input.type": "log", "log.offset": 10060, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -943,6 +1126,9 @@ "log.offset": 11099, "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -956,6 +1142,9 @@ "log.offset": 11195, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -969,6 +1158,9 @@ "log.offset": 11301, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -983,6 +1175,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -997,6 +1192,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1009,6 +1207,9 @@ "input.type": "log", "log.offset": 11548, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1030,6 +1231,9 @@ "log.offset": 11928, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1043,6 +1247,9 @@ "log.offset": 12034, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1057,6 +1264,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1069,6 +1279,9 @@ "input.type": "log", "log.offset": 12200, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1090,6 +1303,9 @@ "log.offset": 12583, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1103,6 +1319,9 @@ "log.offset": 12689, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1117,6 +1336,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1129,6 +1351,9 @@ "input.type": "log", "log.offset": 12855, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1150,6 +1375,9 @@ "log.offset": 13241, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1163,6 +1391,9 @@ "log.offset": 13347, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1177,6 +1408,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1189,6 +1423,9 @@ "input.type": "log", "log.offset": 13513, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1210,6 +1447,9 @@ "log.offset": 13898, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1223,6 +1463,9 @@ "log.offset": 14004, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1237,6 +1480,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1249,6 +1495,9 @@ "input.type": "log", "log.offset": 14170, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1270,6 +1519,9 @@ "log.offset": 14549, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1283,6 +1535,9 @@ "log.offset": 14655, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1297,6 +1552,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1309,6 +1567,9 @@ "input.type": "log", "log.offset": 14821, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1330,6 +1591,9 @@ "log.offset": 15203, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1343,6 +1607,9 @@ "log.offset": 15309, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1357,6 +1624,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1369,6 +1639,9 @@ "input.type": "log", "log.offset": 15475, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1390,6 +1663,9 @@ "log.offset": 15860, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1403,6 +1679,9 @@ "log.offset": 15966, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1417,6 +1696,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1429,6 +1711,9 @@ "input.type": "log", "log.offset": 16132, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1450,6 +1735,9 @@ "log.offset": 16517, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1463,6 +1751,9 @@ "log.offset": 16623, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1477,6 +1768,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1489,6 +1783,9 @@ "input.type": "log", "log.offset": 16789, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 5242ff398d9..7d8ece1d7f2 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -52,6 +55,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -74,6 +80,9 @@ "log.offset": 209, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -107,6 +116,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -129,6 +141,9 @@ "log.offset": 418, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -162,6 +177,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -176,6 +194,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -190,6 +211,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -204,6 +228,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -218,6 +245,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -240,6 +270,9 @@ "log.offset": 1105, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -273,6 +306,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -295,6 +331,9 @@ "log.offset": 1314, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -328,6 +367,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -350,6 +392,9 @@ "log.offset": 1523, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -383,6 +428,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -405,6 +453,9 @@ "log.offset": 1732, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -438,6 +489,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -460,6 +514,9 @@ "log.offset": 1941, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -493,6 +550,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -507,6 +567,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -521,6 +584,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -535,6 +601,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -549,6 +618,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -563,6 +635,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -577,6 +652,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -599,6 +677,9 @@ "log.offset": 2889, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -632,6 +713,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -654,6 +738,9 @@ "log.offset": 3098, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], 
@@ -687,6 +774,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -709,6 +799,9 @@ "log.offset": 3306, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -742,6 +835,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -764,6 +860,9 @@ "log.offset": 3515, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -797,6 +896,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -819,6 +921,9 @@ "log.offset": 3723, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -852,6 +957,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -874,6 +982,9 @@ "log.offset": 3932, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -907,6 +1018,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -921,6 +1035,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -943,6 +1060,9 @@ "log.offset": 4259, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -976,6 +1096,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -998,6 +1121,9 @@ "log.offset": 4468, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1031,6 +1157,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1045,6 +1174,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1059,6 +1191,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1073,6 +1208,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1087,6 +1225,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1109,6 +1250,9 @@ "log.offset": 5155, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -1142,6 +1286,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1164,6 +1311,9 @@ "log.offset": 5364, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1197,6 +1347,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1219,6 +1372,9 @@ "log.offset": 5573, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1252,6 +1408,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1274,6 +1433,9 @@ "log.offset": 5782, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1307,6 +1469,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1329,6 +1494,9 @@ "log.offset": 5991, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1362,6 +1530,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1376,6 +1547,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1390,6 +1564,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1404,6 +1581,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1418,6 +1598,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1440,6 +1623,9 @@ "log.offset": 6678, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1473,6 +1659,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1495,6 +1684,9 @@ "log.offset": 6887, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1528,6 +1720,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1550,6 +1745,9 @@ "log.offset": 7096, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -1583,6 +1781,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1605,6 +1806,9 @@ "log.offset": 7305, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1638,6 +1842,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1660,6 +1867,9 @@ "log.offset": 7514, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1693,6 +1903,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1707,6 +1920,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1721,6 +1937,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1735,6 +1954,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1749,6 +1971,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1771,6 +1996,9 @@ "log.offset": 8199, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1804,6 +2032,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1826,6 +2057,9 @@ "log.offset": 8407, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1859,6 +2093,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1881,6 +2118,9 @@ "log.offset": 8615, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1914,6 +2154,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1928,6 +2171,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1942,6 +2188,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1956,6 +2205,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1978,6 +2230,9 @@ "log.offset": 9205, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2011,6 +2266,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2033,6 +2291,9 @@ "log.offset": 9414, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2066,6 +2327,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2088,6 +2352,9 @@ "log.offset": 9623, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2121,6 +2388,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2143,6 +2413,9 @@ "log.offset": 9832, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2176,6 +2449,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2198,6 +2474,9 @@ "log.offset": 10041, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2231,6 +2510,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -2245,6 +2527,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2259,6 +2544,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2273,6 +2561,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2287,6 +2578,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2309,6 +2603,9 @@ "log.offset": 10728, "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2342,6 +2639,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 0203b1a1f3b..88d32188bb7 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 3402, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -53,6 +56,9 @@ "log.offset": 152, "process.name": "sshd", "process.pid": 7483, + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.33.1" ], 
@@ -86,6 +92,9 @@ "log.offset": 254, "process.name": "sshd", "process.pid": 3430, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -117,6 +126,9 @@ "log.offset": 324, "process.name": "sshd", "process.pid": 5774, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.24" ], @@ -148,6 +160,9 @@ "input.type": "log", "log.offset": 420, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -169,6 +184,9 @@ "log.offset": 522, "process.name": "sshd", "process.pid": 18406, + "related.hosts": [ + "slave22" + ], "related.ip": [ "123.57.245.163" ], @@ -195,6 +213,9 @@ "input.type": "log", "log.offset": 617, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -215,6 +236,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "tsg" ], @@ -247,6 +271,9 @@ "log.offset": 861, "process.name": "groupadd", "process.pid": 6991, + "related.hosts": [ + "localhost" + ], "service.type": "system" }, { @@ -269,6 +296,9 @@ "log.offset": 934, "process.name": "useradd", "process.pid": 6995, + "related.hosts": [ + "localhost" + ], "related.user": [ "apache" ], diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json index 8903b63e89e..4d428b4d1cc 100644 --- a/filebeat/module/system/auth/test/timestamp.log-expected.json +++ b/filebeat/module/system/auth/test/timestamp.log-expected.json @@ -12,6 +12,9 @@ "log.offset": 0, "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "service.type": "system" }, { @@ -27,6 +30,9 @@ "log.offset": 118, "message": "user nobody logged out.", "process.name": "pam", + "related.hosts": [ + "localhost" + ], "service.type": "system" } ] \ No newline at end of file 
diff --git a/filebeat/module/system/syslog/config/syslog.yml b/filebeat/module/system/syslog/config/syslog.yml
index 3cdbd459e68..13f8c95656d 100644
--- a/filebeat/module/system/syslog/config/syslog.yml
+++ b/filebeat/module/system/syslog/config/syslog.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
index e45cacec6b6..b1352f2ad62 100644
--- a/filebeat/module/system/syslog/ingest/pipeline.yml
+++ b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -54,6 +54,11 @@ processors:
 - set:
 field: event.kind
 value: event
+- append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
+ allow_duplicates: false
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
index 7fd9929cf9e..a5957f19b94 100644
--- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
+++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json
@@ -14,6 +14,9 @@
 "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>",
 "process.name": "GoogleSoftwareUpdateAgent",
 "process.pid": 21412,
+ "related.hosts": [
+ "a-mac-with-esc-key"
+ ],
 "service.type": "system"
 },
 {
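Review bot: The new `append` processor in `ingest/pipeline.yml` copies `host.hostname` into `related.hosts` without saying where that value comes from, and the darwin fixture updated in the same diff (`"related.hosts": ["a-mac-with-esc-key"]`) suggests it is the hostname parsed out of the syslog line rather than the shipping Beat's own host, so a comment above `- append:` would stop the next reader from assuming it mirrors `host.name`: `# related.hosts (ECS 1.6): hostname taken from the syslog line itself, so it is only as trustworthy as the log source`. That distinction matters for anyone pivoting on `related.hosts` in detections, since a value that originates in log content is attacker-influenceable in a way the shipper's metadata is not. The `!= ''` half of the `if` is what keeps an event whose hostname did not parse from gaining an empty entry, which is worth a word in the same comment. The `processors` list this hunk extends begins outside the hunk, so I could not confirm which earlier processor populates `host.hostname`.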
@@ -28,6 +31,9 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json index f1abb5047d5..6f12a7a5656 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json @@ -11,6 +11,9 @@ "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -42,6 +48,9 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -56,6 +65,9 @@ "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -73,6 +85,9 @@ "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t>,\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t>\n\t)}\n\tUsing server: \n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -87,6 +102,9 @@ "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -101,6 +119,9 @@ "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -118,6 +139,9 @@ "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -132,6 +156,9 @@ "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -146,6 +173,9 @@ "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -160,6 +190,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -174,6 +207,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -188,6 +224,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -202,6 +241,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -216,6 +258,9 @@ "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -230,6 +275,9 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -244,6 +292,9 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -258,6 +309,9 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -272,6 +326,9 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -286,6 +343,9 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -300,6 +360,9 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -314,6 +377,9 @@ "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -331,6 +397,9 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t<>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -345,6 +414,9 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -362,6 +434,9 @@ "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -376,6 +451,9 @@ "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -390,6 +468,9 @@ "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -404,6 +485,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -418,6 +502,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -432,6 +519,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -446,6 +536,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -460,6 +553,9 @@ "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -477,6 +573,9 @@ "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=\n\t\tserverInfoStore=\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -491,6 +590,9 @@ "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -508,6 +610,9 @@ "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -522,6 +627,9 @@ "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -536,6 +644,9 @@ "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -550,6 +661,9 @@ "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -564,6 +678,9 @@ "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -577,6 +694,9 @@ "log.offset": 15501, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -591,6 +711,9 @@ "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -605,6 +728,9 @@ "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -619,6 +745,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -632,6 +761,9 @@ "log.offset": 16312, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -645,6 +777,9 @@ "log.offset": 16527, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -659,6 +794,9 @@ "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -672,6 +810,9 @@ "log.offset": 16952, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -686,6 +827,9 @@ "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -700,6 +844,9 @@ "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -713,6 +860,9 @@ "log.offset": 17693, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -727,6 +877,9 @@ "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -741,6 +894,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -755,6 +911,9 @@ "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -768,6 +927,9 @@ "log.offset": 18504, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -782,6 +944,9 @@ "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -795,6 +960,9 @@ "log.offset": 18982, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -809,6 +977,9 @@ "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -822,6 +993,9 @@ "log.offset": 19407, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -836,6 +1010,9 @@ "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -850,6 +1027,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -864,6 +1044,9 @@ "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -877,6 +1060,9 @@ "log.offset": 20078, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -891,6 +1077,9 @@ "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -904,6 +1093,9 @@ "log.offset": 20556, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -918,6 +1110,9 @@ "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -932,6 +1127,9 @@ "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -946,6 +1144,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -959,6 +1160,9 @@ "log.offset": 21367, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -973,6 +1177,9 @@ "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -987,6 +1194,9 @@ "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1000,6 +1210,9 @@ "log.offset": 22108, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1014,6 +1227,9 @@ "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1028,6 +1244,9 @@ "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1041,6 +1260,9 @@ "log.offset": 22849, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1055,6 +1277,9 @@ "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1069,6 +1294,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1082,6 +1310,9 @@ "log.offset": 23397, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1096,6 +1327,9 @@ "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1109,6 +1343,9 @@ "log.offset": 23822, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1123,6 +1360,9 @@ "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1136,6 +1376,9 @@ "log.offset": 24160, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1150,6 +1393,9 @@ "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1164,6 +1410,9 @@ "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1178,6 +1427,9 @@ "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1192,6 +1444,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1205,6 +1460,9 @@ "log.offset": 25094, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1219,6 +1477,9 @@ "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1233,6 +1494,9 @@ "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 22318, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1246,6 +1510,9 @@ "log.offset": 26456, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1260,6 +1527,9 @@ "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1274,6 +1544,9 @@ "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1287,6 +1560,9 @@ "log.offset": 27057, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1301,6 +1577,9 @@ "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1314,6 +1593,9 @@ "log.offset": 27342, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1328,6 +1610,9 @@ "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1342,6 +1627,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1356,6 +1644,9 @@ "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1369,6 +1660,9 @@ "log.offset": 28153, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1383,6 +1677,9 @@ "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1397,6 +1694,9 @@ "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json index 48cbc44161b..4090efed2e7 100644 --- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json 
@@ -11,6 +11,9 @@
 "message": "Stopped target Basic System.",
 "process.name": "systemd",
 "process.pid": 4179,
+ "related.hosts": [
+ "linux-sqrz"
+ ],
 "service.type": "system"
 },
 {
@@ -25,6 +28,9 @@
 "message": "Stopped target Paths.",
 "process.name": "systemd",
 "process.pid": 4179,
+ "related.hosts": [
+ "linux-sqrz"
+ ],
 "service.type": "system"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json
index 2dfd146dedc..905d8cfd95d 100644
--- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json
+++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json
@@ -13,6 +13,9 @@
 "message": "shutting down for system halt",
 "process.name": "shutdown",
 "process.pid": 2649,
+ "related.hosts": [
+ "rmbkmonitor04"
+ ],
 "service.type": "system"
 },
 {
@@ -28,6 +31,9 @@
 "log.offset": 89,
 "message": "constraint_0_power_limit_uw exceeded.",
 "process.name": "thermald",
+ "related.hosts": [
+ "rmbkmonitor04"
+ ],
 "service.type": "system"
 },
 {
@@ -43,6 +49,9 @@
 "log.offset": 184,
 "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
 "process.name": "sudo",
+ "related.hosts": [
+ "localhost"
+ ],
 "service.type": "system"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/tests/system/test_autodiscover.py b/filebeat/tests/system/test_autodiscover.py
index 0f8b44b0750..62dd7916437 100644
--- a/filebeat/tests/system/test_autodiscover.py
+++ b/filebeat/tests/system/test_autodiscover.py
@@ -1,8 +1,10 @@
-import os
+import docker
 import filebeat
+import os
 import unittest
 
 from beat.beat import INTEGRATION_TESTS
+from contextlib import contextmanager
 
 
 class TestAutodiscover(filebeat.BaseTest):
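Review bot: `import docker` becomes an unconditional module-level import, so this test module now fails at import time on any machine without the docker SDK, including runs where INTEGRATION_TESTS is off and both tests would have been skipped by their `@unittest.skipIf` guards; the function-scope `import docker` it replaces (removed in the two hunks below) only ran when a test actually executed. Keeping the import lazy inside the new `container_running` helper preserves the old behaviour, as would `docker = None` under an `except ImportError:` with the skip condition extended to `docker is None`. The `@unittest.skipIf` guards themselves are only visible in the later hunks of this file.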
@@ -16,47 +18,30 @@ def test_docker(self): """ Test docker autodiscover starts input """ - import docker - docker_client = docker.from_env() - - self.render_config_template( - inputs=False, - autodiscover={ - 'docker': { - 'cleanup_timeout': '0s', - 'templates': ''' - - condition: - equals.docker.container.image: busybox - config: - - type: log - paths: - - %s/${data.docker.container.image}.log - ''' % self.working_dir, + with self.container_running() as container: + self.render_config_template( + inputs=False, + autodiscover={ + 'docker': { + 'cleanup_timeout': '0s', + 'templates': f''' + - condition: + equals.docker.container.name: {container.name} + config: + - type: log + paths: + - %s/${{data.docker.container.name}}.log + ''' % self.working_dir, + }, }, - }, - ) + ) - with open(os.path.join(self.working_dir, 'busybox.log'), 'wb') as f: - f.write(b'Busybox output 1\n') - - proc = self.start_beat() - docker_client.images.pull('busybox') - docker_client.containers.run('busybox', 'sleep 1') + proc = self.start_beat() + self._test(container) - self.wait_until(lambda: self.log_contains('Starting runner: input')) self.wait_until(lambda: self.log_contains('Stopping runner: input')) - - output = self.read_output_json() proc.check_kill_and_wait() - # Check metadata is added - assert output[0]['message'] == 'Busybox output 1' - assert output[0]['container']['image']['name'] == 'busybox' - assert output[0]['docker']['container']['labels'] == {} - assert 'name' in output[0]['container'] - - self.assert_fields_are_documented(output[0]) - @unittest.skipIf(not INTEGRATION_TESTS or os.getenv("TESTING_ENVIRONMENT") == "2x", "integration test not available on 2.x") 
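Review bot: The new `templates` literal mixes f-string interpolation with `%`-formatting (`f'''...''' % self.working_dir`), which is what forces the `${{data.docker.container.name}}` doubling and makes the literal easy to break on the next edit; interpolating everything through the f-string, `- {self.working_dir}/${{data.docker.container.name}}.log` with the trailing `% self.working_dir` dropped, reads the same and is consistent. `container.name` is also emitted into the YAML unquoted; docker-generated names are safe today, but quoting it (`equals.docker.container.name: '{container.name}'`) keeps the template valid if `container_running` is ever given an explicit name. The `hints.default_config` template in the next hunk still uses plain `%`-formatting, so the two tests now build their templates two different ways. `test_docker`'s `def` line sits just above this hunk, in its header.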
@@ -64,41 +49,47 @@ def test_default_settings(self): """ Test docker autodiscover default config settings """ - import docker - docker_client = docker.from_env() - - self.render_config_template( - inputs=False, - autodiscover={ - 'docker': { - 'cleanup_timeout': '0s', - 'hints.enabled': 'true', - 'hints.default_config': ''' - type: log - paths: - - %s/${data.container.image}.log - ''' % self.working_dir, + with self.container_running() as container: + self.render_config_template( + inputs=False, + autodiscover={ + 'docker': { + 'cleanup_timeout': '0s', + 'hints.enabled': 'true', + 'hints.default_config': ''' + type: log + paths: + - %s/${data.container.name}.log + ''' % self.working_dir, + }, }, - }, - ) + ) + proc = self.start_beat() + self._test(container) - with open(os.path.join(self.working_dir, 'busybox.log'), 'wb') as f: - f.write(b'Busybox output 1\n') + self.wait_until(lambda: self.log_contains('Stopping runner: input')) + proc.check_kill_and_wait() - proc = self.start_beat() - docker_client.images.pull('busybox') - docker_client.containers.run('busybox', 'sleep 1') + def _test(self, container): + with open(os.path.join(self.working_dir, f'{container.name}.log'), 'wb') as f: + f.write(b'Busybox output 1\n') self.wait_until(lambda: self.log_contains('Starting runner: input')) - self.wait_until(lambda: self.log_contains('Stopping runner: input')) + self.wait_until(lambda: self.output_has(lines=1)) output = self.read_output_json() - proc.check_kill_and_wait() # Check metadata is added assert output[0]['message'] == 'Busybox output 1' - assert output[0]['container']['image']['name'] == 'busybox' - assert output[0]['docker']['container']['labels'] == {} + assert output[0]['container']['name'] == container.name + assert output[0]['docker']['container']['labels'] == container.labels assert 'name' in output[0]['container'] self.assert_fields_are_documented(output[0]) + + @contextmanager + def container_running(self, image_name='busybox:latest'): + docker_client = 
docker.from_env() + container = docker_client.containers.run(image_name, 'sleep 60', detach=True, remove=True) + yield container + container.remove(force=True) diff --git a/generator/Jenkinsfile.yml b/generator/Jenkinsfile.yml new file mode 100644 index 00000000000..071d24858bb --- /dev/null +++ b/generator/Jenkinsfile.yml @@ -0,0 +1,43 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^generator/.*" + - "#generator/common/beatgen" ## special token regarding the project dependency + - "#metricbeat/beater" ## special token regarding the project dependency + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test generator" + labels: ## when PR labels matches any of those entries + - "generator" + parameters: ## when parameter was selected in the UI. + - "generator" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + metricbeat-test: + make: "make -C generator/_templates/metricbeat test test-package" + beat-test: + make: "make -C generator/_templates/beat test test-package" + macos-metricbeat: + make: "make -C generator/_templates/metricbeat test" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test generator for macos" + labels: + - "macOS" + parameters: + - "macosTest" + macos-beat: + make: "make -C generator/_templates/beat test" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test generator for macos" + labels: + - "macOS" + parameters: + - "macosTest" diff --git a/heartbeat/Jenkinsfile.yml b/heartbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..b8668715c3c --- /dev/null 
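Review bot: `container_running()` yields outside a `try`/`finally`, so when `render_config_template` or `_test()` raises, `container.remove(force=True)` never runs and the `sleep 60` container lingers until its auto-removal; the body should be `try:` / `yield container` / `finally: container.remove(force=True)`. Because the container is started with `remove=True`, a test that outlives the 60-second sleep will find it already gone and `remove(force=True)` raises `docker.errors.NotFound`, masking the real failure; either catch that in the `finally` or start the container without `remove=True` so the explicit removal is the only one. test_docker in the previous hunk uses the same context manager and inherits both issues.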
+++ b/heartbeat/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^heartbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test heartbeat" + labels: ## when PR labels matches any of those entries + - "heartbeat" + parameters: ## when parameter was selected in the UI. + - "heartbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test heartbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/journalbeat/Jenkinsfile.yml b/journalbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..12bb63f4cc6 --- /dev/null +++ b/journalbeat/Jenkinsfile.yml @@ -0,0 +1,17 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^journalbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test journalbeat" + labels: ## when PR labels matches any of those entries + - "journalbeat" + parameters: ## when parameter was selected in the UI. + - "journalbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + unitTest: + mage: "mage build unitTest" 
diff --git a/libbeat/Jenkinsfile.yml b/libbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..64a43269b13 --- /dev/null +++ b/libbeat/Jenkinsfile.yml @@ -0,0 +1,20 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test libbeat" + labels: ## when PR labels matches any of those entries + - "libbeat" + parameters: ## when parameter was selected in the UI. + - "libbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + crosscompile: + make: "make -C libbeat crosscompile" + stress-tests: + make: "make STRESS_TEST_OPTIONS='-timeout=20m -race -v -parallel 1' -C libbeat stress-tests" diff --git a/metricbeat/Jenkinsfile.yml b/metricbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..1219a27af77 --- /dev/null +++ b/metricbeat/Jenkinsfile.yml 
@@ -0,0 +1,40 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^metricbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test metricbeat" + labels: ## when PR labels matches any of those entries + - "metricbeat" + parameters: ## when parameter was selected in the UI. + - "metricbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + unitTest: + mage: "mage build unitTest" + goIntegTest: + mage: "mage goIntegTest" + withModule: true + pythonIntegTest: + mage: "mage pythonIntegTest" + withModule: true + crosscompile: + make: "make -C metricbeat crosscompile" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test metricbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/metricbeat/docs/modules/aws/lambda.asciidoc b/metricbeat/docs/modules/aws/lambda.asciidoc index 5e31c8fdc56..202820844ad 100644 --- a/metricbeat/docs/modules/aws/lambda.asciidoc +++ b/metricbeat/docs/modules/aws/lambda.asciidoc @@ -6,8 +6,6 @@ This file is generated! See scripts/mage/docs_collector.go [role="xpack"] === AWS lambda metricset -beta[] - include::../../../../x-pack/metricbeat/module/aws/lambda/_meta/docs.asciidoc[] This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc index bfe9052b8e6..2232cf3b070 100644 --- a/metricbeat/docs/modules_list.asciidoc 
+++ b/metricbeat/docs/modules_list.asciidoc @@ -22,7 +22,7 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |<> -|<> beta[] +|<> |<> beta[] |<> |<> diff --git a/packetbeat/Jenkinsfile.yml b/packetbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..416e69a203b --- /dev/null +++ b/packetbeat/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^packetbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test packetbeat" + labels: ## when PR labels matches any of those entries + - "packetbeat" + parameters: ## when parameter was selected in the UI. + - "packetbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test packetbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/winlogbeat/Jenkinsfile.yml b/winlogbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..74eb55586d0 --- /dev/null +++ b/winlogbeat/Jenkinsfile.yml 
@@ -0,0 +1,21 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^winlogbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test winlogbeat" + labels: ## when PR labels matches any of those entries + - "winlogbeat" + parameters: ## when parameter was selected in the UI. + - "winlogbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + crosscompile: + make: "make -C winlogbeat crosscompile" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/auditbeat/Jenkinsfile.yml b/x-pack/auditbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..86f0832d3f2 --- /dev/null +++ b/x-pack/auditbeat/Jenkinsfile.yml 
@@ -0,0 +1,33 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/auditbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test auditbeat" + labels: ## when PR labels matches any of those entries + - "auditbeat" + parameters: ## when parameter was selected in the UI. + - "auditbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage update build test" + withModule: true ## run the ITs only if the changeset affects a specific module. + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test auditbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go index f484cbb371d..7484e6465b7 100644 --- a/x-pack/auditbeat/magefile.go +++ b/x-pack/auditbeat/magefile.go @@ -84,7 +84,7 @@ func Package() { // TestPackages tests the generated packages (i.e. file modes, owners, groups). func TestPackages() error { - return devtools.TestPackages(devtools.WithRootUserContainer()) + return devtools.TestPackages() } // Update is an alias for running fields, dashboards, config. 
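Review bot: Dropping `devtools.WithRootUserContainer()` makes TestPackages assert the default (non-root) container user for the x-pack auditbeat image, but no Dockerfile or packaging change for auditbeat is visible on this page, so the package test may now fail against an image that still runs as root; confirm the image change ships with this, as the elastic-agent changelog entry later on this page records for that beat. A one-line comment on the function would make the expectation explicit: `// The container image is expected to run as a non-root user by default.`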
@@ -132,13 +132,13 @@ var (
 "linux/386": installLinux386,
 "linux/amd64": installLinuxAMD64,
 "linux/arm64": installLinuxARM64,
- "linux/armv5": installLinuxARMLE,
- "linux/armv6": installLinuxARMLE,
+ "linux/armv5": installLinuxARMEL,
+ "linux/armv6": installLinuxARMEL,
 "linux/armv7": installLinuxARMHF,
 "linux/mips": installLinuxMIPS,
- "linux/mipsle": installLinuxMIPSLE,
- "linux/mips64le": installLinuxMIPS64LE,
- "linux/ppc64le": installLinuxPPC64LE,
+ "linux/mipsle": installLinuxMIPSEL,
+ "linux/mips64le": installLinuxMIPS64EL,
+ "linux/ppc64le": installLinuxPPC64EL,
 "linux/s390x": installLinuxS390X,
 //"linux/ppc64": installLinuxPpc64,
@@ -148,49 +148,56 @@ var (
 const (
 librpmDevPkgName = "librpm-dev"
+
+ // Dependency of librpm-dev in ARM architectures, that needs to be explicitly
+ // installed to replace other conflicting packages pre-installed in the image.
+ libicuDevPkgName = "libicu-dev"
 )
 func installLinuxAMD64() error {
- return installDependencies(librpmDevPkgName, "")
+ return installDependencies("", librpmDevPkgName)
 }
 func installLinuxARM64() error {
- return installDependencies(librpmDevPkgName+":arm64", "arm64")
+ return installDependencies("arm64", librpmDevPkgName+":arm64")
 }
 func installLinuxARMHF() error {
- return installDependencies(librpmDevPkgName+":armhf", "armhf")
+ return installDependencies("armhf", librpmDevPkgName+":armhf", libicuDevPkgName+":armhf")
 }
-func installLinuxARMLE() error {
- return installDependencies(librpmDevPkgName+":armel", "armel")
+func installLinuxARMEL() error {
+ return installDependencies("armel", librpmDevPkgName+":armel", libicuDevPkgName+":armel")
 }
 func installLinux386() error {
- return installDependencies(librpmDevPkgName+":i386", "i386")
+ return installDependencies("i386", librpmDevPkgName+":i386")
 }
 func installLinuxMIPS() error {
- return installDependencies(librpmDevPkgName+":mips", "mips")
+ return installDependencies("mips", librpmDevPkgName+":mips")
 }
-func installLinuxMIPS64LE() error {
- return installDependencies(librpmDevPkgName+":mips64el", "mips64el")
+func installLinuxMIPS64EL() error {
+ return installDependencies("mips64el", librpmDevPkgName+":mips64el")
 }
-func installLinuxMIPSLE() error {
- return installDependencies(librpmDevPkgName+":mipsel", "mipsel")
+func installLinuxMIPSEL() error {
+ return installDependencies("mispel", librpmDevPkgName+":mipsel")
 }
-func installLinuxPPC64LE() error {
- return installDependencies(librpmDevPkgName+":ppc64el", "ppc64el")
+func installLinuxPPC64EL() error {
+ return installDependencies("ppc64el", librpmDevPkgName+":ppc64el")
 }
 func installLinuxS390X() error {
- return 
installDependencies(librpmDevPkgName+":s390x", "s390x")
+ return installDependencies("s390x", librpmDevPkgName+":s390x")
 }
-func installDependencies(pkg, arch string) error {
+func installDependencies(arch string, pkgs ...string) error {
+ if len(pkgs) == 0 {
+ return nil
+ }
 if arch != "" {
 err := sh.Run("dpkg", "--add-architecture", arch)
 if err != nil {
@@ -206,5 +213,6 @@ func installDependencies(pkg, arch string) error {
 return err
 }
- return sh.Run("apt-get", "install", "-y", "--no-install-recommends", pkg)
+ args := append([]string{"install", "-y", "--no-install-recommends"}, pkgs...)
+ return sh.Run("apt-get", args...)
 }
diff --git a/x-pack/dockerlogbeat/Jenkinsfile.yml b/x-pack/dockerlogbeat/Jenkinsfile.yml
new file mode 100644
index 00000000000..703bb3d66a9
--- /dev/null
+++ b/x-pack/dockerlogbeat/Jenkinsfile.yml
@@ -0,0 +1,18 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^x-pack/dockerlogbeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@xpack" ## special token regarding the changeset for the xpack
+ comments: ## when PR comment contains any of those entries
+ - "/test x-pack/dockerlogbeat"
+ labels: ## when PR labels matches any of those entries
+ - "x-pack-dockerlogbeat"
+ parameters: ## when parameter was selected in the UI.
+ - "x-pack-dockerlogbeat"
+ tags: true ## for all the tags
+platform: "linux && ubuntu-18" ## default label for all the stages
+stages:
+ build:
+ mage: "mage build test"
+ withModule: true ## run the ITs only if the changeset affects a specific module.
diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
index d9475d35be3..c466d0c656d 100644
--- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
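Review bot: `installLinuxMIPSEL()` passes the architecture as `"mispel"` — a transposition of `"mipsel"` — so `dpkg --add-architecture mispel` registers a bogus foreign architecture and the following `apt-get install librpm-dev:mipsel` runs with no matching architecture enabled; the replaced line had it right and the new one should read `return installDependencies("mipsel", librpmDevPkgName+":mipsel")`. The reorder to `installDependencies(arch string, pkgs ...string)` means the dpkg architecture now appears as a bare literal in nine call sites and is only ever checked by apt at run time, so a single table of `arch → package suffix` that both the function name and the `:arch` suffix are derived from would leave one place to get wrong. The hunk's first line is the tail of installLinuxS390X, whose signature is on the previous source line.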
@@ -7,7 +7,11 @@ ==== Breaking changes +- Docker container is not run as root by default. {pull}21213[21213] + ==== Bugfixes +- Copy Action store on upgrade {pull}21298[21298] +- Include inputs in action store actions {pull}21298[21298] ==== New features diff --git a/x-pack/elastic-agent/Jenkinsfile.yml b/x-pack/elastic-agent/Jenkinsfile.yml new file mode 100644 index 00000000000..8f99e11da3c --- /dev/null +++ b/x-pack/elastic-agent/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/elastic-agent/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/elastic-agent" + labels: ## when PR labels matches any of those entries + - "x-pack-elastic-agent" + parameters: ## when parameter was selected in the UI. + - "x-pack-elastic-agent" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test x-pack/elastic-agent for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index ec6e76a0995..7296e8189be 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go 
@@ -81,6 +81,9 @@ type Format mg.Namespace
 // Demo runs agent out of container.
 type Demo mg.Namespace
+// Dev runs package and build for dev purposes.
+type Dev mg.Namespace
+
 // Env returns information about the environment.
 func (Prepare) Env() {
 mg.Deps(Mkdir("build"), Build.GenerateConfig)
@@ -88,6 +91,26 @@ func (Prepare) Env() {
 RunGo("env")
 }
+// Build builds the agent binary with DEV flag set.
+func (Dev) Build() {
+ dev := os.Getenv(devEnv)
+ defer os.Setenv(devEnv, dev)
+
+ os.Setenv(devEnv, "true")
+ devtools.DevBuild = true
+ mg.Deps(Build.All)
+}
+
+// Package packages the agent binary with DEV flag set.
+func (Dev) Package() {
+ dev := os.Getenv(devEnv)
+ defer os.Setenv(devEnv, dev)
+
+ os.Setenv(devEnv, "true")
+ devtools.DevBuild = true
+ Package()
+}
+
 // InstallGoLicenser install go-licenser to check license of the files.
 func (Prepare) InstallGoLicenser() error {
 return GoGet(goLicenserRepo)
@@ -313,7 +336,7 @@ func requiredPackagesPresent(basePath, beat, version string, requiredPackages []
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
- return devtools.TestPackages(devtools.WithRootUserContainer())
+ return devtools.TestPackages()
 }
 // RunGo runs go command and output the feedback to the stdout and the stderr.
diff --git a/x-pack/elastic-agent/pkg/agent/application/config.go b/x-pack/elastic-agent/pkg/agent/application/config.go
index ff15ca44074..e42f3dcab28 100644
--- a/x-pack/elastic-agent/pkg/agent/application/config.go
+++ b/x-pack/elastic-agent/pkg/agent/application/config.go
@@ -11,6 +11,7 @@ import (
 "gopkg.in/yaml.v2"
+ "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
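Review bot: `Dev.Build` and `Dev.Package` carry the same five-line environment dance, and both restore it imperfectly: `defer os.Setenv(devEnv, dev)` turns a variable that was unset into one set to the empty string, and `devtools.DevBuild = true` is never reset, so any target that runs after `dev:build` in the same mage invocation is also built as a dev build. A small helper that uses `os.LookupEnv`/`os.Unsetenv` and saves the previous `devtools.DevBuild` fixes both and leaves one place to document; if, as the run.go hunk later on this page suggests, DEV artifacts relax signature verification, the `Dev.Package` comment should also say that such packages are for local development and must not be distributed. The `withDevBuild(func() { Package() })` form below assumes `Package` is a plain `func()`, which is how this hunk calls it.

```go
// withDevBuild runs fn with the DEV environment flag and devtools.DevBuild
// enabled, restoring both afterwards so later targets in the same mage run
// do not inherit the dev configuration.
func withDevBuild(fn func()) {
	prevEnv, hadEnv := os.LookupEnv(devEnv)
	prevDevBuild := devtools.DevBuild
	defer func() {
		if hadEnv {
			os.Setenv(devEnv, prevEnv)
		} else {
			os.Unsetenv(devEnv)
		}
		devtools.DevBuild = prevDevBuild
	}()
	os.Setenv(devEnv, "true")
	devtools.DevBuild = true
	fn()
}

// Build builds the agent binary with DEV flag set.
func (Dev) Build() {
	withDevBuild(func() { mg.Deps(Build.All) })
}

// Package packages the agent binary with DEV flag set. The result is for local
// development only and must not be distributed.
func (Dev) Package() {
	withDevBuild(func() { Package() })
}
// … unchanged: InstallGoLicenser and the rest of the file …
```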
@@ -54,7 +55,10 @@ func LoadConfigFromFile(path string) (*config.Config, error) {
 //
 // This must be used to load the Agent configuration, so that variables defined in the inputs are not
 // parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler.
-func LoadConfig(m map[string]interface{}) (*config.Config, error) {
+func LoadConfig(in map[string]interface{}) (*config.Config, error) {
+ // make copy of a map so we dont affect a caller
+ m := common.MapStr(in).Clone()
+
 inputs, ok := m["inputs"]
 if ok {
 // remove the inputs
diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go
index cc27846051f..08c38aba8c5 100644
--- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go
+++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go
@@ -14,6 +14,7 @@ import (
 "gopkg.in/yaml.v2"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact"
@@ -78,6 +79,10 @@ func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error
 return errors.New("upgrading to same version")
 }
+ if err := copyActionStore(newHash); err != nil {
+ return errors.New(err, "failed to copy action store")
+ }
+
 if err := u.changeSymlink(ctx, newHash); err != nil {
 rollbackInstall(newHash)
 return err
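Review bot: The new comment `// make copy of a map so we dont affect a caller` would read better as `// Work on a copy so the caller's map is not mutated by the inputs removal below.`, and it slightly overstates the copy: as far as I recall `common.MapStr.Clone()` deep-copies nested maps but leaves slice values such as the `inputs` list shared with the caller, which is harmless for the `delete` that follows but matters if the inputs are ever edited in place. LoadConfig's body continues outside the hunk.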
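Review bot: When `copyActionStore(newHash)` fails, Upgrade returns without `rollbackInstall(newHash)`, whereas the `changeSymlink` failure directly below it rolls back, so the unpacked new-version directory is left on disk after a failed copy. Mirror the existing pattern: `if err := copyActionStore(newHash); err != nil {` / `rollbackInstall(newHash)` / `return errors.New(err, "failed to copy action store") }`. Upgrade's body starts and ends outside this hunk.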
@@ -137,3 +142,21 @@ func isSubdir(base, target string) (bool, error) {
 func rollbackInstall(hash string) {
 os.RemoveAll(filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash)))
 }
+
+func copyActionStore(newHash string) error {
+ currentActionStorePath := info.AgentActionStoreFile()
+
+ newHome := filepath.Join(filepath.Dir(paths.Home()), fmt.Sprintf("%s-%s", agentName, newHash))
+ newActionStorePath := filepath.Join(newHome, filepath.Base(currentActionStorePath))
+
+ currentActionStore, err := ioutil.ReadFile(currentActionStorePath)
+ if os.IsNotExist(err) {
+ // nothing to copy
+ return nil
+ }
+ if err != nil {
+ return err
+ }
+
+ return ioutil.WriteFile(newActionStorePath, currentActionStore, 0600)
+}
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go
index a7b56a664ba..77beeb6fe1a 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/run.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go
@@ -23,6 +23,7 @@ import (
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release"
 )
 func newRunCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command {
@@ -82,6 +83,10 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark se
 return err
 }
+ if allowEmptyPgp, _ := release.PGP(); allowEmptyPgp {
+ logger.Warn("Artifact has been build with security disabled. Elastic Agent will not verify signatures of used artifacts.")
+ }
+
 execPath, err := os.Executable()
 if err != nil {
 return err
diff --git a/x-pack/filebeat/Jenkinsfile.yml b/x-pack/filebeat/Jenkinsfile.yml
new file mode 100644
index 00000000000..d3d5e6d862e
--- /dev/null
+++ b/x-pack/filebeat/Jenkinsfile.yml
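Review bot: copyActionStore derives the new install directory as `filepath.Join(filepath.Dir(paths.Home()), "<agentName>-<newHash>")` while `rollbackInstall`, two lines above in the same hunk, removes `filepath.Join(paths.Data(), "<agentName>-<newHash>")`; unless `paths.Home()` is always a direct child of `paths.Data()`, the store is written to a directory the rollback never cleans up, so both should use one `installDir(hash string) string` helper. `ioutil.WriteFile` also truncates before writing, so a crash mid-copy leaves a truncated action store in the new home; writing to a temporary file in `newHome` and renaming into place keeps the copy all-or-nothing, and the `0600` mode should be retained on that file since, per the changelog entry on this page, stored actions now include inputs. A doc comment stating that a missing current store is not an error (the `os.IsNotExist` branch) would also help: `// copyActionStore carries the current action store into the new version's home; a missing store is not an error.`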
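Review bot: The warning text has a grammatical slip — `has been build` should be `has been built` — and since this line is the only signal an operator gets that artifact signatures are not being verified, it should name the condition it detected: `logger.Warn("Artifact has been built with an empty PGP key (security disabled). Elastic Agent will not verify signatures of used artifacts.")`. The second return value of `release.PGP()` is discarded with `_`; a short comment saying why only the allow-empty flag matters here would help the next reader. run's body starts and ends outside this hunk.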
@@ -0,0 +1,33 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/filebeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/filebeat" + labels: ## when PR labels matches any of those entries + - "x-pack-filebeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-filebeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + withModule: true ## run the ITs only if the changeset affects a specific module. + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test x-pack/filebeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index c93494c2dbb..cdafe4ebde0 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml index 67018925f0f..2ae84bd17e5 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ if: ctx?.url?.domain != null && ctx?.url?.domain != ""
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ if: ctx?.server?.domain != null && ctx?.url?.domain != ""
+ allow_duplicates: false
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json
index 247344bdbfe..ff70486fab5 100644
--- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json
@@ -46,6 +46,9 @@
 "observer.product": "Spam",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Barracuda",
+ "related.hosts": [
+ "etdo"
+ ],
 "related.ip": [
 "10.173.228.223"
 ],
@@ -256,6 +259,9 @@
 "observer.product": "Spam",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Barracuda",
+ "related.hosts": [
+ "tempor"
+ ],
 "related.ip": [
 "10.138.137.28"
 ],
@@ -296,6 +302,9 @@
 "observer.product": "Spam",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Barracuda",
+ "related.hosts": [
+ "ari"
+ ],
 "related.ip": [
 "10.108.180.105"
 ],
@@ -422,6 +431,9 @@
 "observer.product": "Spam",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Barracuda",
+ "related.hosts": [
+ "aveniam"
+ ],
 "related.ip": [
 "10.82.201.113"
 ],
@@ -484,8 +496,8 @@
 "observer.type": "Anti-Virus",
 "observer.vendor": "Barracuda",
 "related.ip": [
- "10.110.109.5",
- "10.18.165.35"
+ "10.18.165.35",
+ "10.110.109.5"
 ],
 "rsa.internal.messageid": "outbound/smtp",
 "rsa.investigations.event_cat": 1901000000,
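Review bot: The second `append` processor's condition tests the wrong field: it guards on `ctx?.server?.domain != null` but then checks `ctx?.url?.domain != ""`, so an empty `server.domain` is still appended to `related.hosts` whenever `url.domain` is non-empty, and a real `server.domain` is skipped whenever `url.domain` is empty. The line should be `if: ctx?.server?.domain != null && ctx?.server?.domain != ""`. The bluecoat director pipeline later on this page uses the same `append` shape with a consistent condition and can serve as the reference.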
@@ -518,6 +530,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "dolore" + ], "related.ip": [ "10.195.109.134" ], @@ -857,6 +872,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "hitect", + "lit5929.test" + ], "related.ip": [ "10.198.6.166" ], @@ -937,6 +956,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "equat", + "uptat3156.www5.test" + ], "related.ip": [ "10.77.137.72" ], @@ -980,6 +1003,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "vitaedi", + "neav6028.internal.domain" + ], "related.ip": [ "10.128.114.77" ], @@ -1225,6 +1252,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "olupta" + ], "related.ip": [ "10.98.92.244" ], @@ -1423,6 +1453,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "tquov" + ], "related.ip": [ "10.211.93.62" ], @@ -1480,6 +1513,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "qui" + ], "related.ip": [ "10.199.182.123" ], @@ -1824,6 +1860,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "aveni", + "oremagna3521.mail.home" + ], "related.ip": [ "10.29.155.171" ], @@ -2509,6 +2549,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "obeataev" + ], "related.ip": [ "10.139.127.232" ], @@ -2550,6 +2593,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "inv" + ], "related.ip": [ "10.163.209.70" ], 
@@ -2719,6 +2765,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "eritatis" + ], "related.ip": [ "10.209.184.60" ], @@ -2818,6 +2867,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "plic" + ], "related.ip": [ "10.17.87.79" ], @@ -2933,6 +2985,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "taedi" + ], "related.ip": [ "10.17.98.243" ], @@ -3209,6 +3264,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "der", + "piciatis2460.api.host" + ], "related.ip": [ "10.77.182.191" ], @@ -3251,6 +3310,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "iame" + ], "related.ip": [ "10.193.110.71" ], diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index 30e0d5f2745..d90859f5f61 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index 7fc587fb028..3e7d940acf9 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml index 9d462241ae8..97fbbb72c92 100644 --- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json index 94a001da91a..1d0de305beb 100644 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json @@ -247,6 +247,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "seq3874.mail.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.change_new": "fug", "rsa.misc.change_old": "quid", @@ -988,6 +991,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "elitse6672.internal.localdomain" + ], "rsa.db.index": "mquisno", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1218,6 +1224,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "itation4168.api.domain" + ], "rsa.db.index": "dipisci", "rsa.internal.event_desc": "This file is automatically generated", "rsa.internal.messageid": "configd", @@ -1569,6 +1578,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "sBonor2001.www5.example" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "medium", 
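Review bot: The added append's condition mixes null-safe and plain access, `ctx?.host?.name != null && ctx.host?.name != ''`; the second term is safe after the first null check, but one form throughout reads more clearly, e.g. `if: ctx?.host?.name != null && ctx?.host?.name != ''`. The equivalent `related.hosts` appends in the other pipeline hunk in this chunk quote the empty string as `""` and list `if` before `allow_duplicates`, so aligning the two would make these generated pipelines easier to compare side by side. The processor list continues outside the hunk.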
@@ -1639,6 +1651,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "ersp6625.internal.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "high", @@ -1754,6 +1769,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "eleumiu2454.api.local" + ], "rsa.db.index": "tat", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1866,6 +1884,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.db.index": "orumSe", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 0cffa76a01f..b5271fe8598 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,4 +23,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 8d8b28fe30f..73d42d43af7 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -40,6 +40,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -95,6 +98,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" 
@@ -140,6 +146,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -184,6 +193,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2" ], @@ -223,6 +235,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2" ], @@ -265,6 +280,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -317,6 +335,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -370,6 +391,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.192.18.4", "10.192.70.66" @@ -415,6 +439,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -463,6 +490,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.192.18.4" @@ -501,6 +531,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -536,6 +569,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", 
@@ -574,6 +610,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -615,6 +654,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10" ], @@ -657,6 +699,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10" ], @@ -699,6 +744,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.192.46.90", "10.10.10.10" @@ -743,6 +791,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -796,6 +847,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -850,6 +904,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -902,6 +959,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -949,6 +1009,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -995,6 +1058,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" 
@@ -1043,6 +1109,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1105,6 +1174,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.186.2.2" @@ -1159,6 +1231,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1214,6 +1289,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1265,6 +1343,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1311,6 +1392,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1358,6 +1442,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1403,6 +1490,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1448,6 +1538,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1493,6 +1586,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" 
@@ -1531,6 +1627,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1562,6 +1661,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1595,6 +1697,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1628,6 +1733,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1671,6 +1779,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1721,6 +1832,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1759,6 +1873,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1790,6 +1907,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1828,6 +1948,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1866,6 +1989,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", 
@@ -1897,6 +2023,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1939,6 +2068,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "10.10.10.10" @@ -1983,6 +2115,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2025,6 +2160,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "10.10.10.10" @@ -2072,6 +2210,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -2114,6 +2255,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2156,6 +2300,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2198,6 +2345,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2240,6 +2390,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2302,6 +2455,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "1.2.3.4", "2.3.4.5" 
@@ -2359,6 +2515,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.2", "192.168.2.2" @@ -2418,6 +2577,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "somedomainname.local" + ], "related.ip": [ "195.122.12.242" ], @@ -2456,6 +2619,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "console" + ], "service.type": "cisco", "source.address": "console", "source.domain": "console", @@ -2491,6 +2658,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2530,6 +2700,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2568,6 +2741,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.1.212", "10.10.1.254" @@ -2609,6 +2785,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2652,6 +2831,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87", "10.10.1.254" @@ -2693,6 +2875,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2729,6 +2914,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178" ], 
@@ -2789,6 +2977,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178" ], @@ -2826,6 +3017,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "8.8.8.8" ], @@ -2869,6 +3063,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "8.8.8.8" ], @@ -2928,6 +3125,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "104.46.88.19", "195.74.114.34" diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 90ec4ed3a8f..94f2b616d27 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -40,6 +40,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -89,6 +92,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -187,6 +193,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -229,6 +238,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -274,6 +286,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "fe80::1ff:fe23:4567:890a" ], diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 18ea450c55f..ea4dcecdef3 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -37,6 +37,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -94,6 +97,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.104", "172.31.98.44" @@ -151,6 +157,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -208,6 +217,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -265,6 +277,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -322,6 +337,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -379,6 +397,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -436,6 +457,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" 
@@ -493,6 +517,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" @@ -550,6 +577,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -607,6 +637,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -664,6 +697,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -721,6 +757,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -778,6 +817,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -835,6 +877,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -892,6 +937,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -949,6 +997,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -1006,6 +1057,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" 
@@ -1063,6 +1117,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" @@ -1114,6 +1171,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1171,6 +1231,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1228,6 +1291,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1285,6 +1351,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1342,6 +1411,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1393,6 +1465,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1450,6 +1525,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1501,6 +1579,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1558,6 +1639,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" 
@@ -1615,6 +1699,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1672,6 +1759,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1729,6 +1819,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1786,6 +1879,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1837,6 +1933,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1894,6 +1993,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.225.103", "172.31.98.44" @@ -1945,6 +2047,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2002,6 +2107,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2059,6 +2167,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2116,6 +2227,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" 
@@ -2173,6 +2287,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2224,6 +2341,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2281,6 +2401,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.179.219", "172.31.98.44" @@ -2338,6 +2461,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2395,6 +2521,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2452,6 +2581,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2509,6 +2641,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2560,6 +2695,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2617,6 +2755,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2674,6 +2815,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" 
@@ -2731,6 +2875,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2788,6 +2935,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2845,6 +2995,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2896,6 +3049,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2953,6 +3109,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3004,6 +3163,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3061,6 +3223,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3112,6 +3277,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3169,6 +3337,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3226,6 +3397,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" 
@@ -3283,6 +3457,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3334,6 +3511,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3391,6 +3571,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3442,6 +3625,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3499,6 +3685,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3556,6 +3745,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3613,6 +3805,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3664,6 +3859,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3721,6 +3919,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3778,6 +3979,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" 
@@ -3829,6 +4033,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3886,6 +4093,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.192.44", "172.31.98.44" @@ -3928,6 +4138,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3972,6 +4185,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4029,6 +4245,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4071,6 +4290,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4106,6 +4328,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4141,6 +4366,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4176,6 +4404,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4211,6 +4442,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", 
@@ -4246,6 +4480,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4296,6 +4533,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4353,6 +4593,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4404,6 +4647,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4461,6 +4707,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4515,6 +4764,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4569,6 +4821,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4623,6 +4878,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4677,6 +4935,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4731,6 +4992,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" 
@@ -4785,6 +5049,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4839,6 +5106,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4893,6 +5163,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4947,6 +5220,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5001,6 +5277,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5055,6 +5334,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5109,6 +5391,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5163,6 +5448,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5214,6 +5502,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5271,6 +5562,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.99", "172.31.98.44" 
@@ -5322,6 +5616,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5379,6 +5676,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.14.30", "172.31.98.44" diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index e0c78694ae9..948f6c85ab4 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -26,6 +26,9 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -69,6 +72,9 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "10.13.12.11", "192.168.33.12" diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 7d010afe62c..70df45cbf91 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -31,6 +31,11 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "target.destination.hostname.local", + "Prod-host.name.addr" + ], "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", @@ -73,6 +78,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "MYHOSTNAME" + ], "related.ip": [ "192.0.2.134", "192.0.2.15" 
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 74097780ab2..85bfef8b52a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -36,6 +36,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], @@ -82,6 +85,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -140,6 +146,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index d27f89ab5b9..fcf7d339222 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -189,6 +189,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -241,6 +244,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -700,6 +706,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -2154,6 +2163,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], 
@@ -2207,6 +2219,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2772,6 +2787,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2817,6 +2835,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2862,6 +2883,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2907,6 +2931,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2952,6 +2979,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2997,6 +3027,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -3042,6 +3075,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3087,6 +3123,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3138,6 +3177,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" 
@@ -3186,6 +3228,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], @@ -3285,6 +3330,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index a505d3030eb..4892400a8b9 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 21dc57d3315..72b115c6975 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -41,6 +41,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -91,6 +94,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -191,6 +197,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -234,6 +243,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index b1b3a633ad1..70e87e332d9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -36,6 +36,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -92,6 +95,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.104", "172.31.98.44" @@ -148,6 +154,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -204,6 +213,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -260,6 +272,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -316,6 +331,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -372,6 +390,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -428,6 +449,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" @@ -484,6 +508,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" 
@@ -540,6 +567,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -596,6 +626,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -652,6 +685,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -708,6 +744,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -764,6 +803,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -820,6 +862,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -876,6 +921,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -932,6 +980,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -988,6 +1039,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" @@ -1044,6 +1098,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" 
@@ -1094,6 +1151,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1150,6 +1210,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1206,6 +1269,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1262,6 +1328,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1318,6 +1387,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1368,6 +1440,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1424,6 +1499,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1474,6 +1552,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1530,6 +1611,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1586,6 +1670,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" 
@@ -1642,6 +1729,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1698,6 +1788,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1754,6 +1847,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1804,6 +1900,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1860,6 +1959,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.225.103", "172.31.98.44" @@ -1910,6 +2012,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1966,6 +2071,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2022,6 +2130,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2078,6 +2189,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2134,6 +2248,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" 
@@ -2184,6 +2301,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2240,6 +2360,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.179.219", "172.31.98.44" @@ -2296,6 +2419,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2352,6 +2478,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2408,6 +2537,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2464,6 +2596,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2514,6 +2649,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2570,6 +2708,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2626,6 +2767,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2682,6 +2826,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" 
@@ -2738,6 +2885,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2794,6 +2944,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2844,6 +2997,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2900,6 +3056,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -2950,6 +3109,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3006,6 +3168,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3056,6 +3221,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3112,6 +3280,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3168,6 +3339,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3224,6 +3398,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" 
@@ -3274,6 +3451,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3330,6 +3510,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3380,6 +3563,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3436,6 +3622,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3492,6 +3681,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3548,6 +3740,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3598,6 +3793,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3654,6 +3852,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3710,6 +3911,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3760,6 +3964,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -3816,6 +4023,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.192.44", "172.31.98.44" @@ -3857,6 +4067,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -3900,6 +4113,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -3956,6 +4172,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -3997,6 +4216,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4031,6 +4253,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4065,6 +4290,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4099,6 +4327,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4133,6 +4364,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4167,6 +4401,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", 
@@ -4216,6 +4453,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4272,6 +4512,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4322,6 +4565,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4378,6 +4624,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4431,6 +4680,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4484,6 +4736,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4537,6 +4792,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4590,6 +4848,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4643,6 +4904,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4696,6 +4960,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" 
@@ -4749,6 +5016,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4802,6 +5072,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4855,6 +5128,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4908,6 +5184,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4961,6 +5240,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5014,6 +5296,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5067,6 +5352,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5117,6 +5405,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5173,6 +5464,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.99", "172.31.98.44" @@ -5223,6 +5517,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -5279,6 +5576,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.14.30", "172.31.98.44" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index ae2b729ada8..37efb99f483 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -82,6 +82,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -187,6 +190,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -290,6 +296,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -395,6 +404,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -499,6 +511,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -602,6 +617,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -708,6 +726,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -811,6 +832,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -915,6 +939,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1020,6 +1047,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1126,6 +1156,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "205.251.196.144" @@ -1225,6 +1258,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1329,6 +1365,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1432,6 +1471,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1536,6 +1578,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1641,6 +1686,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1744,6 +1792,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1847,6 +1898,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1950,6 +2004,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2051,6 +2108,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2156,6 +2216,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 2364b5ed1a1..6e77e652aff 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -27,6 +27,9 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 83616ceec8b..681c8052cb0 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -62,6 +62,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -144,6 +147,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -222,6 +228,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" 
@@ -300,6 +309,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index e2939392ef5..b204f179fa3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -37,6 +37,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "10.1.123.45", "10.8.12.47" @@ -81,6 +84,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -120,6 +126,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -171,6 +180,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "127.0.0.1", "192.168.3.33" diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 90fd65d46cd..cc0af87b551 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -35,6 +35,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], @@ -80,6 +83,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" 
@@ -137,6 +143,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 371218e511b..592e7ae85e9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -185,6 +185,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -236,6 +239,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -686,6 +692,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -1959,6 +1968,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.77.12", "10.0.13.13" @@ -2010,6 +2022,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -2061,6 +2076,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -2115,6 +2133,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], 
@@ -2168,6 +2190,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2221,6 +2247,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2275,6 +2304,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -2329,6 +2361,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -2375,6 +2410,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2421,6 +2459,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2472,6 +2513,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.34", "192.0.0.12" @@ -2526,6 +2570,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2580,6 +2627,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2634,6 +2684,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "10.10.10.10" 
@@ -2731,6 +2784,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2775,6 +2831,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2819,6 +2878,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2863,6 +2925,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2907,6 +2972,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2951,6 +3019,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2995,6 +3066,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3039,6 +3113,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3089,6 +3166,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -3136,6 +3216,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], 
@@ -3233,6 +3316,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 7d48283bdaa..3cef5df9a0f 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -65,6 +65,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -154,6 +157,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -251,6 +257,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -355,6 +364,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -447,6 +459,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -557,6 +572,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -652,6 +670,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" 
@@ -758,6 +779,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -843,6 +867,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -941,6 +968,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index c9105b957ab..8ab3e55fc87 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -51,6 +51,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -122,6 +125,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -193,6 +199,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -264,6 +273,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -344,6 +356,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -424,6 +439,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -508,6 +526,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -600,6 +621,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -683,6 +707,9 @@ "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -776,6 +803,9 @@ "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "18.197.225.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 2fe9194946a..73ab6378da1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -86,6 +86,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "Alerts", + "related.hosts": [ + "CISCO-SENSOR-3D" + ], "related.ip": [ "3.3.3.3", "2.2.2.2" diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 2ed8ae959c2..e3e336cbe03 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: cisco_ios 
diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml index ccc2cd1a6af..be15aeb075c 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/input.yml +++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml index 6172ce75db7..cf0d61d1a52 100644 --- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + if: ctx.host?.name != null + allow_duplicates: false + - append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index f8677343c20..beeffa9b5eb 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.44.253", - "10.193.124.51" + "10.193.124.51", + "10.15.44.253" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -57,8 +57,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.16.212", - "10.102.218.31" + "10.102.218.31", + "10.15.16.212" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", 
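Review bot: In the meraki pipeline hunk, the first new `append` guards only on `ctx.host?.name != null`, so an empty-string `host.name` still lands in `related.hosts` as `""`, whereas the sibling `host.hostname` append right below it (and the identical pair added to the nexus pipeline in this same change) also rejects `''`. Make the condition match its siblings: `if: ctx.host?.name != null && ctx.host?.name != ''`. The `processors` list continues outside the hunk.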
@@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.53.150.119", - "10.85.10.165" + "10.85.10.165", + "10.53.150.119" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -557,8 +557,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.187.77.245", - "10.88.231.224" + "10.88.231.224", + "10.187.77.245" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -692,8 +692,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.182.178.217", - "10.63.194.87" + "10.63.194.87", + "10.182.178.217" ], "rsa.counters.dclass_r1": "fdeFi", "rsa.internal.messageid": "events", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.93.68.231", - "10.135.217.12" + "10.135.217.12", + "10.93.68.231" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1025,8 +1025,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.173.136.186", - "10.221.102.245" + "10.221.102.245", + "10.173.136.186" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1100,8 +1100,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.93.20", - "10.147.76.202" + "10.147.76.202", + "10.163.93.20" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.0.200.27", - "10.183.44.198" + "10.183.44.198", + "10.0.200.27" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.242.77.170", - "10.150.245.88" + "10.150.245.88", + "10.242.77.170" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.219.34", - "10.179.40.170" + "10.179.40.170", + "10.193.219.34" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.90.99.245", - "10.124.63.4" + "10.124.63.4", + "10.90.99.245" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1791,6 +1791,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "remips188.api.invalid" + ], "related.ip": [ "10.40.101.224", "10.78.199.43" @@ -1864,8 +1867,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.39.172.93", - "10.83.131.245" + "10.83.131.245", + "10.39.172.93" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -2008,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.97.46.16", - "10.120.4.9" + "10.120.4.9", + "10.97.46.16" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -2077,9 +2080,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "uames4985.mail.localdomain" + ], "related.ip": [ - "10.144.57.239", - "10.150.163.151" + "10.150.163.151", + "10.144.57.239" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2246,8 +2252,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.49.129", - "10.2.110.73" + "10.2.110.73", + "10.103.49.129" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2323,9 +2329,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "lors2232.api.example" + ], "related.ip": [ - "10.105.136.146", - "10.46.217.155" + "10.46.217.155", + "10.105.136.146" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2428,8 +2437,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.16.230.121", - "10.196.176.243" + "10.196.176.243", + "10.16.230.121" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2471,8 +2480,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.34.62.190", - "10.246.152.72" + "10.246.152.72", + "10.34.62.190" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2710,8 +2719,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.91.159", - "10.199.19.205" + "10.199.19.205", + "10.103.91.159" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2749,8 +2758,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.17.111.91", - "10.65.0.157" + "10.65.0.157", + "10.17.111.91" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", 
@@ -3018,8 +3027,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.254.96.130", - "10.247.118.132" + "10.247.118.132", + "10.254.96.130" ], "rsa.counters.dclass_r1": "ectet", "rsa.internal.messageid": "events", @@ -3058,8 +3067,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.101.13.122", - "10.200.98.243" + "10.200.98.243", + "10.101.13.122" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", @@ -3321,8 +3330,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.59.172", - "10.75.122.111" + "10.75.122.111", + "10.85.59.172" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml index 5608926d955..747a6cf0085 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/input.yml +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml index ae975fb7e86..b85ab503dda 100644 --- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + if: ctx.host?.name != null && ctx.host?.name != '' + allow_duplicates: false + - append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false on_failure: - append: field: error.message 
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 7671bb649b9..c828c45250a 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1547,6 +1547,26 @@ processors: field: related.hash value: "{{file.hash.sha256}}" if: "ctx?.file?.hash?.sha256 != null" + - append: + field: related.hosts + value: "{{host.hostname}}" + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{observer.hostname}}" + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.domain}}" + if: ctx.destination?.domain != null && ctx.destination?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{source.domain}}" + if: ctx.source?.domain != null && ctx.source?.domain != '' + allow_duplicates: false on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. diff --git a/x-pack/filebeat/module/citrix/netscaler/config/input.yml b/x-pack/filebeat/module/citrix/netscaler/config/input.yml index 1226056cf17..42bba0c0995 100644 --- a/x-pack/filebeat/module/citrix/netscaler/config/input.yml +++ b/x-pack/filebeat/module/citrix/netscaler/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml index 51c9ebaf329..a2f7da6f2a0 100644 --- a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml +++ b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml 
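Review bot: The new `host.hostname` / `observer.hostname` appends forward whatever the device reported as its name, and the regenerated fixtures show this includes IP literals — sample.log-expected.json in this diff now lists `127.0.0.1` under `related.hosts` — so analysts pivoting on `related.hosts` will get addresses that belong in `related.ip`. Consider skipping values that parse as an IP before appending (a Painless check in the `if`, or normalizing the hostname earlier in the pipeline); I have not verified which upstream step sets the hostname for those events, so the right place for the guard may differ. The `processors` list starts and ends outside the hunk.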
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index 861edae9b88..cb772d91268 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -144,8 +144,8 @@ "rsa.db.index": "undeo", "rsa.internal.messageid": "APPFW_COOKIE", "rsa.misc.action": [ - "cancel", - "iumto" + "iumto", + "cancel" ], "rsa.misc.policy_name": "isqu", "rsa.misc.rule": "uaera", @@ -186,8 +186,8 @@ "related.ip": [ "10.96.119.12", "10.21.92.218", - "10.109.68.21", "10.83.234.60", + "10.109.68.21", "10.156.210.168" ], "related.user": [ @@ -570,6 +570,9 @@ "observer.product": "Netscaler", "observer.type": "Firewall", "observer.vendor": "Citrix", + "related.hosts": [ + "tor4410.api.localhost" + ], "related.ip": [ "10.206.87.219" ], @@ -808,8 +811,8 @@ "rsa.db.index": "uidol", "rsa.internal.messageid": "APPFW_COOKIE", "rsa.misc.action": [ - "cancel", - "tincu" + "tincu", + "cancel" ], "rsa.misc.policy_name": "aec", "rsa.misc.rule": "rQu", @@ -989,8 +992,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.248.165.185", - "10.32.39.220" + "10.32.39.220", + "10.248.165.185" ], "related.user": [ "exeaco" @@ -1025,9 +1028,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.197.6.245", "10.81.45.174", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ "agnaaliq" 
@@ -1454,8 +1457,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.101.172.233", - "10.211.163.7" + "10.211.163.7", + "10.101.172.233" ], "related.user": [ "est" @@ -1884,8 +1887,8 @@ "rsa.db.index": "orem", "rsa.internal.messageid": "APPFW_FIELDCONSISTENCY", "rsa.misc.action": [ - "tesse", - "allow" + "allow", + "tesse" ], "rsa.misc.policy_name": "rsi", "rsa.misc.rule": "ntutlab", @@ -2081,9 +2084,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.80.5.101", + "10.225.146.5", "10.41.65.89", - "10.225.146.5" + "10.80.5.101" ], "related.user": [ "picia" @@ -2475,8 +2478,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.187.86.64", - "10.197.128.162" + "10.197.128.162", + "10.187.86.64" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2544,8 +2547,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.204.20.8", - "10.43.239.97" + "10.43.239.97", + "10.204.20.8" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2581,11 +2584,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.8.82.22", + "10.148.244.55", "10.133.153.174", - "10.76.129.136", + "10.8.82.22", "10.113.135.78", - "10.148.244.55" + "10.76.129.136" ], "related.user": [ "asiar" @@ -2697,8 +2700,8 @@ "rsa.db.index": "iat", "rsa.internal.messageid": "AF_MALFORMED_REQ_ERR", "rsa.misc.action": [ - "ati", - "block" + "block", + "ati" ], "rsa.misc.policy_name": "llu", "rsa.misc.rule": "etd", @@ -2730,9 +2733,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.213.112.186", "10.215.229.78", - "10.67.233.159" + "10.67.233.159", + "10.213.112.186" ], "related.user": [ "emquiav" 
@@ -2842,8 +2845,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.96.104.212", - "10.73.45.19" + "10.73.45.19", + "10.96.104.212" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -3032,6 +3035,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "observer.version": "1.897", + "related.hosts": [ + "hend1170.www5.lan" + ], "related.ip": [ "10.111.22.134" ], diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml index 4a0d6359c63..4b34d80711b 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml +++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml index dafb265af35..ffe90e79f85 100644 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname server.domain}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index 2df25e0b1fe..2bf31b06a52 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json 
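Review bot: In the cyberark/corepas pipeline hunk the first new `append` uses `value: '{{host.hostname server.domain}}'` — the template tag holds two field names separated by a space, so it will not render `host.hostname` the way its `if` condition intends, and `server.domain` is already handled by the second processor. Change it to `value: '{{host.hostname}}'`. If the template is accepted rather than rejected at pipeline load, the single values in the updated expected JSON (e.g. `iatnu3810.mail.localdomain`) may be coming from the `server.domain` append alone, which would mask the bug; worth checking with an event that sets both fields. The `processors` list continues outside the hunk.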
@@ -20,8 +20,8 @@ "10.208.15.216" ], "related.user": [ - "itv", "quasiarc", + "itv", "utl" ], "rsa.db.index": "nes", @@ -63,9 +63,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.259", + "related.hosts": [ + "iatnu3810.mail.localdomain" + ], "related.ip": [ - "10.175.75.18", - "10.92.136.230" + "10.92.136.230", + "10.175.75.18" ], "related.user": [ "nnumqu", @@ -123,13 +126,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7269", + "related.hosts": [ + "anti4454.api.example" + ], "related.ip": [ "10.51.132.10", "10.46.185.46" ], "related.user": [ - "nse", "incid", + "nse", "serror" ], "rsa.db.database": "byC", @@ -183,14 +189,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6713", + "related.hosts": [ + "uam6303.api.lan" + ], "related.ip": [ "10.155.236.240", "10.53.192.140" ], "related.user": [ - "atcup", "psumquia", - "ptass" + "ptass", + "atcup" ], "rsa.db.database": "aperi", "rsa.db.index": "llumd", @@ -244,9 +253,9 @@ "10.81.199.122" ], "related.user": [ - "eos", "oremips", - "giatq" + "giatq", + "eos" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -287,6 +296,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3491", + "related.hosts": [ + "temq1198.internal.example" + ], "related.ip": [ "10.139.186.201", "10.172.14.142" @@ -347,9 +359,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6875", + "related.hosts": [ + "tenbyCic5882.api.home" + ], "related.ip": [ - "10.47.76.251", - "10.104.111.129" + "10.104.111.129", + "10.47.76.251" ], "related.user": [ "ele", @@ -409,8 +424,8 @@ ], "related.user": [ "umdo", - "quiratio", - "animi" + "animi", + "quiratio" ], "rsa.db.index": "oll", "rsa.internal.event_desc": "rumet", 
@@ -451,14 +466,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5529", + "related.hosts": [ + "isqu7224.localdomain" + ], "related.ip": [ "10.57.40.29", "10.62.54.220" ], "related.user": [ - "rnatura", "taevi", - "psum" + "psum", + "rnatura" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -512,9 +530,9 @@ "10.74.237.180" ], "related.user": [ + "tnon", "ema", - "cup", - "tnon" + "cup" ], "rsa.db.index": "remeumf", "rsa.internal.event_desc": "lup", @@ -556,9 +574,9 @@ "10.18.165.35" ], "related.user": [ - "lor", "modocons", - "remeum" + "remeum", + "lor" ], "rsa.db.index": "etM", "rsa.internal.event_desc": "etc", @@ -600,9 +618,9 @@ "10.74.253.127" ], "related.user": [ + "icab", "tema", - "onproide", - "icab" + "onproide" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -642,9 +660,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1697", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], "related.ip": [ - "10.189.109.245", - "10.92.8.15" + "10.92.8.15", + "10.189.109.245" ], "related.user": [ "inima", @@ -701,8 +722,8 @@ "10.21.78.128" ], "related.user": [ - "taut", "upt", + "taut", "giatquov" ], "rsa.db.index": "iadese", @@ -746,8 +767,8 @@ ], "related.user": [ "pida", - "tatn", - "hil" + "hil", + "tatn" ], "rsa.db.index": "quip", "rsa.internal.event_desc": "ecillu", @@ -788,13 +809,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3727", + "related.hosts": [ + "iavolu5352.localhost" + ], "related.ip": [ "10.63.37.192", "10.225.115.13" ], "related.user": [ - "reetd", "iunt", + "reetd", "equep" ], "rsa.db.database": "aliqu", @@ -848,9 +872,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3219", + "related.hosts": [ + "estiae3750.api.corp" + ], "related.ip": [ - "10.95.64.124", - "10.47.202.102" + "10.47.202.102", + "10.95.64.124" ], "related.user": [ "run", 
@@ -907,13 +934,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6371", + "related.hosts": [ + "aquaeabi7735.internal.lan" + ], "related.ip": [ "10.244.114.61", "10.106.239.55" ], "related.user": [ - "serunt", - "itquiin" + "itquiin", + "serunt" ], "rsa.db.database": "itame", "rsa.db.index": "oluptas", @@ -965,13 +995,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.821", + "related.hosts": [ + "etMalor4236.www5.host" + ], "related.ip": [ - "10.125.160.129", - "10.53.168.235" + "10.53.168.235", + "10.125.160.129" ], "related.user": [ - "one", "abi", + "one", "ione" ], "rsa.db.database": "sperna", @@ -1025,14 +1058,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1123", + "related.hosts": [ + "quioffi1359.internal.lan" + ], "related.ip": [ - "10.227.177.121", - "10.33.245.220" + "10.33.245.220", + "10.227.177.121" ], "related.user": [ + "iduntu", "liqui", - "tasuntex", - "iduntu" + "tasuntex" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1088,13 +1124,17 @@ "observer.version": "1.5071", "process.name": "laboree.exe", "process.pid": 6501, + "related.hosts": [ + "", + "nsecte3304.mail.corp" + ], "related.ip": [ - "10.167.85.181", - "10.98.182.220" + "10.98.182.220", + "10.167.85.181" ], "related.user": [ - "econs", - "fde" + "fde", + "econs" ], "rsa.db.database": "equat", "rsa.internal.event_desc": "orpor", @@ -1149,9 +1189,9 @@ "10.89.208.95" ], "related.user": [ - "iciadese", "icabo", - "sintoc" + "sintoc", + "iciadese" ], "rsa.db.index": "eni", "rsa.internal.event_desc": "rcitati", @@ -1192,6 +1232,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.509", + "related.hosts": [ + "nevo4284.internal.local" + ], "related.ip": [ "10.72.148.32", "10.214.191.180" 
@@ -1252,9 +1295,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3599", + "related.hosts": [ + "itas981.mail.domain" + ], "related.ip": [ - "10.136.190.236", - "10.252.124.150" + "10.252.124.150", + "10.136.190.236" ], "related.user": [ "ipsumd", @@ -1312,14 +1358,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5649", + "related.hosts": [ + "tnonpro7635.localdomain" + ], "related.ip": [ - "10.213.144.249", - "10.192.34.76" + "10.192.34.76", + "10.213.144.249" ], "related.user": [ - "iquipe", + "lore", "temqu", - "lore" + "iquipe" ], "rsa.db.database": "gnamal", "rsa.db.index": "ntexplic", @@ -1371,9 +1420,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2217", + "related.hosts": [ + "rQuisau5300.www5.example" + ], "related.ip": [ - "10.216.84.30", - "10.154.4.197" + "10.154.4.197", + "10.216.84.30" ], "related.user": [ "untu", @@ -1431,8 +1483,8 @@ ], "related.user": [ "tqu", - "niamqui", - "quid" + "quid", + "niamqui" ], "rsa.db.index": "inci", "rsa.internal.event_desc": "eroinBCS", @@ -1473,14 +1525,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5632", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ - "10.193.83.81", - "10.65.175.9" + "10.65.175.9", + "10.193.83.81" ], "related.user": [ + "umqu", "ritatise", - "essequam", - "umqu" + "essequam" ], "rsa.db.database": "ender", "rsa.db.index": "entorev", @@ -1534,8 +1589,8 @@ "10.205.72.243" ], "related.user": [ - "isiuta", "umdolo", + "isiuta", "tatn" ], "rsa.db.index": "proide", @@ -1578,9 +1633,9 @@ "10.107.9.163" ], "related.user": [ - "mac", + "mquisno", "sit", - "mquisno" + "mac" ], "rsa.db.index": "sit", "rsa.internal.event_desc": "tdol", @@ -1623,8 +1678,8 @@ ], "related.user": [ "asiarc", - "umSe", - "quidexea" + "quidexea", + "umSe" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", 
@@ -1665,14 +1720,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.267", + "related.hosts": [ + "miurerep1152.internal.domain" + ], "related.ip": [ - "10.39.10.155", - "10.235.136.109" + "10.235.136.109", + "10.39.10.155" ], "related.user": [ + "aboreetd", "urExcept", - "ptass", - "aboreetd" + "ptass" ], "rsa.db.database": "teirured", "rsa.db.index": "dolorem", @@ -1771,8 +1829,8 @@ ], "related.user": [ "reseo", - "moenimi", - "aec" + "aec", + "moenimi" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1813,6 +1871,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3804", + "related.hosts": [ + "rum5798.home" + ], "related.ip": [ "10.226.101.180", "10.226.20.199" @@ -1874,14 +1935,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1493", + "related.hosts": [ + "nisiut3624.api.example" + ], "related.ip": [ - "10.134.65.15", - "10.86.22.67" + "10.86.22.67", + "10.134.65.15" ], "related.user": [ - "utaliqu", "quaUten", - "cab" + "cab", + "utaliqu" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -1981,14 +2045,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6255", + "related.hosts": [ + "tesse1089.www.host" + ], "related.ip": [ - "10.24.111.229", - "10.178.242.100" + "10.178.242.100", + "10.24.111.229" ], "related.user": [ + "loi", "dqu", - "idid", - "loi" + "idid" ], "rsa.db.database": "tenatuse", "rsa.db.index": "ullamcor", @@ -2129,14 +2196,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1844", + "related.hosts": [ + "dictasun3878.internal.localhost" + ], "related.ip": [ "10.212.214.4", "10.6.79.159" ], "related.user": [ + "midestl", "quid", - "amvo", - "midestl" + "amvo" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", 
@@ -2189,9 +2259,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3546", + "related.hosts": [ + "aecatcup2241.www5.test" + ], "related.ip": [ - "10.70.147.46", - "10.237.170.202" + "10.237.170.202", + "10.70.147.46" ], "related.user": [ "liquide", @@ -2249,13 +2322,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4282", + "related.hosts": [ + "mad5185.www5.localhost" + ], "related.ip": [ - "10.179.50.138", - "10.228.118.81" + "10.228.118.81", + "10.179.50.138" ], "related.user": [ - "itasper", "emoe", + "itasper", "tatemU" ], "rsa.db.database": "toditaut", @@ -2309,14 +2385,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3806", + "related.hosts": [ + "esseq7889.www.invalid" + ], "related.ip": [ "10.49.71.118", "10.234.165.130" ], "related.user": [ "emip", - "henderit", - "iuntNequ" + "iuntNequ", + "henderit" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2457,14 +2536,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7083", + "related.hosts": [ + "tem6815.home" + ], "related.ip": [ "10.174.185.109", "10.120.167.217" ], "related.user": [ "animid", - "rsp", - "dolorem" + "dolorem", + "rsp" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2517,14 +2599,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1432", + "related.hosts": [ + "mporainc2064.home" + ], "related.ip": [ "10.117.137.159", "10.141.213.219" ], "related.user": [ - "atev", "accusa", - "ate" + "ate", + "atev" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2577,13 +2662,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4043", + "related.hosts": [ + "caboNem1043.internal.home" + ], "related.ip": [ "10.166.90.130", "10.94.224.229" ], "related.user": [ - "rem", "eavol", + "rem", "etconsec" ], "rsa.db.database": "oditempo", 
@@ -2639,14 +2727,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2456", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ - "10.38.28.151", - "10.201.81.46" + "10.201.81.46", + "10.38.28.151" ], "related.user": [ + "tiumto", "incidid", - "mipsumqu", - "tiumto" + "mipsumqu" ], "rsa.db.database": "abor", "rsa.db.index": "adol", @@ -2701,14 +2792,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2721", + "related.hosts": [ + "dolori6232.api.invalid" + ], "related.ip": [ "10.255.28.56", "10.214.245.95" ], "related.user": [ - "rerepre", + "umdolors", "uptatem", - "umdolors" + "rerepre" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2763,8 +2857,8 @@ ], "related.user": [ "mip", - "qui", - "Utenima" + "Utenima", + "qui" ], "rsa.db.index": "boree", "rsa.internal.event_desc": "uteir", @@ -2807,8 +2901,8 @@ ], "related.user": [ "enim", - "ess", - "iame" + "iame", + "ess" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2893,14 +2987,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3147", + "related.hosts": [ + "mestq2106.api.host" + ], "related.ip": [ - "10.39.143.155", - "10.41.89.217" + "10.41.89.217", + "10.39.143.155" ], "related.user": [ + "tem", "tperspic", - "sedquiac", - "tem" + "sedquiac" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -2953,14 +3050,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6382", + "related.hosts": [ + "lors7553.api.local" + ], "related.ip": [ "10.153.123.20", "10.5.5.1" ], "related.user": [ + "minim", "unt", - "CSe", - "minim" + "CSe" ], "rsa.db.database": "atu", "rsa.db.index": "roi", 
@@ -3013,13 +3113,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3193", + "related.hosts": [ + "olu5333.www.domain" + ], "related.ip": [ - "10.210.61.109", - "10.168.132.175" + "10.168.132.175", + "10.210.61.109" ], "related.user": [ - "iamea", "giatquov", + "iamea", "eursinto" ], "rsa.db.database": "ici", @@ -3074,9 +3177,9 @@ "10.123.154.17" ], "related.user": [ - "quiac", + "dolorsi", "lmo", - "dolorsi" + "quiac" ], "rsa.db.index": "idunt", "rsa.internal.event_desc": "usantiu", @@ -3168,8 +3271,8 @@ ], "related.user": [ "rsitvol", - "Nemoenim", - "iati" + "iati", + "Nemoenim" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", @@ -3210,13 +3313,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3184", + "related.hosts": [ + "fic5107.home" + ], "related.ip": [ "10.169.101.161", "10.164.66.154" ], "related.user": [ - "eufug", "orissu", + "eufug", "ine" ], "rsa.db.database": "stquidol", @@ -3314,14 +3420,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4887", + "related.hosts": [ + "onpr47.api.home" + ], "related.ip": [ "10.207.97.192", "10.134.55.11" ], "related.user": [ - "madminim", "tanimid", - "mmod" + "mmod", + "madminim" ], "rsa.db.database": "tetura", "rsa.db.index": "uptasnul", @@ -3374,14 +3483,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3601", + "related.hosts": [ + "rehen4859.api.host" + ], "related.ip": [ "10.31.187.19", "10.52.150.104" ], "related.user": [ + "texplica", "eritq", - "oinBCSed", - "texplica" + "oinBCSed" ], "rsa.db.database": "lit", "rsa.db.index": "ritati", 
@@ -3434,13 +3546,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3175", + "related.hosts": [ + "eufugia4481.corp" + ], "related.ip": [ - "10.61.175.217", - "10.41.232.147" + "10.41.232.147", + "10.61.175.217" ], "related.user": [ - "tat", "ntexpl", + "tat", "runtm" ], "rsa.db.database": "rere", @@ -3495,9 +3610,9 @@ "10.150.30.95" ], "related.user": [ - "mini", + "atnonpr", "uisnos", - "atnonpr" + "mini" ], "rsa.db.index": "smod", "rsa.internal.event_desc": "isn", @@ -3627,9 +3742,9 @@ "10.197.203.167" ], "related.user": [ - "eserun", + "uta", "iumdo", - "uta" + "eserun" ], "rsa.db.index": "smo", "rsa.internal.event_desc": "olesti", @@ -3672,8 +3787,8 @@ ], "related.user": [ "sectetu", - "ibusBo", - "enima" + "enima", + "ibusBo" ], "rsa.db.index": "uido", "rsa.internal.event_desc": "lab", @@ -3714,9 +3829,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3824", + "related.hosts": [ + "involu1450.www.localhost" + ], "related.ip": [ - "10.123.62.215", - "10.250.248.215" + "10.250.248.215", + "10.123.62.215" ], "related.user": [ "aevitaed", @@ -3773,6 +3891,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3759", + "related.hosts": [ + "osa3211.www5.example" + ], "related.ip": [ "10.147.154.118", "10.146.57.23" @@ -3833,8 +3954,8 @@ ], "related.user": [ "niamqui", - "ptatemU", - "uamestqu" + "uamestqu", + "ptatemU" ], "rsa.db.index": "doeiu", "rsa.internal.event_desc": "uasiarc", @@ -3877,8 +3998,8 @@ ], "related.user": [ "nesci", - "onnumqua", - "tetura" + "tetura", + "onnumqua" ], "rsa.db.index": "oinBCSed", "rsa.internal.event_desc": "ntor", @@ -3920,9 +4041,9 @@ "10.47.63.70" ], "related.user": [ - "midestl", + "expl", "tpers", - "expl" + "midestl" ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", 
@@ -4007,14 +4128,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6648", + "related.hosts": [ + "tatemac5192.www5.test" + ], "related.ip": [ - "10.89.154.115", - "10.85.13.237" + "10.85.13.237", + "10.89.154.115" ], "related.user": [ "emeu", - "luptat", - "Nem" + "Nem", + "luptat" ], "rsa.db.database": "nturmag", "rsa.db.index": "maliqua", @@ -4067,13 +4191,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3387", + "related.hosts": [ + "nimve2787.mail.test" + ], "related.ip": [ - "10.65.207.234", - "10.222.32.183" + "10.222.32.183", + "10.65.207.234" ], "related.user": [ - "eruntmo", "itame", + "eruntmo", "eve" ], "rsa.db.database": "udexerc", @@ -4128,8 +4255,8 @@ "10.16.181.60" ], "related.user": [ - "gnama", "oinven", + "gnama", "olore" ], "rsa.db.index": "uatu", @@ -4173,8 +4300,8 @@ ], "related.user": [ "illoin", - "uianon", - "amnis" + "amnis", + "uianon" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4216,9 +4343,9 @@ "10.204.214.98" ], "related.user": [ + "tdolo", "eprehe", - "porissus", - "tdolo" + "porissus" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4260,9 +4387,9 @@ "10.223.178.192" ], "related.user": [ + "etc", "moenimip", - "evel", - "etc" + "evel" ], "rsa.db.index": "iarchit", "rsa.internal.event_desc": "apari", @@ -4303,13 +4430,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.801", + "related.hosts": [ + "ama6820.mail.example" + ], "related.ip": [ - "10.26.137.126", - "10.26.33.181" + "10.26.33.181", + "10.26.137.126" ], "related.user": [ - "ati", "audant", + "ati", "taevit" ], "rsa.db.database": "com", 
@@ -4363,14 +4493,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.10", + "related.hosts": [ + "olupt966.www5.corp" + ], "related.ip": [ - "10.148.195.208", - "10.142.161.116" + "10.142.161.116", + "10.148.195.208" ], "related.user": [ - "quaerat", + "mpori", "isi", - "mpori" + "quaerat" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4423,14 +4556,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1026", + "related.hosts": [ + "lit4112.www.localhost" + ], "related.ip": [ "10.10.174.253", "10.107.24.54" ], "related.user": [ "hend", - "itinvo", - "uptasn" + "uptasn", + "itinvo" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4485,9 +4621,9 @@ "10.87.92.17" ], "related.user": [ + "tamr", "luptate", - "eeufug", - "tamr" + "eeufug" ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4532,13 +4668,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5649", + "related.hosts": [ + "dictasun3408.internal.invalid" + ], "related.ip": [ "10.161.51.135", "10.231.51.136" ], "related.user": [ - "asper", "Finibus", + "asper", "accus" ], "rsa.db.database": "litani", @@ -4593,9 +4732,9 @@ "10.51.17.32" ], "related.user": [ - "itten", "mquido", - "llum" + "llum", + "itten" ], "rsa.db.index": "uscipit", "rsa.internal.event_desc": "llitani", @@ -4637,8 +4776,8 @@ "10.108.123.148" ], "related.user": [ - "mmodicon", "cusa", + "mmodicon", "ollita" ], "rsa.db.index": "ercitati", @@ -4681,13 +4820,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.425", + "related.hosts": [ + "uidol6868.mail.localdomain" + ], "related.ip": [ - "10.198.187.144", - "10.114.0.148" + "10.114.0.148", + "10.198.187.144" ], "related.user": [ - "equatD", "rsitamet", + "equatD", "ons" ], "rsa.db.database": "periam", 
@@ -4746,8 +4888,8 @@ "10.61.140.120" ], "related.user": [ - "loru", "naaliq", + "loru", "equa" ], "rsa.db.index": "umfugiat", @@ -4789,14 +4931,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6988", + "related.hosts": [ + "ptat4878.lan" + ], "related.ip": [ - "10.93.24.151", - "10.149.238.108" + "10.149.238.108", + "10.93.24.151" ], "related.user": [ - "nven", + "sequamn", "ite", - "sequamn" + "nven" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4895,8 +5040,8 @@ "10.2.204.161" ], "related.user": [ - "ore", "quela", + "ore", "eumfugia" ], "rsa.db.index": "olup", @@ -4944,8 +5089,8 @@ ], "related.user": [ "ptatemse", - "enimad", - "aliqu" + "aliqu", + "enimad" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -4986,14 +5131,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3175", + "related.hosts": [ + "isno4595.local" + ], "related.ip": [ - "10.94.152.238", - "10.151.110.250" + "10.151.110.250", + "10.94.152.238" ], "related.user": [ + "tla", "neavol", - "pidatatn", - "tla" + "pidatatn" ], "rsa.db.database": "itaedict", "rsa.db.index": "onemull", @@ -5046,13 +5194,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4965", + "related.hosts": [ + "tatemse5403.home" + ], "related.ip": [ - "10.77.9.17", - "10.146.61.5" + "10.146.61.5", + "10.77.9.17" ], "related.user": [ - "umS", "tevel", + "umS", "alorumwr" ], "rsa.db.database": "amremap", @@ -5107,8 +5258,8 @@ "10.128.102.130" ], "related.user": [ - "ore", "que", + "ore", "sequatu" ], "rsa.db.index": "exerci", @@ -5150,13 +5301,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7701", + "related.hosts": [ + "reprehe650.www.corp" + ], "related.ip": [ - "10.31.86.83", - "10.200.162.248" + "10.200.162.248", + "10.31.86.83" ], "related.user": [ - "reseo", "onnu", + "reseo", "doloremi" ], "rsa.db.database": "billo", 
@@ -5211,9 +5365,9 @@ "10.103.215.159" ], "related.user": [ + "volup", "apa", - "atatn", - "volup" + "atatn" ], "rsa.db.index": "atcupi", "rsa.internal.event_desc": "did",
diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml
index fc90f92344c..28123fafd35 100644
--- a/x-pack/filebeat/module/cylance/protect/config/input.yml
+++ b/x-pack/filebeat/module/cylance/protect/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
index 4df5148c770..72aa57c217a 100644
--- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append: field: related.hosts value: '{{host.name}}' allow_duplicates: false if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
index aeb8dfcbd46..4f73edba010 100644
--- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
@@ -12,6 +12,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nostrud4819.mail.test" + ], "rsa.identity.firstname": "uii", "rsa.identity.lastname": "umexe", "rsa.internal.messageid": "CylancePROTECT",
@@ -44,6 +47,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volup208.invalid" + ], "rsa.identity.firstname": "luptat", "rsa.identity.lastname": "isiutal", "rsa.internal.messageid": "CylancePROTECT", @@ -75,6 +81,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eius6159.www5.localhost" + ], "rsa.db.index": "temvel", "rsa.identity.firstname": "lupt", "rsa.identity.lastname": "tia", @@ -106,6 +115,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ratvolup497.www.corp" + ], "rsa.db.index": "ommodic", "rsa.identity.firstname": "mipsu", "rsa.identity.lastname": "consec", @@ -137,6 +149,9 @@ "observer.product": "taliqu", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatno5625.api.local" + ], "rsa.identity.firstname": "tur", "rsa.identity.lastname": "aperi", "rsa.internal.messageid": "CylancePROTECT", @@ -170,6 +185,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "maveniam1399.mail.lan" + ], "related.ip": [ "10.124.61.119" ], @@ -211,6 +229,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nimadmin6499.local" + ], "rsa.db.index": "lorem", "rsa.identity.firstname": "urerep", "rsa.identity.lastname": "aquaeab", @@ -242,6 +263,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "suntinc4934.www5.test" + ], "rsa.identity.firstname": "dmi", "rsa.identity.lastname": "olab", "rsa.internal.messageid": "CylancePROTECT", @@ -277,6 +301,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2344", + "related.hosts": [ + "reetdolo2451.www.example" + ], "related.user": [ "usan" ], 
@@ -310,6 +337,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "uis7612.www5.domain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", @@ -337,6 +367,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "admi3749.api.lan" + ], "rsa.db.index": "nimadmin", "rsa.identity.firstname": "iqui", "rsa.identity.lastname": "etc", @@ -371,6 +404,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.5383", + "related.hosts": [ + "rudexerc703.internal.host" + ], "related.user": [ "isaute" ], @@ -444,6 +480,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "estqu1709.internal.example" + ], "related.ip": [ "10.64.70.5" ], @@ -484,6 +523,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "xeac7155.www.localdomain" + ], "related.ip": [ "10.143.239.210" ], @@ -527,6 +569,9 @@ "observer.vendor": "Cylance", "process.name": "aliqu.exe", "process.pid": 2289, + "related.hosts": [ + "maccusa5126.api.domain" + ], "related.ip": [ "10.32.143.134" ], @@ -570,6 +615,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "llu4718.localhost" + ], "rsa.db.index": "psaquae", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -629,6 +677,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eaq908.api.home" + ], "rsa.db.index": "equat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -661,6 +712,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.4129", + "related.hosts": [ + "mcolab379.internal.home" + ], "related.user": [ "fdeFi" ], @@ -733,6 +787,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sciun4694.api.lan" + ], "rsa.db.index": "enderit", "rsa.identity.firstname": "idata", "rsa.identity.lastname": "rumwritt", @@ -764,6 +821,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "mni7200.mail.localdomain" + ], "rsa.db.index": "uisau", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -821,6 +881,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3212", + "related.hosts": [ + "ntoccae1705.internal.invalid" + ], "related.user": [ "aperiame" ], @@ -854,6 +917,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "etconsec6708.internal.invalid" + ], "rsa.db.index": "mquame", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502030000, @@ -884,6 +950,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Sedutp7428.internal.home" + ], "rsa.db.index": "iquipe", "rsa.identity.firstname": "upida", "rsa.identity.lastname": "tvolupt", @@ -916,6 +985,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ati4639.www5.home" + ], "rsa.identity.firstname": "con", "rsa.identity.lastname": "nisist", "rsa.internal.messageid": "CylancePROTECT", 
@@ -947,6 +1019,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "torever662.www5.home" + ], "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", "rsa.identity.firstname": "amcol", "rsa.identity.lastname": "adeser", @@ -978,6 +1053,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "emeumfug4387.internal.lan" + ], "rsa.identity.firstname": "ccaeca", "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", @@ -1010,6 +1088,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "rumwrit764.www5.local" + ], "rsa.db.index": "miu", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, @@ -1072,6 +1153,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oremi1485.api.localhost" + ], "rsa.identity.firstname": "atisund", "rsa.identity.lastname": "xea", "rsa.internal.messageid": "CylancePROTECT", @@ -1104,6 +1188,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "periam126.api.host" + ], "rsa.crypto.sig_type": "rExc", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1135,6 +1222,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tate6578.api.localdomain" + ], "related.ip": [ "10.252.165.146" ], @@ -1175,6 +1265,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "midestl1919.host" + ], "related.ip": [ "10.124.88.222" ], 
@@ -1215,6 +1308,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eiusmod3517.internal.invalid" + ], "rsa.identity.firstname": "dol", "rsa.identity.lastname": "sciun", "rsa.internal.messageid": "CylancePROTECT", @@ -1248,6 +1344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntexpl3889.www.home" + ], "related.ip": [ "10.156.34.19" ], @@ -1290,6 +1389,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntium4450.www5.localdomain" + ], "related.ip": [ "10.22.94.10" ], @@ -1330,6 +1432,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "erspi5757.local" + ], "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -1424,6 +1529,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "magnid3343.home" + ], "rsa.db.index": "obea", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1454,6 +1562,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asperna7623.www.home" + ], "rsa.identity.firstname": "onproide", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1486,6 +1597,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3421", + "related.hosts": [ + "undeom845.www5.example" + ], "related.user": [ "tassita" ], @@ -1548,6 +1662,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ons5050.mail.test" + ], "related.ip": [ "10.48.209.115" ], 
@@ -1588,6 +1705,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oloreeu7597.mail.home" + ], "related.ip": [ "10.7.99.47" ], @@ -1628,6 +1748,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ueip5847.api.test" + ], "rsa.crypto.sig_type": "Nemoenim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, @@ -1660,6 +1783,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.989", + "related.hosts": [ + "uid3520.www.home" + ], "related.user": [ "ici" ], @@ -1745,6 +1871,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "rsa.identity.firstname": "scip", "rsa.identity.lastname": "Finibus", "rsa.internal.messageid": "CylancePROTECT", @@ -1831,6 +1960,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "serrorsi1096.www5.localdomain" + ], "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1860,6 +1992,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "prehen4807.mail.invalid" + ], "rsa.db.index": "meum", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, @@ -1890,6 +2025,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sit1400.www.lan" + ], "rsa.db.index": "ntsunti", "rsa.identity.firstname": "uid", "rsa.identity.lastname": "idatat", 
@@ -1922,6 +2060,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sectetu7182.localdomain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, "rsa.investigations.event_cat_name": "Network.Devices.Additions", @@ -1949,6 +2090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "officiad4982.www5.domain" + ], "rsa.identity.firstname": "etdolore", "rsa.identity.lastname": "magnaa", "rsa.internal.messageid": "CylancePROTECT", @@ -1980,6 +2124,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "consequa1486.internal.localdomain" + ], "rsa.crypto.sig_type": "quaeratv", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2010,6 +2157,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "its6443.mail.example" + ], "related.ip": [ "10.139.80.71" ], @@ -2053,6 +2203,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tconsec7604.corp" + ], "related.ip": [ "10.223.246.244" ], @@ -2092,6 +2245,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tuser2694.internal.invalid" + ], "rsa.identity.firstname": "natus", "rsa.identity.lastname": "boreet", "rsa.internal.messageid": "CylancePROTECT", @@ -2124,6 +2280,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "gnaaliq5240.api.test" + ], "rsa.crypto.sig_type": "ratvo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2153,6 +2312,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "illum2625.test" + ], "rsa.crypto.sig_type": "iaeconse", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2182,6 +2344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nulamc5617.mail.host" + ], "related.ip": [ "10.134.137.205" ], @@ -2221,6 +2386,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatem4713.internal.host" + ], "rsa.db.index": "usci", "rsa.identity.firstname": "lupta", "rsa.identity.lastname": "ura", @@ -2254,6 +2422,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ugits5961.www5.local" + ], "related.ip": [ "10.91.2.225" ], @@ -2297,6 +2468,9 @@ "observer.vendor": "Cylance", "process.name": "nimadmi.exe", "process.pid": 601, + "related.hosts": [ + "prehende5460.mail.localdomain" + ], "related.ip": [ "10.191.99.14" ], @@ -2340,6 +2514,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "velites1745.api.corp" + ], "rsa.db.index": "lor", "rsa.identity.firstname": "naaliq", "rsa.identity.lastname": "plica", @@ -2373,6 +2550,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Duis583.api.local" + ], "rsa.crypto.sig_type": "dminim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2404,6 +2584,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2478", + "related.hosts": [ + "velitess2401.www.lan" + ], "rsa.db.index": "dolo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2434,6 +2617,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sequines3991.mail.local" + ], "rsa.identity.firstname": "sequines", "rsa.identity.lastname": "minimve", "rsa.internal.messageid": "CylancePROTECT", @@ -2470,6 +2656,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "iatquo2815.mail.host" + ], "related.ip": [ "10.181.215.164" ], @@ -2537,6 +2726,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "issusci7005.mail.host" + ], "rsa.db.index": "tiumtot", "rsa.identity.firstname": "ecillumd", "rsa.identity.lastname": "iumto", @@ -2571,6 +2763,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umq7428.invalid" + ], "related.ip": [ "10.164.59.219" ], @@ -2639,6 +2834,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "epteurs5503.www5.home" + ], "related.ip": [ "10.1.193.187" ], @@ -2707,6 +2905,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "omnisis5339.www5.local" + ], "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2737,6 +2938,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ction491.www5.local" + ], "rsa.identity.firstname": "imveniam", "rsa.identity.lastname": "sunte", "rsa.internal.messageid": "CylancePROTECT", @@ -2769,6 +2973,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "undeom7847.api.corp" + ], "related.ip": [ "10.146.228.234" ], 
@@ -2810,6 +3017,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "dolo6230.mail.invalid" + ], "related.ip": [ "10.59.232.97" ], @@ -2845,6 +3055,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nvolup6280.api.home" + ], "rsa.identity.firstname": "dantium", "rsa.identity.lastname": "ors", "rsa.internal.messageid": "CylancePROTECT", @@ -2877,6 +3090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "urautodi3892.www5.example" + ], "rsa.db.index": "nibu", "rsa.identity.firstname": "mdolo", "rsa.identity.lastname": "nof", @@ -2952,6 +3168,9 @@ "observer.vendor": "Cylance", "process.name": "oluptat.exe", "process.pid": 4608, + "related.hosts": [ + "uraut3756.www5.test" + ], "related.ip": [ "10.127.30.119" ], @@ -2995,6 +3214,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "squ2213.www.test" + ], "rsa.db.index": "rExce", "rsa.identity.firstname": "rinc", "rsa.identity.lastname": "tno", @@ -3056,6 +3278,9 @@ "observer.vendor": "Cylance", "process.name": "ngelitse.exe", "process.pid": 4190, + "related.hosts": [ + "umet5891.api.localdomain" + ], "related.ip": [ "10.8.150.213" ], @@ -3099,6 +3324,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umquam5574.internal.test" + ], "related.ip": [ "10.108.59.10" ], @@ -3134,6 +3362,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volupt6822.api.invalid" + ], "rsa.identity.firstname": "qui", "rsa.identity.lastname": "epteurs", "rsa.internal.messageid": "CylancePROTECT", 
@@ -3224,6 +3455,9 @@
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
 "observer.version": "1.3237",
+ "related.hosts": [
+ "amvol4075.mail.localhost"
+ ],
 "related.user": [
 "pta"
 ],
@@ -3257,6 +3491,9 @@
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
+ "related.hosts": [
+ "asi4651.api.test"
+ ],
 "rsa.db.index": "ssecill",
 "rsa.identity.firstname": "officiad",
 "rsa.identity.lastname": "veniam",
@@ -3288,6 +3525,9 @@
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
+ "related.hosts": [
+ "perna6751.internal.home"
+ ],
 "related.ip": [
 "10.138.85.233"
 ],
@@ -3323,6 +3563,9 @@
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
+ "related.hosts": [
+ "evolupta7790.internal.local"
+ ],
 "rsa.db.index": "rehe",
 "rsa.identity.firstname": "tam",
 "rsa.identity.lastname": "deser",
diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml
index e17540ff041..e4c79ac07c5 100644
--- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml
+++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml
index 5df41d6ec6f..39579462593 100644
--- a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
 - append:
 field: error.message
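Review bot: The `if` guard on the new `append` processor in pipeline.yml mixes null-safe and plain navigation — `ctx?.host?.name != null && ctx.host?.name != ''` — and once the first clause holds `ctx.host` is already known to be non-null, so the second `?.` only obscures the intent; `if: ctx?.host?.name != null && ctx.host.name != ''` evaluates identically and reads as one check. A one-line comment above the processor would help the next maintainer, e.g. `# Collect the reporting host into related.hosts (ECS 1.6) so analysts can pivot across events by hostname`, since the companion input.yml hunk bumps `ecs.version` to 1.6.0 without saying why. Note that `allow_duplicates: false` compares exact string values, so a `host.name` differing only in case from a hostname appended elsewhere in the pipeline would still yield two entries; if the pipeline normalizes hostnames to lowercase anywhere, this append should run after that step. The enclosing `processors` list starts and ends outside the hunk.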
diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index a366e228e25..d1729062282 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -20,11 +20,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2262", + "related.hosts": [ + "tatemac3541.api.corp" + ], "related.ip": [ - "10.11.196.142", - "10.208.121.85", "10.165.201.71", - "10.228.193.207" + "10.228.193.207", + "10.11.196.142", + "10.208.121.85" ], "related.user": [ "billoi" @@ -85,11 +88,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.445", + "related.hosts": [ + "enatus2114.mail.home" + ], "related.ip": [ - "10.92.202.200", - "10.162.9.235", "10.51.132.10", - "10.94.67.230" + "10.162.9.235", + "10.94.67.230", + "10.92.202.200" ], "related.user": [ "byC" @@ -150,6 +156,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4726", + "related.hosts": [ + "gelit6728.api.invalid" + ], "related.ip": [ "10.122.116.161", "10.209.155.149", @@ -214,11 +223,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2696", + "related.hosts": [ + "uid545.www5.localhost" + ], "related.ip": [ "10.12.44.169", + "10.202.66.28", "10.50.112.141", - "10.131.233.27", - "10.202.66.28" + "10.131.233.27" ], "related.user": [ "elits" @@ -279,11 +291,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3341", + "related.hosts": [ + "emquiavo452.internal.localhost" + ], "related.ip": [ + "10.159.182.171", "10.151.111.38", - "10.206.197.113", "10.96.35.212", - "10.159.182.171" + "10.206.197.113" ], "related.user": [ "mol" 
@@ -344,11 +359,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6179", + "related.hosts": [ + "sun1403.www.invalid" + ], "related.ip": [ - "10.169.144.147", - "10.89.163.114", + "10.126.177.162", "10.213.113.28", - "10.126.177.162" + "10.169.144.147", + "10.89.163.114" ], "related.user": [ "ist" @@ -408,11 +426,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6316", + "related.hosts": [ + "ittenbyC7838.api.localdomain" + ], "related.ip": [ "10.101.223.43", - "10.146.88.52", + "10.18.124.28", "10.103.107.47", - "10.18.124.28" + "10.146.88.52" ], "related.user": [ "rudexerc" @@ -473,9 +494,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3768", + "related.hosts": [ + "ume465.corp" + ], "related.ip": [ - "10.189.109.245", "10.150.220.75", + "10.189.109.245", "10.69.57.206", "10.110.99.17" ], @@ -537,11 +561,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2299", + "related.hosts": [ + "iciatisu1463.www5.localdomain" + ], "related.ip": [ - "10.19.194.101", - "10.153.136.222", "10.199.34.241", - "10.121.219.204" + "10.121.219.204", + "10.153.136.222", + "10.19.194.101" ], "related.user": [ "temveleu" @@ -601,10 +628,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4138", + "related.hosts": [ + "aliqu6801.api.localdomain" + ], "related.ip": [ + "10.57.103.192", "10.64.141.105", "10.46.27.57", - "10.57.103.192", "10.182.199.231" ], "related.user": [ @@ -665,11 +695,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7410", + "related.hosts": [ + "itame189.domain" + ], "related.ip": [ "10.32.67.231", - "10.164.6.207", "10.3.134.237", - "10.160.210.31" + "10.160.210.31", + "10.164.6.207" ], "related.user": [ "pic" 
@@ -730,11 +763,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3545", + "related.hosts": [ + "tsedqu2456.www5.invalid" + ], "related.ip": [ "10.42.138.192", + "10.201.6.10", "10.235.101.253", - "10.182.178.217", - "10.201.6.10" + "10.182.178.217" ], "related.user": [ "giatnu" @@ -795,11 +831,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3795", + "related.hosts": [ + "stlabo1228.mail.host" + ], "related.ip": [ - "10.151.161.70", "10.86.101.235", - "10.22.102.198", - "10.194.247.171" + "10.194.247.171", + "10.151.161.70", + "10.22.102.198" ], "related.user": [ "nse" @@ -860,11 +899,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4901", + "related.hosts": [ + "ecte4762.local" + ], "related.ip": [ - "10.167.172.155", "10.174.252.105", + "10.204.35.15", "10.107.168.60", - "10.204.35.15" + "10.167.172.155" ], "related.user": [ "mnisi" @@ -924,11 +966,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3427", + "related.hosts": [ + "smo7167.www.test" + ], "related.ip": [ + "10.99.249.210", "10.182.191.174", - "10.214.249.164", "10.81.26.208", - "10.99.249.210" + "10.214.249.164" ], "related.user": [ "upta" @@ -988,11 +1033,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1766", + "related.hosts": [ + "sauteiru4554.api.domain" + ], "related.ip": [ - "10.101.226.128", "10.88.101.53", "10.201.238.90", - "10.220.5.143" + "10.220.5.143", + "10.101.226.128" ], "related.user": [ "porro" @@ -1052,11 +1100,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7491", + "related.hosts": [ + "untut4046.internal.domain" + ], "related.ip": [ - "10.30.133.66", - "10.157.18.252", "10.243.218.215", - "10.217.150.196" + "10.217.150.196", + "10.157.18.252", + "10.30.133.66" ], "related.user": [ "evit" 
@@ -1116,10 +1167,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.752", + "related.hosts": [ + "quid3147.mail.home" + ], "related.ip": [ + "10.167.227.44", "10.181.133.187", "10.148.161.250", - "10.167.227.44", "10.66.181.6" ], "related.user": [ @@ -1181,9 +1235,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5663", + "related.hosts": [ + "umdolo1029.mail.localhost" + ], "related.ip": [ - "10.54.17.32", "10.74.11.43", + "10.54.17.32", "10.84.163.178", "10.107.9.163" ], @@ -1245,11 +1302,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5726", + "related.hosts": [ + "lorsita2019.internal.home" + ], "related.ip": [ "10.230.129.252", - "10.112.32.213", "10.184.73.211", - "10.192.229.221" + "10.192.229.221", + "10.112.32.213" ], "related.user": [ "odi" @@ -1310,11 +1370,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1721", + "related.hosts": [ + "paquioff624.mail.invalid" + ], "related.ip": [ "10.161.148.64", - "10.198.213.189", + "10.199.216.143", "10.7.200.140", - "10.199.216.143" + "10.198.213.189" ], "related.user": [ "ccaeca" @@ -1374,11 +1437,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1000", + "related.hosts": [ + "mex2054.mail.corp" + ], "related.ip": [ - "10.128.157.27", - "10.65.232.27", "10.206.96.56", - "10.22.187.69" + "10.22.187.69", + "10.128.157.27", + "10.65.232.27" ], "related.user": [ "uaeab" @@ -1438,11 +1504,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3104", + "related.hosts": [ + "avolupt7576.api.corp" + ], "related.ip": [ - "10.71.114.14", "10.194.210.62", "10.68.253.120", - "10.183.130.225" + "10.183.130.225", + "10.71.114.14" ], "related.user": [ "admin" 
@@ -1503,11 +1572,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.341", + "related.hosts": [ + "loi7596.www5.home" + ], "related.ip": [ - "10.107.45.175", + "10.47.255.237", "10.45.253.103", - "10.31.177.226", - "10.47.255.237" + "10.107.45.175", + "10.31.177.226" ], "related.user": [ "remagn" @@ -1568,11 +1640,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1607", + "related.hosts": [ + "nsequat1971.internal.invalid" + ], "related.ip": [ - "10.225.212.189", "10.44.58.106", "10.55.105.113", - "10.213.94.135" + "10.213.94.135", + "10.225.212.189" ], "related.user": [ "dquia" @@ -1632,11 +1707,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.51", + "related.hosts": [ + "ectiono2241.lan" + ], "related.ip": [ - "10.163.209.70", - "10.2.114.9", "10.255.74.136", - "10.69.161.78" + "10.69.161.78", + "10.163.209.70", + "10.2.114.9" ], "related.user": [ "olabor" @@ -1696,9 +1774,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.380", + "related.hosts": [ + "umetMal1664.mail.lan" + ], "related.ip": [ - "10.252.102.110", "10.46.115.216", + "10.252.102.110", "10.12.129.137", "10.184.59.148" ], @@ -1761,11 +1842,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1729", + "related.hosts": [ + "derit5270.mail.local" + ], "related.ip": [ - "10.105.52.140", - "10.199.194.79", "10.81.184.7", - "10.155.204.243" + "10.199.194.79", + "10.155.204.243", + "10.105.52.140" ], "related.user": [ "eetd" @@ -1826,11 +1910,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1453", + "related.hosts": [ + "orisni5238.mail.lan" + ], "related.ip": [ - "10.177.238.45", "10.251.231.142", - "10.110.2.166", - "10.18.226.72" + "10.177.238.45", + "10.18.226.72", + "10.110.2.166" ], "related.user": [ "taliqui" 
@@ -1891,6 +1978,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6332", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.99.202.229", "10.100.199.226", @@ -1956,11 +2046,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6463", + "related.hosts": [ + "orumw5960.www5.home" + ], "related.ip": [ "10.248.111.207", - "10.172.154.97", + "10.162.97.197", "10.37.193.70", - "10.162.97.197" + "10.172.154.97" ], "related.user": [ "culpaq" @@ -2020,11 +2113,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3912", + "related.hosts": [ + "oinv5493.internal.domain" + ], "related.ip": [ "10.171.221.230", "10.222.165.250", - "10.36.63.31", - "10.45.35.180" + "10.45.35.180", + "10.36.63.31" ], "related.user": [ "otamr" @@ -2084,11 +2180,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4329", + "related.hosts": [ + "tnonproi195.api.home" + ], "related.ip": [ - "10.238.4.219", - "10.83.238.145", + "10.1.171.61", "10.199.127.211", - "10.1.171.61" + "10.83.238.145", + "10.238.4.219" ], "related.user": [ "reetdolo" @@ -2148,11 +2247,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3789", + "related.hosts": [ + "edictasu5362.internal.localhost" + ], "related.ip": [ "10.170.252.219", + "10.65.141.244", "10.74.213.42", - "10.44.226.104", - "10.65.141.244" + "10.44.226.104" ], "related.user": [ "Nequepo" @@ -2212,11 +2314,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2965", + "related.hosts": [ + "uido492.www5.home" + ], "related.ip": [ "10.180.48.221", - "10.225.141.172", + "10.225.255.211", "10.183.223.149", - "10.225.255.211" + "10.225.141.172" ], "related.user": [ "nihil" 
@@ -2276,11 +2381,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7612", + "related.hosts": [ + "redo6311.api.invalid" + ], "related.ip": [ "10.176.64.28", "10.97.138.181", - "10.169.123.103", - "10.205.174.181" + "10.205.174.181", + "10.169.123.103" ], "related.user": [ "eseruntm" @@ -2341,11 +2449,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4226", + "related.hosts": [ + "dolorem1698.www.domain" + ], "related.ip": [ "10.75.120.11", + "10.169.101.161", "10.53.101.131", - "10.204.4.40", - "10.169.101.161" + "10.204.4.40" ], "related.user": [ "tquo" @@ -2406,11 +2517,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2990", + "related.hosts": [ + "evitae7333.www.lan" + ], "related.ip": [ "10.156.117.169", + "10.28.51.219", "10.6.222.112", - "10.87.120.87", - "10.28.51.219" + "10.87.120.87" ], "related.user": [ "onsequu" @@ -2470,11 +2584,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.388", + "related.hosts": [ + "arc2412.mail.lan" + ], "related.ip": [ - "10.4.126.103", - "10.253.167.17", "10.247.44.59", - "10.57.89.155" + "10.57.89.155", + "10.253.167.17", + "10.4.126.103" ], "related.user": [ "ntorever" @@ -2534,11 +2651,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6451", + "related.hosts": [ + "olorsi2746.internal.localhost" + ], "related.ip": [ - "10.15.240.220", "10.36.69.125", - "10.143.183.208", - "10.248.206.210" + "10.15.240.220", + "10.248.206.210", + "10.143.183.208" ], "related.user": [ "met" @@ -2599,11 +2719,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4386", + "related.hosts": [ + "edqu2208.www.localhost" + ], "related.ip": [ "10.69.170.107", "10.6.32.7", - "10.142.186.43", - "10.34.133.2" + "10.34.133.2", + "10.142.186.43" ], "related.user": [ "ipitlabo" 
@@ -2664,11 +2787,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2026", + "related.hosts": [ + "ender5647.www5.example" + ], "related.ip": [ "10.59.103.10", - "10.142.22.24", + "10.170.165.164", "10.121.153.197", - "10.170.165.164" + "10.142.22.24" ], "related.user": [ "borumSec" @@ -2729,6 +2855,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1576", + "related.hosts": [ + "sis3986.internal.lan" + ], "related.ip": [ "10.19.99.129", "10.247.114.30", @@ -2794,11 +2923,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3824", + "related.hosts": [ + "uatu2894.api.lan" + ], "related.ip": [ - "10.64.139.17", "10.70.7.23", + "10.40.177.138", "10.8.29.219", - "10.40.177.138" + "10.64.139.17" ], "related.user": [ "rep" @@ -2858,10 +2990,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6066", + "related.hosts": [ + "rmagnido5483.local" + ], "related.ip": [ "10.2.189.20", - "10.67.173.228", "10.67.221.220", + "10.67.173.228", "10.180.62.222" ], "related.user": [ @@ -2923,6 +3058,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5040", + "related.hosts": [ + "uian521.www.example" + ], "related.ip": [ "10.147.127.181", "10.209.52.47", @@ -2987,10 +3125,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7604", + "related.hosts": [ + "taliq5213.api.corp" + ], "related.ip": [ - "10.231.18.90", - "10.248.140.59", "10.226.24.84", + "10.248.140.59", + "10.231.18.90", "10.85.13.237" ], "related.user": [ @@ -3052,11 +3193,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5407", + "related.hosts": [ + "ntsunt4894.mail.domain" + ], "related.ip": [ - "10.203.46.215", + "10.59.215.207", "10.207.183.204", "10.8.224.72", - "10.59.215.207" + "10.203.46.215" ], "related.user": [ "eruntmo" 
@@ -3117,11 +3261,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6814", + "related.hosts": [ + "mexer3864.api.corp" + ], "related.ip": [ + "10.98.154.146", "10.73.84.95", "10.230.38.148", - "10.255.145.22", - "10.98.154.146" + "10.255.145.22" ], "related.user": [ "sitam" @@ -3181,11 +3328,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7160", + "related.hosts": [ + "oluptat6960.www5.test" + ], "related.ip": [ - "10.105.120.162", "10.166.142.198", - "10.211.29.187", - "10.175.181.138" + "10.105.120.162", + "10.175.181.138", + "10.211.29.187" ], "related.user": [ "tium" @@ -3246,11 +3396,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6057", + "related.hosts": [ + "fugiatnu2498.www.localhost" + ], "related.ip": [ - "10.220.202.102", "10.182.213.195", "10.195.139.25", - "10.122.133.162" + "10.122.133.162", + "10.220.202.102" ], "related.user": [ "aquae" @@ -3311,11 +3464,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3297", + "related.hosts": [ + "ptat3230.domain" + ], "related.ip": [ - "10.156.208.5", - "10.53.72.161", + "10.33.143.163", "10.247.144.9", - "10.33.143.163" + "10.156.208.5", + "10.53.72.161" ], "related.user": [ "scip" @@ -3375,11 +3531,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2476", + "related.hosts": [ + "exer447.internal.localhost" + ], "related.ip": [ + "10.241.143.145", "10.35.190.164", "10.21.58.162", - "10.113.65.192", - "10.241.143.145" + "10.113.65.192" ], "related.user": [ "porin" @@ -3440,11 +3599,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.768", + "related.hosts": [ + "itanimi1934.home" + ], "related.ip": [ - "10.19.154.103", - "10.53.27.253", + "10.129.16.166", "10.75.113.240", - "10.129.16.166" + "10.19.154.103", + "10.53.27.253" ], "related.user": [ "luptat" 
@@ -3505,6 +3667,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5812", + "related.hosts": [ + "pteurs1031.mail.corp" + ], "related.ip": [ "10.150.153.61", "10.22.213.196", @@ -3570,10 +3735,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7232", + "related.hosts": [ + "edquiaco6562.api.lan" + ], "related.ip": [ "10.85.52.249", - "10.238.171.184", "10.229.155.171", + "10.238.171.184", "10.113.2.13" ], "related.user": [ @@ -3635,11 +3803,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.536", + "related.hosts": [ + "tatis7315.mail.home" + ], "related.ip": [ "10.249.174.35", - "10.198.150.185", "10.51.245.225", - "10.220.1.249" + "10.220.1.249", + "10.198.150.185" ], "related.user": [ "quela" @@ -3700,10 +3871,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.219", + "related.hosts": [ + "eosqui3723.api.localdomain" + ], "related.ip": [ - "10.190.96.181", "10.38.185.31", "10.251.82.195", + "10.190.96.181", "10.152.157.32" ], "related.user": [ @@ -3764,11 +3938,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6526", + "related.hosts": [ + "itaedict199.mail.corp" + ], "related.ip": [ - "10.190.247.194", "10.103.102.242", - "10.211.198.50", - "10.230.112.179" + "10.190.247.194", + "10.230.112.179", + "10.211.198.50" ], "related.user": [ "tDuisaut" @@ -3828,11 +4005,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7750", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], "related.ip": [ "10.219.83.199", "10.47.223.155", - "10.251.101.61", - "10.101.13.122" + "10.101.13.122", + "10.251.101.61" ], "related.user": [ "ectetur" 
@@ -3893,11 +4073,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5568", + "related.hosts": [ + "saute7421.www.invalid" + ], "related.ip": [ + "10.31.86.83", "10.21.30.43", - "10.83.136.233", "10.21.80.157", - "10.31.86.83" + "10.83.136.233" ], "related.user": [ "litsed" @@ -3958,11 +4141,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5445", + "related.hosts": [ + "oluptas1637.home" + ], "related.ip": [ - "10.195.90.73", + "10.27.181.27", "10.45.152.205", "10.194.197.107", - "10.27.181.27" + "10.195.90.73" ], "related.user": [ "datatn" @@ -4023,11 +4209,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.508", + "related.hosts": [ + "ididu5505.api.localdomain" + ], "related.ip": [ "10.222.2.132", + "10.183.90.25", "10.43.239.97", - "10.129.161.18", - "10.183.90.25" + "10.129.161.18" ], "related.user": [ "aedicta" @@ -4087,11 +4276,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4479", + "related.hosts": [ + "mqui1099.api.corp" + ], "related.ip": [ + "10.67.129.100", "10.231.167.171", - "10.248.156.138", "10.189.162.131", - "10.67.129.100" + "10.248.156.138" ], "related.user": [ "sedquia" @@ -4152,11 +4344,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2927", + "related.hosts": [ + "siuta2155.lan" + ], "related.ip": [ - "10.63.103.30", - "10.142.106.66", "10.6.146.184", - "10.185.107.27" + "10.185.107.27", + "10.63.103.30", + "10.142.106.66" ], "related.user": [ "sequu" @@ -4216,11 +4411,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4023", + "related.hosts": [ + "tatiset4191.localdomain" + ], "related.ip": [ "10.93.39.237", "10.119.179.182", - "10.214.93.200", - "10.0.202.9" + "10.0.202.9", + "10.214.93.200" ], "related.user": [ "tionofd" 
@@ -4281,9 +4479,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5939", + "related.hosts": [ + "aute2433.mail.lan" + ], "related.ip": [ - "10.252.204.162", "10.28.145.163", + "10.252.204.162", "10.123.154.140", "10.30.189.166" ], @@ -4345,10 +4546,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6564", + "related.hosts": [ + "idolo6535.internal.example" + ], "related.ip": [ + "10.145.128.250", "10.79.49.3", "10.46.162.198", - "10.145.128.250", "10.29.122.183" ], "related.user": [ @@ -4410,10 +4614,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3341", + "related.hosts": [ + "one7728.api.localdomain" + ], "related.ip": [ + "10.166.169.167", "10.65.174.196", "10.177.232.136", - "10.166.169.167", "10.142.235.217" ], "related.user": [ @@ -4475,10 +4682,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.325", + "related.hosts": [ + "uptatem4446.internal.localhost" + ], "related.ip": [ "10.29.217.44", - "10.191.78.86", "10.215.184.154", + "10.191.78.86", "10.53.188.140" ], "related.user": [ @@ -4540,11 +4750,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3567", + "related.hosts": [ + "emq2514.api.localhost" + ], "related.ip": [ "10.135.77.156", - "10.74.74.129", + "10.46.222.149", "10.76.148.147", - "10.46.222.149" + "10.74.74.129" ], "related.user": [ "urve" @@ -4604,11 +4817,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1186", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ - "10.130.203.37", "10.145.49.29", + "10.96.200.223", "10.11.146.253", - "10.96.200.223" + "10.130.203.37" ], "related.user": [ "mvele" 
@@ -4668,10 +4884,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6845", + "related.hosts": [ + "ipi4827.mail.lan" + ], "related.ip": [ - "10.48.75.140", - "10.162.78.48", "10.24.23.209", + "10.162.78.48", + "10.48.75.140", "10.162.2.180" ], "related.user": [ @@ -4732,9 +4951,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.419", + "related.hosts": [ + "sequatD163.internal.example" + ], "related.ip": [ - "10.66.92.83", "10.151.206.38", + "10.66.92.83", "10.119.12.186", "10.97.105.115" ], @@ -4796,11 +5018,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7551", + "related.hosts": [ + "itamet1303.invalid" + ], "related.ip": [ - "10.12.148.73", - "10.201.132.114", + "10.64.76.142", "10.169.139.250", - "10.64.76.142" + "10.12.148.73", + "10.201.132.114" ], "related.user": [ "borisnis" @@ -4861,10 +5086,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5292", + "related.hosts": [ + "epr3512.internal.domain" + ], "related.ip": [ - "10.35.38.185", - "10.9.236.18", "10.111.128.11", + "10.9.236.18", + "10.35.38.185", "10.200.116.191" ], "related.user": [ @@ -4925,11 +5153,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5991", + "related.hosts": [ + "uredol2174.home" + ], "related.ip": [ - "10.236.67.227", "10.134.238.8", - "10.240.62.238", - "10.191.27.182" + "10.191.27.182", + "10.236.67.227", + "10.240.62.238" ], "related.user": [ "tlabo" @@ -4989,11 +5220,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6837", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], "related.ip": [ "10.109.14.142", + "10.22.231.91", "10.65.35.64", - "10.165.66.92", - "10.22.231.91" + "10.165.66.92" ], "related.user": [ "perna" 
@@ -5053,11 +5287,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.99", + "related.hosts": [ + "inimav5557.www5.test" + ], "related.ip": [ - "10.29.230.203", - "10.89.221.90", + "10.64.161.215", "10.71.112.86", - "10.64.161.215" + "10.89.221.90", + "10.29.230.203" ], "related.user": [ "rnatur" @@ -5117,11 +5354,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5232", + "related.hosts": [ + "nonn1650.www.test" + ], "related.ip": [ - "10.140.118.182", - "10.88.226.76", "10.221.199.137", - "10.79.208.135" + "10.88.226.76", + "10.79.208.135", + "10.140.118.182" ], "related.user": [ "erspic" @@ -5182,11 +5422,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2492", + "related.hosts": [ + "acons3940.api.lan" + ], "related.ip": [ - "10.133.48.55", - "10.126.61.230", "10.35.73.208", - "10.189.244.22" + "10.126.61.230", + "10.189.244.22", + "10.133.48.55" ], "related.user": [ "tia" @@ -5246,10 +5489,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4044", + "related.hosts": [ + "suscipit587.www.localhost" + ], "related.ip": [ - "10.81.154.115", "10.240.94.109", "10.239.194.105", + "10.81.154.115", "10.35.65.72" ], "related.user": [ @@ -5311,11 +5557,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2307", + "related.hosts": [ + "mnisiut6146.internal.local" + ], "related.ip": [ "10.150.56.227", - "10.38.253.213", + "10.52.70.192", "10.248.72.104", - "10.52.70.192" + "10.38.253.213" ], "related.user": [ "ionem" @@ -5376,10 +5625,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2031", + "related.hosts": [ + "borios1067.www5.home" + ], "related.ip": [ - "10.73.172.186", "10.218.15.164", "10.62.218.239", + "10.73.172.186", "10.203.193.134" ], "related.user": [ 
@@ -5440,11 +5692,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2555", + "related.hosts": [ + "msequ323.www.example" + ], "related.ip": [ - "10.60.20.76", "10.10.46.43", - "10.136.211.234", - "10.131.127.113" + "10.131.127.113", + "10.60.20.76", + "10.136.211.234" ], "related.user": [ "nev" @@ -5505,11 +5760,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3291", + "related.hosts": [ + "tdolorem813.internal.host" + ], "related.ip": [ - "10.233.181.250", "10.248.0.74", - "10.50.177.151", - "10.187.237.220" + "10.233.181.250", + "10.187.237.220", + "10.50.177.151" ], "related.user": [ "ugiatq" @@ -5570,11 +5828,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2859", + "related.hosts": [ + "volupt4626.internal.test" + ], "related.ip": [ - "10.248.248.120", "10.96.223.46", + "10.80.129.81", "10.189.43.11", - "10.80.129.81" + "10.248.248.120" ], "related.user": [ "iatn" @@ -5635,10 +5896,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1910", + "related.hosts": [ + "ntium5103.www5.localhost" + ], "related.ip": [ - "10.173.114.63", - "10.102.109.199", "10.91.115.139", + "10.102.109.199", + "10.173.114.63", "10.66.106.186" ], "related.user": [ @@ -5700,10 +5964,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3690", + "related.hosts": [ + "orpori3334.www.local" + ], "related.ip": [ - "10.159.155.88", "10.0.175.17", "10.198.157.122", + "10.159.155.88", "10.221.223.127" ], "related.user": [ @@ -5764,6 +6031,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6302", + "related.hosts": [ + "equu7361.www5.localdomain" + ], "related.ip": [ "10.252.136.130", "10.189.70.237", 
@@ -5829,11 +6099,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2037", + "related.hosts": [ + "tse2979.internal.localhost" + ], "related.ip": [ - "10.102.109.194", "10.60.224.93", "10.242.121.165", - "10.83.105.69" + "10.83.105.69", + "10.102.109.194" ], "related.user": [ "mni" @@ -5894,10 +6167,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7314", + "related.hosts": [ + "uisnostr2390.mail.domain" + ], "related.ip": [ - "10.251.167.219", "10.219.174.45", "10.181.134.69", + "10.251.167.219", "10.17.20.93" ], "related.user": [ @@ -5959,11 +6235,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.596", + "related.hosts": [ + "luptate4811.mail.example" + ], "related.ip": [ - "10.30.117.82", "10.28.233.253", - "10.223.99.90", - "10.37.14.20" + "10.37.14.20", + "10.30.117.82", + "10.223.99.90" ], "related.user": [ "numqua" @@ -6024,11 +6303,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.95", + "related.hosts": [ + "lites1614.www.corp" + ], "related.ip": [ - "10.50.61.114", - "10.125.20.22", "10.57.85.113", - "10.8.32.17" + "10.8.32.17", + "10.50.61.114", + "10.125.20.22" ], "related.user": [ "qua" @@ -6089,10 +6371,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3064", + "related.hosts": [ + "lorinrep7686.mail.corp" + ], "related.ip": [ - "10.113.78.101", "10.200.28.55", "10.215.224.27", + "10.113.78.101", "10.181.63.82" ], "related.user": [ @@ -6154,10 +6439,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4522", + "related.hosts": [ + "nderit6272.mail.example" + ], "related.ip": [ - "10.139.20.223", - "10.177.14.106", "10.243.43.168", + "10.177.14.106", + "10.139.20.223", "10.169.95.128" ], "related.user": [ 
@@ -6219,11 +6507,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7456", + "related.hosts": [ + "ntu1279.mail.lan" + ], "related.ip": [ "10.92.168.198", "10.90.93.4", - "10.18.176.44", - "10.39.100.88" + "10.39.100.88", + "10.18.176.44" ], "related.user": [ "adminima" @@ -6284,10 +6575,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2909", + "related.hosts": [ + "essequam1161.domain" + ], "related.ip": [ - "10.49.68.8", "10.163.203.191", "10.193.43.135", + "10.49.68.8", "10.173.13.179" ], "related.user": [ @@ -6348,11 +6642,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7726", + "related.hosts": [ + "cipitl2184.localdomain" + ], "related.ip": [ - "10.31.147.51", - "10.84.64.28", "10.240.47.113", - "10.209.226.7" + "10.209.226.7", + "10.31.147.51", + "10.84.64.28" ], "related.user": [ "ull" @@ -6413,11 +6710,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.292", + "related.hosts": [ + "item3647.home" + ], "related.ip": [ - "10.32.20.4", + "10.225.189.229", "10.86.1.244", "10.52.13.192", - "10.225.189.229" + "10.32.20.4" ], "related.user": [ "odtemp" diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index 2cfda9d24b5..72e7af4e030 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml index e8059307928..8dbd2e2e6cb 100644 --- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index b3f74874b99..fe5ce75e182 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -42,6 +42,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 6153, + "related.hosts": [ + "sist1803.mail.local" + ], "rsa.internal.messageid": "01490504", "rsa.misc.log_session_id": "deF", "rsa.misc.severity": "medium", @@ -809,6 +812,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 7589, + "related.hosts": [ + "dolores2519.mail.host" + ], "related.user": [ "tob" ], @@ -839,6 +845,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 5899, + "related.hosts": [ + "luptat2979.internal.local" + ], "related.user": [ "iqua" ], @@ -974,8 +983,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.122.204.151", - "10.169.101.161" + "10.169.101.161", + "10.122.204.151" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", @@ -1556,8 +1565,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.187.64.126", - "10.47.99.72" + "10.47.99.72", + "10.187.64.126" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml index 2792f46aafd..40b42e4e527 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml 
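Review bot: The new `append` copies `rsa.web.fqdn` into `related.hosts` verbatim, so the case of the source value is preserved; hostnames are case-insensitive while `related.hosts` is a keyword field matched exactly, so a mixed-case FQDN in one event and a lowercase one in another will not pivot together (the regenerated F5 fixtures in this same commit contain entries such as `sequatD163.internal.example`). Consider adding `- lowercase: {field: related.hosts, ignore_missing: true}` after the append, or documenting that correlation queries on this field must be case-insensitive. The `if` only rejects null and the empty string; if the converter can emit `rsa.web.fqdn` as a list, the mustache template `{{rsa.web.fqdn}}` would append the list's string form as a single entry rather than one host per element, which is worth a fixture if that shape is possible. The processors list begins and ends outside the hunk.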
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml index 36997bc4379..28bbbd0e58e 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 3b9dc0716ec..69eab97fe35 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -20,6 +20,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7880, + "related.hosts": [ + "boNemoe4402.www.invalid", + "litesse6379.api.domain" + ], "related.ip": [ "10.150.92.220", "10.102.123.34" @@ -75,9 +79,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4539, + "related.hosts": [ + "olupt4880.api.home", + "gnaali6189.internal.localhost" + ], "related.ip": [ - "10.149.203.46", - "10.33.212.159" + "10.33.212.159", + "10.149.203.46" ], "related.user": [ "mipsumq" 
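Review bot: The first new `append` feeds `host.name` into `related.hosts`, and in Filebeat `host.name` is normally the collecting host rather than a host seen in the event unless this pipeline sets it from the log earlier; if that is the case here, every event would pivot to the collector and `related.hosts` would stop identifying the hosts actually involved, so this is worth confirming against the part of the pipeline outside the hunk (the regenerated fixtures show two distinct hosts per event, which suggests the field is log-derived, but presumably those tests run without the Beat's own host metadata). Both values are copied verbatim with their original case (the fixtures contain `boNemoe4402.www.invalid` and `CSed2857.www5.example`), while `related.hosts` is a keyword field matched exactly; consider a `- lowercase: {field: related.hosts, ignore_missing: true}` step after the two appends so pivots across modules match regardless of how the source spelled the name. The two conditions also differ only in the field path; a short comment above them, e.g. `# related.hosts: endpoint hostname and the server it contacted`, would make the intent of each append clear to the next maintainer. The processors list begins and ends outside the hunk.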
@@ -130,6 +138,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 445, + "related.hosts": [ + "aqu1628.internal.domain", + "quis1130.internal.corp" + ], "related.ip": [ "10.118.175.9", "10.173.116.41" @@ -185,9 +197,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5712, + "related.hosts": [ + "tinculp2940.internal.local", + "reprehe189.internal.home" + ], "related.ip": [ - "10.202.204.154", - "10.134.137.177" + "10.134.137.177", + "10.202.204.154" ], "related.user": [ "orsitame" @@ -240,9 +256,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6557, + "related.hosts": [ + "rad2103.api.domain", + "enimad2283.internal.domain" + ], "related.ip": [ - "10.70.0.60", - "10.245.142.250" + "10.245.142.250", + "10.70.0.60" ], "related.user": [ "eos" @@ -295,9 +315,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2061, + "related.hosts": [ + "enim5316.www5.local", + "doloreeu3553.www5.home" + ], "related.ip": [ - "10.202.72.124", - "10.200.188.142" + "10.200.188.142", + "10.202.72.124" ], "related.user": [ "iusmodt" @@ -350,9 +374,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5722, + "related.hosts": [ + "reetdolo2770.www5.local", + "iutal13.api.localdomain" + ], "related.ip": [ - "10.214.225.125", - "10.12.44.169" + "10.12.44.169", + "10.214.225.125" ], "related.user": [ "erep" @@ -405,6 +433,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5037, + "related.hosts": [ + "isiu1114.internal.corp", + "uovol492.www.localhost" + ], "related.ip": [ "10.198.136.50", "10.66.108.11" @@ -460,6 +492,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 776, + "related.hosts": [ + "usmodte1296.www.corp", + "osquir6997.corp" + ], "related.ip": [ "10.69.20.77", "10.178.244.31" 
@@ -515,6 +551,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6096, + "related.hosts": [ + "tatno4987.www5.localhost", + "eniam7007.api.invalid" + ], "related.ip": [ "10.54.231.100", "10.203.5.162" @@ -570,9 +610,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7307, + "related.hosts": [ + "tatno6787.internal.localhost", + "snulapar3794.api.domain" + ], "related.ip": [ - "10.136.252.240", - "10.65.83.160" + "10.65.83.160", + "10.136.252.240" ], "related.user": [ "ender" @@ -625,6 +669,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2703, + "related.hosts": [ + "essecill2595.mail.local", + "liq5883.localdomain" + ], "related.ip": [ "10.210.213.18", "10.57.40.29" @@ -680,6 +728,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5166, + "related.hosts": [ + "ali6446.localhost", + "rsint7026.test" + ], "related.ip": [ "10.144.82.69", "10.200.156.102" @@ -735,6 +787,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7668, + "related.hosts": [ + "torev7118.internal.domain", + "qua2945.www.local" + ], "related.ip": [ "10.109.232.112", "10.72.58.135" @@ -790,9 +846,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1044, + "related.hosts": [ + "dolore6103.www5.example", + "luptat6494.www.example" + ], "related.ip": [ - "10.38.22.45", - "10.72.29.73" + "10.72.29.73", + "10.38.22.45" ], "related.user": [ "onproide" @@ -845,6 +905,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7183, + "related.hosts": [ + "errorsi6996.www.domain", + "moenimi6317.internal.invalid" + ], "related.ip": [ "10.70.95.74", "10.76.72.111" @@ -900,6 +964,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6907, + "related.hosts": [ + "lumquido5839.api.corp", + "tion1761.home" + ], "related.ip": [ "10.73.69.75", "10.19.201.13" 
@@ -955,6 +1023,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 499, + "related.hosts": [ + "aperia4409.www5.invalid", + "santium4235.api.local" + ], "related.ip": [ "10.84.105.75", "10.78.151.178" @@ -1010,6 +1082,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1531, + "related.hosts": [ + "tem2496.api.lan", + "CSed2857.www5.example" + ], "related.ip": [ "10.25.192.202", "10.135.233.146" @@ -1065,9 +1141,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6051, + "related.hosts": [ + "eme6710.mail.invalid", + "equep5085.mail.domain" + ], "related.ip": [ - "10.121.219.204", - "10.104.134.200" + "10.104.134.200", + "10.121.219.204" ], "related.user": [ "uptat" @@ -1120,9 +1200,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6994, + "related.hosts": [ + "ihilm1669.mail.invalid", + "conseq557.mail.lan" + ], "related.ip": [ - "10.191.105.82", - "10.225.160.182" + "10.225.160.182", + "10.191.105.82" ], "related.user": [ "eirure" @@ -1175,6 +1259,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5200, + "related.hosts": [ + "umexerci1284.internal.localdomain", + "ite2026.www.invalid" + ], "related.ip": [ "10.141.44.153", "10.161.57.8" @@ -1230,6 +1318,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3365, + "related.hosts": [ + "adol485.example", + "lit5929.test" + ], "related.ip": [ "10.153.111.103", "10.6.167.7" @@ -1285,6 +1377,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1835, + "related.hosts": [ + "evita5008.www.localdomain", + "oru6938.invalid" + ], "related.ip": [ "10.248.204.182", "10.134.148.219" @@ -1340,6 +1436,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2019, + "related.hosts": [ + "tsedqu2456.www5.invalid", + "etdol5473.local" + ], "related.ip": [ "10.163.5.243", "10.178.77.231" 
@@ -1395,9 +1495,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2493, + "related.hosts": [ + "ris3314.mail.invalid", + "nimid893.mail.corp" + ], "related.ip": [ - "10.177.194.18", - "10.221.89.228" + "10.221.89.228", + "10.177.194.18" ], "related.user": [ "aliquam" @@ -1450,6 +1554,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3022, + "related.hosts": [ + "reme622.mail.example", + "rumwritt6003.host" + ], "related.ip": [ "10.32.239.1", "10.241.65.49" @@ -1505,9 +1613,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2328, + "related.hosts": [ + "non3341.mail.invalid", + "xeacomm6855.api.corp" + ], "related.ip": [ - "10.101.57.120", - "10.168.90.81" + "10.168.90.81", + "10.101.57.120" ], "related.user": [ "eporr" @@ -1560,6 +1672,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1156, + "related.hosts": [ + "ris727.api.local", + "icabo4125.mail.domain" + ], "related.ip": [ "10.130.14.60", "10.14.211.43" @@ -1615,9 +1731,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6003, + "related.hosts": [ + "stquido5705.api.host", + "ionofdeF5643.www.localhost" + ], "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "related.user": [ "evolup" @@ -1670,9 +1790,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5651, + "related.hosts": [ + "etcons7378.api.lan", + "orem6702.invalid" + ], "related.ip": [ - "10.72.93.28", - "10.111.187.12" + "10.111.187.12", + "10.72.93.28" ], "related.user": [ "niamqui" @@ -1725,6 +1849,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3470, + "related.hosts": [ + "vita2681.www5.local", + "oin6780.mail.domain" + ], "related.ip": [ "10.27.14.168", "10.66.2.232" 
@@ -1780,6 +1908,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6932, + "related.hosts": [ + "tnulapa7592.www.local", + "eprehen3224.www5.localdomain" + ], "related.ip": [ "10.195.2.130", "10.75.99.127" @@ -1835,6 +1967,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6945, + "related.hosts": [ + "lup2134.www.localhost", + "ptasn6599.www.localhost" + ], "related.ip": [ "10.201.238.90", "10.245.104.182" @@ -1890,9 +2026,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 853, + "related.hosts": [ + "tanimid3337.mail.corp", + "nisist2752.home" + ], "related.ip": [ - "10.105.91.31", - "10.217.150.196" + "10.217.150.196", + "10.105.91.31" ], "related.user": [ "con" @@ -1945,9 +2085,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4153, + "related.hosts": [ + "eumiu765.api.lan", + "gitsedqu2649.mail.lan" + ], "related.ip": [ - "10.4.157.1", - "10.184.18.202" + "10.184.18.202", + "10.4.157.1" ], "related.user": [ "oditem" @@ -2000,9 +2144,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1693, + "related.hosts": [ + "mquelau5326.mail.lan", + "entsunt3962.www.example" + ], "related.ip": [ - "10.255.39.252", - "10.113.95.59" + "10.113.95.59", + "10.255.39.252" ], "related.user": [ "persp" @@ -2055,9 +2203,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 337, + "related.hosts": [ + "idestlab2631.www.lan", + "tut2703.www.host" + ], "related.ip": [ - "10.83.177.2", - "10.27.16.118" + "10.27.16.118", + "10.83.177.2" ], "related.user": [ "borios" @@ -2110,6 +2262,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7041, + "related.hosts": [ + "inesci6789.test", + "entorev160.test" + ], "related.ip": [ "10.167.227.44", "10.38.54.72" 
@@ -2165,6 +2321,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3854, + "related.hosts": [ + "ccaeca7077.internal.corp", + "proide3714.mail.localdomain" + ], "related.ip": [ "10.215.205.216", "10.216.54.184" @@ -2220,6 +2380,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 55, + "related.hosts": [ + "ima2031.api.corp", + "tot5313.mail.invalid" + ], "related.ip": [ "10.9.18.237", "10.9.12.248" @@ -2275,9 +2439,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 228, + "related.hosts": [ + "ian867.internal.corp", + "rumet3801.internal.domain" + ], "related.ip": [ - "10.83.130.226", - "10.41.123.102" + "10.41.123.102", + "10.83.130.226" ], "related.user": [ "tenim" @@ -2330,9 +2498,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4253, + "related.hosts": [ + "lorin4249.corp", + "liqua2834.www5.lan" + ], "related.ip": [ - "10.80.152.108", - "10.175.112.197" + "10.175.112.197", + "10.80.152.108" ], "related.user": [ "tametcon" @@ -2385,6 +2557,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2200, + "related.hosts": [ + "gnaaliqu3935.api.test", + "sequat7273.api.host" + ], "related.ip": [ "10.134.18.114", "10.142.25.100" @@ -2440,6 +2616,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5717, + "related.hosts": [ + "nsequat1859.internal.localhost", + "uidol4575.localhost" + ], "related.ip": [ "10.28.118.160", "10.223.119.218" @@ -2495,6 +2675,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4469, + "related.hosts": [ + "ritin2495.api.corp", + "oremq2000.api.corp" + ], "related.ip": [ "10.47.28.48", "10.110.114.175" 
@@ -2550,6 +2734,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5524, + "related.hosts": [ + "tetur2694.mail.local", + "oremi1485.api.localhost" + ], "related.ip": [ "10.40.251.202", "10.90.33.138" @@ -2605,9 +2793,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3624, + "related.hosts": [ + "rem7043.localhost", + "sequatD5469.www5.lan" + ], "related.ip": [ - "10.227.173.252", - "10.65.2.106" + "10.65.2.106", + "10.227.173.252" ], "related.user": [ "itation" @@ -2660,6 +2852,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1609, + "related.hosts": [ + "emqu2846.internal.home", + "item2738.test" + ], "related.ip": [ "10.28.84.106", "10.193.233.229" @@ -2715,9 +2911,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6248, + "related.hosts": [ + "dqu6144.api.localhost", + "iosamnis1047.internal.localdomain" + ], "related.ip": [ - "10.150.245.88", - "10.210.89.183" + "10.210.89.183", + "10.150.245.88" ], "related.user": [ "sequa" @@ -2770,6 +2970,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7224, + "related.hosts": [ + "giatquov1918.internal.example", + "orroq6677.internal.example" + ], "related.ip": [ "10.85.185.13", "10.180.195.43" @@ -2825,6 +3029,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 430, + "related.hosts": [ + "estl5804.internal.local", + "onevo4326.internal.local" + ], "related.ip": [ "10.210.28.247", "10.207.211.230" @@ -2880,9 +3088,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3589, + "related.hosts": [ + "Sedut1775.www.domain", + "itaedict7233.mail.localdomain" + ], "related.ip": [ - "10.248.165.185", - "10.86.11.48" + "10.86.11.48", + "10.248.165.185" ], "related.user": [ "dquiac" 
@@ -2935,9 +3147,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4814, + "related.hosts": [ + "mac7484.www5.test", + "numquam5869.internal.example" + ], "related.ip": [ - "10.47.125.38", - "10.118.6.177" + "10.118.6.177", + "10.47.125.38" ], "related.user": [ "quunt" @@ -2990,6 +3206,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 276, + "related.hosts": [ + "oin1140.mail.localhost", + "onu6137.api.home" + ], "related.ip": [ "10.60.142.127", "10.50.233.155" @@ -3045,6 +3265,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2452, + "related.hosts": [ + "naaliq3710.api.local", + "aecatcup2241.www5.test" + ], "related.ip": [ "10.28.82.189", "10.120.10.211" @@ -3100,6 +3324,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3453, + "related.hosts": [ + "volupta3552.internal.localhost", + "labor6360.mail.local" + ], "related.ip": [ "10.31.237.225", "10.6.38.163" @@ -3155,9 +3383,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2302, + "related.hosts": [ + "onse380.internal.localdomain", + "mveleum4322.www5.host" + ], "related.ip": [ - "10.125.165.144", - "10.226.5.189" + "10.226.5.189", + "10.125.165.144" ], "related.user": [ "mvolu" @@ -3210,6 +3442,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7079, + "related.hosts": [ + "queips4947.mail.example", + "archite1843.mail.home" + ], "related.ip": [ "10.46.56.204", "10.97.149.97" @@ -3265,9 +3501,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5773, + "related.hosts": [ + "oloreseo5039.test", + "itanim4024.api.example" + ], "related.ip": [ - "10.218.0.197", - "10.28.105.124" + "10.28.105.124", + "10.218.0.197" ], "related.user": [ "ntNe" 
@@ -3320,6 +3560,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1586, + "related.hosts": [ + "minim459.mail.local", + "nreprehe715.api.home" + ], "related.ip": [ "10.17.87.79", "10.123.199.198" @@ -3375,9 +3619,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5137, + "related.hosts": [ + "eratv211.api.host", + "unte893.internal.host" + ], "related.ip": [ - "10.115.68.40", - "10.38.86.177" + "10.38.86.177", + "10.115.68.40" ], "related.user": [ "mpo" @@ -3430,9 +3678,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5704, + "related.hosts": [ + "aparia1179.www.localdomain", + "aspe951.mail.domain" + ], "related.ip": [ - "10.193.118.163", - "10.115.174.107" + "10.115.174.107", + "10.193.118.163" ], "related.user": [ "exeacomm" @@ -3485,6 +3737,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2310, + "related.hosts": [ + "iatqu6203.mail.corp", + "dipiscin4957.www.home" + ], "related.ip": [ "10.77.77.208", "10.37.128.49" @@ -3540,6 +3796,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5398, + "related.hosts": [ + "ptasnula6576.api.invalid", + "econs2687.internal.localdomain" + ], "related.ip": [ "10.54.73.158", "10.1.96.93" @@ -3595,6 +3855,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2465, + "related.hosts": [ + "mag1506.internal.domain", + "tiumto5834.api.lan" + ], "related.ip": [ "10.182.152.242", "10.131.126.109" @@ -3650,6 +3914,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6064, + "related.hosts": [ + "fugits1163.host", + "iutal6032.www.test" + ], "related.ip": [ "10.181.247.224", "10.77.229.168" 
@@ -3705,9 +3973,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2861, + "related.hosts": [ + "gitse2463.www5.invalid", + "inculp2078.host" + ], "related.ip": [ - "10.72.162.6", - "10.235.116.121" + "10.235.116.121", + "10.72.162.6" ], "related.user": [ "oinv" @@ -3760,9 +4032,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3559, + "related.hosts": [ + "temse6953.www.example", + "mexerc2757.internal.home" + ], "related.ip": [ - "10.149.193.117", - "10.28.124.236" + "10.28.124.236", + "10.149.193.117" ], "related.user": [ "mullam" @@ -3815,6 +4091,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1710, + "related.hosts": [ + "deriti6952.mail.domain", + "squira4455.api.domain" + ], "related.ip": [ "10.196.96.162", "10.34.131.224" @@ -3870,6 +4150,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4984, + "related.hosts": [ + "abor1370.www.domain", + "emveleum3661.localhost" + ], "related.ip": [ "10.97.236.123", "10.77.78.180" @@ -3925,9 +4209,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3421, + "related.hosts": [ + "emullamc5418.mail.test", + "sedquiac6517.internal.localhost" + ], "related.ip": [ - "10.45.54.107", - "10.82.133.66" + "10.82.133.66", + "10.45.54.107" ], "related.user": [ "olorem" @@ -3980,6 +4268,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4020, + "related.hosts": [ + "squirati7050.www5.lan", + "veniam3148.www5.home" + ], "related.ip": [ "10.170.252.219", "10.180.180.230" @@ -4035,9 +4327,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 617, + "related.hosts": [ + "venia2079.mail.example", + "unt3559.www.home" + ], "related.ip": [ - "10.65.144.51", - "10.5.11.205" + "10.5.11.205", + "10.65.144.51" ], "related.user": [ "uptat" 
@@ -4090,6 +4386,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 487, + "related.hosts": [ + "snostrum3450.www5.localhost", + "rere5274.mail.domain" + ], "related.ip": [ "10.76.122.196", "10.195.223.82" @@ -4145,6 +4445,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2442, + "related.hosts": [ + "gelitsed3249.corp", + "uaeabi3728.www5.invalid" + ], "related.ip": [ "10.225.255.211", "10.138.210.116" @@ -4200,6 +4504,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6311, + "related.hosts": [ + "dolor7082.internal.localhost", + "uamqu2804.test" + ], "related.ip": [ "10.250.81.189", "10.219.1.151" @@ -4255,6 +4563,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7128, + "related.hosts": [ + "totam6886.api.localhost", + "olor5201.host" + ], "related.ip": [ "10.54.23.133", "10.76.125.70" @@ -4310,9 +4622,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2780, + "related.hosts": [ + "laborum5749.www.example", + "eufug3348.www.lan" + ], "related.ip": [ - "10.36.110.69", - "10.189.42.62" + "10.189.42.62", + "10.36.110.69" ], "related.user": [ "eque" @@ -4365,6 +4681,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3284, + "related.hosts": [ + "lup3313.api.home", + "stquidol239.www5.invalid" + ], "related.ip": [ "10.47.179.68", "10.183.202.82" @@ -4420,6 +4740,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2314, + "related.hosts": [ + "edq5397.www.test", + "gia6531.mail.invalid" + ], "related.ip": [ "10.73.28.165", "10.221.206.74" @@ -4475,9 +4799,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5284, + "related.hosts": [ + "udan6536.www5.test", + "lamcola4879.www5.localdomain" + ], "related.ip": [ - "10.85.104.146", - "10.14.204.36" + "10.14.204.36", + "10.85.104.146" ], "related.user": [ "emp" 
@@ -4530,6 +4858,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3990, + "related.hosts": [ + "rumet6923.www5.lan", + "edquian330.mail.local" + ], "related.ip": [ "10.208.18.210", "10.30.246.132" @@ -4585,6 +4917,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4337, + "related.hosts": [ + "itse522.internal.localdomain", + "santi837.api.domain" + ], "related.ip": [ "10.19.119.17", "10.106.249.91" @@ -4640,9 +4976,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5275, + "related.hosts": [ + "amc3059.local", + "lpaquiof804.internal.invalid" + ], "related.ip": [ - "10.181.41.154", - "10.29.109.126" + "10.29.109.126", + "10.181.41.154" ], "related.user": [ "labo" @@ -4695,6 +5035,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2286, + "related.hosts": [ + "enbyCi3813.api.domain", + "nonn4478.host" + ], "related.ip": [ "10.164.207.42", "10.164.120.197" @@ -4750,6 +5094,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2990, + "related.hosts": [ + "liquipex1155.mail.corp", + "amquaer3985.www5.example" + ], "related.ip": [ "10.183.189.133", "10.154.191.225" @@ -4805,9 +5153,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 226, + "related.hosts": [ + "isn3991.local", + "orem6317.local" + ], "related.ip": [ - "10.29.120.226", - "10.103.189.199" + "10.103.189.199", + "10.29.120.226" ], "related.user": [ "emu" @@ -4860,9 +5212,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4691, + "related.hosts": [ + "iumtotam1010.www5.corp", + "velill3230.www.corp" + ], "related.ip": [ - "10.210.153.7", - "10.133.254.23" + "10.133.254.23", + "10.210.153.7" ], "related.user": [ "voluptas" 
@@ -4915,9 +5271,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5647, + "related.hosts": [ + "onsecte91.www5.localdomain", + "orumS757.www5.corp" + ], "related.ip": [ - "10.126.245.73", - "10.91.2.135" + "10.91.2.135", + "10.126.245.73" ], "related.user": [ "olore" @@ -4970,6 +5330,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2313, + "related.hosts": [ + "abori7686.internal.host", + "emi4534.www.localdomain" + ], "related.ip": [ "10.137.85.123", "10.183.243.246" @@ -5025,6 +5389,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1585, + "related.hosts": [ + "reprehen3513.test", + "inimav1576.mail.example" + ], "related.ip": [ "10.61.225.196", "10.10.86.55" @@ -5080,6 +5448,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3141, + "related.hosts": [ + "orroquis284.api.domain", + "aturQu7083.mail.host" + ], "related.ip": [ "10.79.73.195", "10.125.143.153" @@ -5135,6 +5507,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6331, + "related.hosts": [ + "tionula2060.www5.localhost", + "lumqui7769.mail.local" + ], "related.ip": [ "10.64.139.17", "10.240.216.85" @@ -5190,9 +5566,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4474, + "related.hosts": [ + "rumSecti111.www5.domain", + "siarc6339.internal.corp" + ], "related.ip": [ - "10.87.90.49", - "10.222.245.80" + "10.222.245.80", + "10.87.90.49" ], "related.user": [ "ptatemse" @@ -5245,6 +5625,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4855, + "related.hosts": [ + "olores7881.local", + "ptatev6552.www.test" + ], "related.ip": [ "10.87.144.208", "10.143.53.214" 
@@ -5300,6 +5684,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1729, + "related.hosts": [ + "tDuis3281.www5.localdomain", + "byC5766.internal.home" + ], "related.ip": [ "10.105.97.134", "10.204.178.19" @@ -5355,9 +5743,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4493, + "related.hosts": [ + "uptasnul2751.www5.corp", + "hender6628.local" + ], "related.ip": [ - "10.161.64.168", - "10.194.67.223" + "10.194.67.223", + "10.161.64.168" ], "related.user": [ "tion" @@ -5410,9 +5802,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6094, + "related.hosts": [ + "upt6017.api.localdomain", + "xercit7649.www5.home" + ], "related.ip": [ - "10.100.154.220", - "10.120.148.241" + "10.120.148.241", + "10.100.154.220" ], "related.user": [ "rsitam" @@ -5465,6 +5861,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5012, + "related.hosts": [ + "tpers2217.internal.lan", + "porissu1470.domain" + ], "related.ip": [ "10.180.90.112", "10.116.153.19" diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml index a994af47a3b..ccee80408a8 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml index ef17c6f4130..f142da3fcfb 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json index a6b2f00ef54..e3803f80ef3 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json @@ -586,6 +586,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "lamcolab3252.www.invalid" + ], "related.ip": [ "10.179.124.125", "10.177.36.38" @@ -991,8 +994,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.140.7.83", - "10.68.246.187" + "10.68.246.187", + "10.140.7.83" ], "rsa.email.email_dst": "gna", "rsa.email.email_src": "icabo", @@ -1241,6 +1244,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "atise3421.www5.localdomain" + ], "related.ip": [ "10.179.210.218", "10.73.207.70" @@ -2640,9 +2646,12 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "mveni5084.internal.local" + ], "related.ip": [ - "10.62.61.1", - "10.144.111.42" + "10.144.111.42", + "10.62.61.1" ], "rsa.email.email_dst": "com", "rsa.email.email_src": "lam", @@ -3081,6 +3090,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "taevitae6868.www.corp" + ], "related.ip": [ "10.60.164.100", "10.161.1.146" 
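Review bot: The new `append` only collects `server.domain` into `related.hosts`, so any other hostname the pipeline already extracts (client/source/destination domains, if this module sets them — not visible in this hunk) would be absent from the field that ECS 1.6 introduces precisely so analysts can pivot on every host seen in an event. If such fields exist, add a parallel `append` per field, each keeping the same `allow_duplicates: false` and the null/empty guard, so the pivot is consistent across the Fortinet modules. The condition mixes `ctx?.server?.domain` with `ctx.server?.domain`; it is safe because `&&` short-circuits after the first test, but writing both operands the same way, `if: ctx?.server?.domain != null && ctx?.server?.domain != ''`, spares the next reader that check. The processors list this hunk edits continues outside the hunk.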
@@ -3178,9 +3190,12 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "tetura7106.www5.corp" + ], "related.ip": [ - "10.44.35.57", - "10.93.239.216" + "10.93.239.216", + "10.44.35.57" ], "rsa.email.email_dst": "ciun", "rsa.email.email_src": "vento", @@ -3779,8 +3794,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.201.105.58", - "10.251.183.113" + "10.251.183.113", + "10.201.105.58" ], "rsa.email.email_dst": "ionemu", "rsa.email.email_src": "ent", diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml index 5d399e10da5..735db765ff8 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml index 8452bb6c2bf..79b9a885628 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json index 58b8f8f4689..78030aa2c53 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json 
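Review bot: Appending `{{host.name}}` to `related.hosts` presumes `host.name` is the device hostname parsed from the FortiManager log; in Filebeat that field can also be the shipper's own hostname from host metadata, in which case every event would place the collector into the pivot field and dilute its value for investigations. If the pipeline sets `host.name` from the log earlier on (not visible in this hunk) this is fine; otherwise key the append on the parsed field instead. Any other host-bearing fields this pipeline populates (source/destination domains, observer hostname, if any) need their own `append` with the same `allow_duplicates: false` and null/empty guard. The processors list continues beyond the hunk.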
+++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -90,9 +90,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.410", + "related.hosts": [ + "aer445.host" + ], "related.ip": [ - "10.62.4.246", - "10.171.204.166" + "10.171.204.166", + "10.62.4.246" ], "related.user": [ "oluptas" @@ -102,8 +105,8 @@ "rsa.investigations.event_vcat": "eius", "rsa.misc.OS": "anonnu", "rsa.misc.action": [ - "mol", - "accept" + "accept", + "mol" ], "rsa.misc.category": "exe", "rsa.misc.client": "radip", @@ -177,9 +180,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.200.188.142", "10.94.103.117", - "10.15.159.80" + "10.15.159.80", + "10.200.188.142" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -241,9 +244,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.50.112.141", "10.131.233.27", - "10.27.88.95" + "10.27.88.95", + "10.50.112.141" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -307,6 +310,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5670", + "related.hosts": [ + "olo7148.mail.home" + ], "related.ip": [ "10.87.212.179", "10.157.213.15" @@ -319,8 +325,8 @@ "rsa.investigations.event_vcat": "aveniam", "rsa.misc.OS": "oll", "rsa.misc.action": [ - "allow", - "ali" + "ali", + "allow" ], "rsa.misc.category": "emeumfug", "rsa.misc.client": "caecatc", @@ -395,6 +401,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.152", + "related.hosts": [ + "agna7678.internal.host" + ], "related.ip": [ "10.76.73.140", "10.114.150.67" @@ -407,8 +416,8 @@ "rsa.investigations.event_vcat": "mwr", "rsa.misc.OS": "imaven", "rsa.misc.action": [ - "accept", - "uines" + "uines", + "accept" ], "rsa.misc.category": "uidolo", "rsa.misc.client": "emips", 
@@ -483,9 +492,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4059", + "related.hosts": [ + "equep5085.mail.domain" + ], "related.ip": [ - "10.195.36.51", - "10.95.64.124" + "10.95.64.124", + "10.195.36.51" ], "related.user": [ "nnum" @@ -495,8 +507,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "iadese", - "accept" + "accept", + "iadese" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -570,8 +582,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.176.216.90", "10.114.16.155", + "10.176.216.90", "10.186.85.3" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -635,6 +647,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3917", + "related.hosts": [ + "eturadi6608.mail.host" + ], "related.ip": [ "10.61.163.4", "10.23.62.94" @@ -647,8 +662,8 @@ "rsa.investigations.event_vcat": "oide", "rsa.misc.OS": "gel", "rsa.misc.action": [ - "cancel", - "luptatem" + "luptatem", + "cancel" ], "rsa.misc.category": "uir", "rsa.misc.client": "ratvolu", @@ -723,9 +738,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2580", + "related.hosts": [ + "ipsumdol4488.api.localdomain" + ], "related.ip": [ - "10.28.76.42", - "10.106.31.86" + "10.106.31.86", + "10.28.76.42" ], "related.user": [ "cons" @@ -811,8 +829,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.238.164.74", - "10.58.214.16", - "10.106.162.153" + "10.106.162.153", + "10.58.214.16" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -874,8 +892,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.217.150.196", "10.110.31.190", + "10.217.150.196", "10.225.141.20" ], "rsa.internal.messageid": "generic_fortinetmgr_1", 
@@ -939,9 +957,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3319", + "related.hosts": [ + "cusant4946.www.domain" + ], "related.ip": [ - "10.137.56.173", - "10.69.103.176" + "10.69.103.176", + "10.137.56.173" ], "related.user": [ "proide" @@ -1026,9 +1047,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.30.47.165", "10.5.235.217", - "10.25.212.118" + "10.25.212.118", + "10.30.47.165" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1091,9 +1112,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.225", + "related.hosts": [ + "ccaeca5504.internal.example" + ], "related.ip": [ - "10.40.152.253", - "10.149.13.76" + "10.149.13.76", + "10.40.152.253" ], "related.user": [ "tetur" @@ -1307,6 +1331,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1847", + "related.hosts": [ + "tore7088.www.invalid" + ], "related.ip": [ "10.199.47.220", "10.212.214.4" @@ -1395,9 +1422,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.760", + "related.hosts": [ + "mve1890.internal.home" + ], "related.ip": [ - "10.234.165.130", - "10.46.56.204" + "10.46.56.204", + "10.234.165.130" ], "related.user": [ "orese" @@ -1483,9 +1513,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4450", + "related.hosts": [ + "eturad6143.www.home" + ], "related.ip": [ - "10.95.117.134", - "10.128.46.70" + "10.128.46.70", + "10.95.117.134" ], "related.user": [ "enim" @@ -1495,8 +1528,8 @@ "rsa.investigations.event_vcat": "boNem", "rsa.misc.OS": "ntium", "rsa.misc.action": [ - "acommodi", - "block" + "block", + "acommodi" ], "rsa.misc.category": "inrepreh", "rsa.misc.client": "moles", 
@@ -1571,9 +1604,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7544", + "related.hosts": [ + "orinrep5386.www.corp" + ], "related.ip": [ - "10.208.21.135", - "10.253.228.140" + "10.253.228.140", + "10.208.21.135" ], "related.user": [ "inculp" @@ -1583,8 +1619,8 @@ "rsa.investigations.event_vcat": "emagn", "rsa.misc.OS": "oditempo", "rsa.misc.action": [ - "cancel", - "ugitse" + "ugitse", + "cancel" ], "rsa.misc.category": "magnid", "rsa.misc.client": "sci", @@ -1659,9 +1695,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1710", + "related.hosts": [ + "henderi724.www5.home" + ], "related.ip": [ - "10.243.226.122", - "10.3.23.172" + "10.3.23.172", + "10.243.226.122" ], "related.user": [ "olorem" @@ -1671,8 +1710,8 @@ "rsa.investigations.event_vcat": "ess", "rsa.misc.OS": "equatDu", "rsa.misc.action": [ - "emullamc", - "cancel" + "cancel", + "emullamc" ], "rsa.misc.category": "niamquis", "rsa.misc.client": "tutlabo", @@ -1747,9 +1786,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5380", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "related.ip": [ - "10.94.242.80", - "10.106.85.174" + "10.106.85.174", + "10.94.242.80" ], "related.user": [ "lmo" @@ -1835,9 +1877,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.168.20.20", "10.117.63.181", - "10.247.53.179" + "10.247.53.179", + "10.168.20.20" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1901,6 +1943,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2208", + "related.hosts": [ + "tasnul4179.internal.host" + ], "related.ip": [ "10.141.156.217", "10.53.168.187" 
@@ -1913,8 +1958,8 @@ "rsa.investigations.event_vcat": "illumq", "rsa.misc.OS": "idata", "rsa.misc.action": [ - "block", - "emacc" + "emacc", + "block" ], "rsa.misc.category": "ueporro", "rsa.misc.client": "veli", @@ -1990,6 +2035,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3402", + "related.hosts": [ + "bore5546.www.local" + ], "related.ip": [ "10.44.198.184", "10.189.82.19" @@ -2002,8 +2050,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "odoc", - "accept" + "accept", + "odoc" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2078,6 +2126,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.91", + "related.hosts": [ + "Utenima260.mail.invalid" + ], "related.ip": [ "10.151.170.207", "10.181.183.104" @@ -2090,8 +2141,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "onsecte", "rsa.misc.action": [ - "amni", - "cancel" + "cancel", + "amni" ], "rsa.misc.category": "umdolore", "rsa.misc.client": "modoc", @@ -2166,6 +2217,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7278", + "related.hosts": [ + "uido2046.mail.lan" + ], "related.ip": [ "10.70.7.23", "10.130.240.11" @@ -2178,8 +2232,8 @@ "rsa.investigations.event_vcat": "uatu", "rsa.misc.OS": "tnulapar", "rsa.misc.action": [ - "odic", - "deny" + "deny", + "odic" ], "rsa.misc.category": "deri", "rsa.misc.client": "scivelit", @@ -2318,8 +2372,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.170.196.181", - "10.153.166.133", - "10.158.175.98" + "10.158.175.98", + "10.153.166.133" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -2382,9 +2436,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5978", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ - "10.63.171.91", - "10.48.25.200" + "10.48.25.200", + "10.63.171.91" ], "related.user": [ "usanti" @@ -2533,9 +2590,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.225.37.73", + "10.166.142.198", "10.36.99.207", - "10.166.142.198" + "10.225.37.73" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2598,8 +2655,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.214.156.161", - "10.66.90.225", - "10.145.194.12" + "10.145.194.12", + "10.66.90.225" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2661,8 +2718,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.163.36.101", "10.156.208.5", + "10.163.36.101", "10.6.242.108" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2726,6 +2783,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4713", + "related.hosts": [ + "remeum2641.www5.corp" + ], "related.ip": [ "10.68.233.163", "10.220.148.127" @@ -2814,9 +2874,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4481", + "related.hosts": [ + "itaspe3216.localdomain" + ], "related.ip": [ - "10.94.177.125", - "10.116.82.108" + "10.116.82.108", + "10.94.177.125" ], "related.user": [ "ecatc" @@ -2826,8 +2889,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "nimides", - "allow" + "allow", + "nimides" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", 
@@ -2903,9 +2966,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4442", + "related.hosts": [ + "mea6298.api.example" + ], "related.ip": [ - "10.115.121.243", - "10.113.152.241" + "10.113.152.241", + "10.115.121.243" ], "related.user": [ "norumetM" @@ -2915,8 +2981,8 @@ "rsa.investigations.event_vcat": "teirured", "rsa.misc.OS": "oloremi", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "idolor", "rsa.misc.client": "imveni", @@ -2991,6 +3057,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3804", + "related.hosts": [ + "iqu7510.internal.corp" + ], "related.ip": [ "10.49.82.45", "10.179.153.97" @@ -3079,8 +3148,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.205.83.138", - "10.99.55.115", - "10.98.52.184" + "10.98.52.184", + "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3142,9 +3211,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.197.128.162", "10.228.11.50", - "10.90.189.248", - "10.197.128.162" + "10.90.189.248" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3247,9 +3316,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7318", + "related.hosts": [ + "deFinibu3940.internal.lan" + ], "related.ip": [ - "10.124.71.88", - "10.22.248.52" + "10.22.248.52", + "10.124.71.88" ], "related.user": [ "tcons" @@ -3335,9 +3407,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4895", + "related.hosts": [ + "tatiset4191.localdomain" + ], "related.ip": [ - "10.185.37.176", - "10.26.58.20" + "10.26.58.20", + "10.185.37.176" ], "related.user": [ "eumiure" 
@@ -3423,8 +3498,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.14.145.107", - "10.250.231.196", - "10.200.12.126" + "10.200.12.126", + "10.250.231.196" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3550,9 +3625,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.140.59.161", + "10.5.67.140", "10.118.111.183", - "10.5.67.140" + "10.140.59.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3615,6 +3690,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4493", + "related.hosts": [ + "nimadmi4084.api.home" + ], "related.ip": [ "10.7.70.169", "10.28.212.191" @@ -3627,8 +3705,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "nostru", - "accept" + "accept", + "nostru" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3703,6 +3781,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6506", + "related.hosts": [ + "reprehe3525.www5.example" + ], "related.ip": [ "10.143.144.52", "10.148.197.60" @@ -3715,8 +3796,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "nvo", - "block" + "block", + "nvo" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -3790,8 +3871,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.22.149.132", "10.217.145.137", + "10.22.149.132", "10.251.183.113" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3854,8 +3935,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.203.66.175", "10.51.60.203", + "10.203.66.175", "10.183.16.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", 
@@ -3919,6 +4000,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.409", + "related.hosts": [ + "ursint411.www.lan" + ], "related.ip": [ "10.61.200.105", "10.157.14.165" @@ -4007,9 +4091,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5475", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], "related.ip": [ - "10.242.178.15", - "10.217.111.77" + "10.217.111.77", + "10.242.178.15" ], "related.user": [ "nimadmin" @@ -4095,6 +4182,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.142", + "related.hosts": [ + "mco2906.domain" + ], "related.ip": [ "10.199.119.251", "10.86.152.227" @@ -4183,6 +4273,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1789", + "related.hosts": [ + "ntex5135.corp" + ], "related.ip": [ "10.239.194.105", "10.234.171.117" @@ -4195,8 +4288,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "tenatus", - "deny" + "deny", + "tenatus" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4271,9 +4364,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.249.16.201", "10.107.168.208", - "10.34.41.75" + "10.34.41.75", + "10.249.16.201" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4336,6 +4429,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6905", + "related.hosts": [ + "tat1845.internal.invalid" + ], "related.ip": [ "10.109.106.194", "10.96.168.24" @@ -4348,8 +4444,8 @@ "rsa.investigations.event_vcat": "agnaaliq", "rsa.misc.OS": "itte", "rsa.misc.action": [ - "allow", - "Sedut" + "Sedut", + "allow" ], "rsa.misc.category": "aqueip", "rsa.misc.client": "serr", 
@@ -4424,6 +4520,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1353", + "related.hosts": [ + "ulamc767.internal.lan" + ], "related.ip": [ "10.47.191.95", "10.112.155.228" @@ -4512,8 +4611,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.103.169.94", - "10.140.137.17", - "10.62.241.218" + "10.62.241.218", + "10.140.137.17" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4575,9 +4674,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.90.229.92", "10.251.212.166", - "10.77.105.160" + "10.77.105.160", + "10.90.229.92" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4640,9 +4739,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4261", + "related.hosts": [ + "spici5547.internal.test" + ], "related.ip": [ - "10.216.49.112", - "10.112.242.68" + "10.112.242.68", + "10.216.49.112" ], "related.user": [ "urmag" @@ -4728,9 +4830,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.491", + "related.hosts": [ + "istenatu3686.invalid" + ], "related.ip": [ - "10.96.100.84", - "10.182.58.108" + "10.182.58.108", + "10.96.100.84" ], "related.user": [ "lpaquiof" @@ -4740,8 +4845,8 @@ "rsa.investigations.event_vcat": "uatDuisa", "rsa.misc.OS": "citation", "rsa.misc.action": [ - "accept", - "utlabore" + "utlabore", + "accept" ], "rsa.misc.category": "reeu", "rsa.misc.client": "ntut", @@ -4816,8 +4921,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.246.41.77", - "10.157.22.21", - "10.228.61.5" + "10.228.61.5", + "10.157.22.21" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -4879,9 +4984,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.188.131.18", + "10.242.119.111", "10.239.231.168", - "10.242.119.111" + "10.188.131.18" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4944,9 +5049,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.979", + "related.hosts": [ + "tru3812.mail.lan" + ], "related.ip": [ - "10.106.101.87", - "10.247.124.74" + "10.247.124.74", + "10.106.101.87" ], "related.user": [ "ainci" @@ -4956,8 +5064,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "accept", - "inea" + "inea", + "accept" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5072,9 +5180,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4342", + "related.hosts": [ + "riaturE1644.www5.example" + ], "related.ip": [ - "10.162.114.52", - "10.215.144.167" + "10.215.144.167", + "10.162.114.52" ], "related.user": [ "erspici" @@ -5160,6 +5271,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6452", + "related.hosts": [ + "mdolo7008.api.corp" + ], "related.ip": [ "10.162.128.87", "10.78.75.82" @@ -5247,9 +5361,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.75.198.93", "10.137.36.151", - "10.51.106.43", - "10.75.198.93" + "10.51.106.43" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5376,9 +5490,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5718", + "related.hosts": [ + "itse5466.api.example" + ], "related.ip": [ - "10.26.4.3", - "10.217.209.221" + "10.217.209.221", + "10.26.4.3" ], "related.user": [ "ciduntut" 
@@ -5388,8 +5505,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "rsitame", - "deny" + "deny", + "rsitame" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5464,6 +5581,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6603", + "related.hosts": [ + "dquiac6194.api.lan" + ], "related.ip": [ "10.241.140.241", "10.180.162.174" @@ -5476,8 +5596,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "accept", - "ido" + "ido", + "accept" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5552,9 +5672,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2052", + "related.hosts": [ + "amco1592.mail.host" + ], "related.ip": [ - "10.62.140.108", - "10.110.99.222" + "10.110.99.222", + "10.62.140.108" ], "related.user": [ "moenimi" @@ -5564,8 +5687,8 @@ "rsa.investigations.event_vcat": "atvolupt", "rsa.misc.OS": "riosam", "rsa.misc.action": [ - "deny", - "ssitasp" + "ssitasp", + "deny" ], "rsa.misc.category": "enimadmi", "rsa.misc.client": "uatDui", @@ -5640,9 +5763,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2691", + "related.hosts": [ + "dicta7226.mail.example" + ], "related.ip": [ - "10.4.244.115", - "10.53.50.77" + "10.53.50.77", + "10.4.244.115" ], "related.user": [ "idolo" @@ -5652,8 +5778,8 @@ "rsa.investigations.event_vcat": "cupidata", "rsa.misc.OS": "ficiade", "rsa.misc.action": [ - "accept", - "lorem" + "lorem", + "accept" ], "rsa.misc.category": "iac", "rsa.misc.client": "tlabo", @@ -5728,8 +5854,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.236.211.111", - "10.221.100.157", - "10.120.212.78" + "10.120.212.78", + "10.221.100.157" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -5792,9 +5918,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3052", + "related.hosts": [ + "pidatatn2627.www.localdomain" + ], "related.ip": [ - "10.208.231.15", - "10.210.82.202" + "10.210.82.202", + "10.208.231.15" ], "related.user": [ "riatur" @@ -5879,8 +6008,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.226.255.3", "10.123.59.69", + "10.226.255.3", "10.53.251.202" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6008,9 +6137,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.95", + "related.hosts": [ + "emveleu4029.api.local" + ], "related.ip": [ - "10.236.175.163", - "10.126.11.186" + "10.126.11.186", + "10.236.175.163" ], "related.user": [ "udantiu" @@ -6020,8 +6152,8 @@ "rsa.investigations.event_vcat": "ill", "rsa.misc.OS": "eabill", "rsa.misc.action": [ - "cancel", - "atemqui" + "atemqui", + "cancel" ], "rsa.misc.category": "idatatno", "rsa.misc.client": "res", @@ -6095,9 +6227,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.83.98.220", + "10.11.150.136", "10.171.60.173", - "10.11.150.136" + "10.83.98.220" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6159,9 +6291,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.74.88.209", "10.92.3.166", - "10.238.49.73" + "10.238.49.73", + "10.74.88.209" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6224,8 +6356,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.119.248.36", - "10.84.200.121", - "10.187.107.47" + "10.187.107.47", + "10.84.200.121" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -6287,9 +6419,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.135.213.17", "10.167.128.229", - "10.30.239.222", - "10.135.213.17" + "10.30.239.222" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6352,6 +6484,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1028", + "related.hosts": [ + "rspic5637.api.local" + ], "related.ip": [ "10.169.133.219", "10.115.166.48" @@ -6364,8 +6499,8 @@ "rsa.investigations.event_vcat": "iumdol", "rsa.misc.OS": "min", "rsa.misc.action": [ - "block", - "eleumiur" + "eleumiur", + "block" ], "rsa.misc.category": "ero", "rsa.misc.client": "gia", @@ -6440,6 +6575,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4195", + "related.hosts": [ + "rror3870.www5.local" + ], "related.ip": [ "10.146.255.40", "10.226.39.82" @@ -6591,9 +6729,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.66.149.234", "10.186.253.240", - "10.233.128.7", - "10.66.149.234" + "10.233.128.7" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6655,9 +6793,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.173.140.201", "10.227.133.134", - "10.46.11.114" + "10.46.11.114", + "10.173.140.201" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6719,9 +6857,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.205.18.11", "10.69.130.207", - "10.170.236.123" + "10.170.236.123", + "10.205.18.11" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6784,6 +6922,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2682", + "related.hosts": [ + "velill3821.mail.invalid" + ], "related.ip": [ "10.97.254.192", "10.124.34.251" 
@@ -6796,8 +6937,8 @@ "rsa.investigations.event_vcat": "lica", "rsa.misc.OS": "taedi", "rsa.misc.action": [ - "imide", - "deny" + "deny", + "imide" ], "rsa.misc.category": "iurere", "rsa.misc.client": "ollitan", @@ -6871,9 +7012,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.9.41.221", "10.81.58.91", - "10.204.98.238", - "10.9.41.221" + "10.204.98.238" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6975,8 +7116,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.212.208.70", "10.35.84.125", + "10.212.208.70", "10.37.120.29" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7039,8 +7180,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.207.207.106", "10.199.201.26", + "10.207.207.106", "10.143.65.84" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7104,8 +7245,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.41.61.88", - "10.163.236.253", - "10.204.27.48" + "10.204.27.48", + "10.163.236.253" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7233,6 +7374,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.802", + "related.hosts": [ + "cupida6106.www5.local" + ], "related.ip": [ "10.146.77.206", "10.109.172.90" @@ -7245,8 +7389,8 @@ "rsa.investigations.event_vcat": "lupt", "rsa.misc.OS": "etdolo", "rsa.misc.action": [ - "allow", - "amnihilm" + "amnihilm", + "allow" ], "rsa.misc.category": "ntin", "rsa.misc.client": "xcep", @@ -7321,9 +7465,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2314", + "related.hosts": [ + "unt2122.internal.local" + ], "related.ip": [ - "10.38.18.72", - "10.202.250.141" + "10.202.250.141", + "10.38.18.72" ], "related.user": [ "maperia" 
@@ -7333,8 +7480,8 @@ "rsa.investigations.event_vcat": "rure", "rsa.misc.OS": "iquidexe", "rsa.misc.action": [ - "allow", - "volu" + "volu", + "allow" ], "rsa.misc.category": "ium", "rsa.misc.client": "liquip", @@ -7409,9 +7556,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4674", + "related.hosts": [ + "luptat2613.internal.localhost" + ], "related.ip": [ - "10.139.144.75", - "10.182.124.88" + "10.182.124.88", + "10.139.144.75" ], "related.user": [ "modo" @@ -7421,8 +7571,8 @@ "rsa.investigations.event_vcat": "tfug", "rsa.misc.OS": "imipsam", "rsa.misc.action": [ - "block", - "utodi" + "utodi", + "block" ], "rsa.misc.category": "cid", "rsa.misc.client": "mquaerat", @@ -7497,6 +7647,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1386", + "related.hosts": [ + "neavo4796.internal.domain" + ], "related.ip": [ "10.188.124.185", "10.35.10.19"
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
index 68b88a27df5..e9d408c7b22 100644
--- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml
+++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
index 3ff3b353c28..a51475c0588 100644
--- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
index 555b06cb1da..7894d6ff317 100644
--- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json
@@ -19,9 +19,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis5408.mail.local" + ], "related.ip": [ - "10.70.155.35", - "10.81.122.126" + "10.81.122.126", + "10.70.155.35" ], "related.user": [ "magn", @@ -105,14 +108,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ccusan7572.api.home" + ], "related.ip": [ - "10.159.182.171", - "10.58.116.231" + "10.58.116.231", + "10.159.182.171" ], "related.user": [ - "qua", + "temUten", "uradi", - "temUten" + "qua" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -160,13 +166,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "elaudant5931.internal.invalid" + ], "related.ip": [ - "10.18.124.28", - "10.232.27.250" + "10.232.27.250", + "10.18.124.28" ], "related.user": [ - "lapariat", "modocons", + "lapariat", "mquidol" ], "rsa.counters.dclass_c1": 6564,
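Review bot: The new `if:` condition mixes null-safe and plain access on `ctx.host` — `ctx?.host?.hostname != null && ctx.host?.hostname != ''` — which reads as if the second clause could dereference a missing `host`; it cannot, because the first clause already guarantees `ctx.host` is non-null, so this is a point of style, and `if: ctx?.host?.hostname != null && ctx?.host?.hostname != ''` is the consistent form. The appended value goes through the `{{host.hostname}}` template, so if `host.hostname` can reach this step as something other than a single string the rendered text rather than the value would land in `related.hosts`; presumably the earlier processors normalise it, but that is worth confirming. A one-line comment above the processor would help the next reader, e.g. `# populate ECS related.hosts from host.hostname (deduplicated)`. The `processors:` list this entry belongs to starts outside the hunk, and the accompanying expected-JSON hunks also reorder existing `related.ip` and `related.user` entries, which this processor does not explain — presumably an artefact of regenerating the fixtures, but worth a sentence in the commit message.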
@@ -221,14 +230,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amest4147.mail.host" + ], "related.ip": [ - "10.197.250.10", - "10.6.137.200" + "10.6.137.200", + "10.197.250.10" ], "related.user": [ "oluptas", - "intoc", - "occae" + "occae", + "intoc" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", @@ -287,14 +299,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.179.124.125", "10.36.194.106" ], "related.user": [ - "acommod", + "ncidid", "reme", - "ncidid" + "acommod" ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", @@ -351,14 +366,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "didunt1355.corp" + ], "related.ip": [ - "10.211.105.204", - "10.129.149.43" + "10.129.149.43", + "10.211.105.204" ], "related.user": [ - "orema", + "eveli", "labor", - "eveli" + "orema" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -410,13 +428,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "pora6854.www5.home" + ], "related.ip": [ "10.214.191.180", "10.112.250.193" ], "related.user": [ - "ide", "Exc", + "ide", "ipsumdol" ], "rsa.counters.dclass_c1": 6852, @@ -468,14 +489,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasn6599.www.localhost" + ], "related.ip": [ - "10.251.20.13", - "10.192.34.76" + "10.192.34.76", + "10.251.20.13" ], "related.user": [ - "ovol", + "iquipe", "tnonpro", - "iquipe" + "ovol" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -523,14 +547,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.74.105.218", "10.59.138.212" ], "related.user": [ - "boree", "idunt", - "archite" + "archite", + "boree" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -582,6 +609,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rinre2977.api.corp" + ], "related.ip": [ "10.230.173.4", "10.168.159.13" @@ -641,14 +671,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "atevelit2450.local" + ], "related.ip": [ "10.41.21.204", "10.49.167.57" ], "related.user": [ - "tali", + "ccaeca", "sau", - "ccaeca" + "tali" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -702,22 +735,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itla658.api.localhost" + ], "related.ip": [ "10.62.147.186", "10.216.125.252" ], "related.user": [ - "lorsita", "dolore", - "llamco" + "llamco", + "lorsita" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quasia", - "accept" + "accept", + "quasia" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", 
@@ -769,22 +805,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "umdolor4389.api.home" + ], "related.ip": [ "10.52.125.9", "10.204.128.215" ], "related.user": [ "nci", - "rum", - "paquioff" + "paquioff", + "rum" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", "rsa.internal.event_desc": "rumet", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "texpli" + "texpli", + "deny" ], "rsa.misc.category": "verita", "rsa.misc.disposition": "sectet", @@ -832,14 +871,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rationev6444.localhost" + ], "related.ip": [ "10.34.148.166", "10.200.68.129" ], "related.user": [ "icabo", - "untutlab", - "miu" + "miu", + "untutlab" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -887,14 +929,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ipi7727.www5.domain" + ], "related.ip": [ "10.134.5.40", "10.226.101.180" ], "related.user": [ "siu", - "licabo", - "conse" + "conse", + "licabo" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -946,14 +991,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "spernatu5539.domain" + ], "related.ip": [ - "10.126.26.131", - "10.30.98.10" + "10.30.98.10", + "10.126.26.131" ], "related.user": [ "dipisci", - "velite", - "olori" + "olori", + "velite" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1005,9 +1053,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nimid372.api.corp" + ], "related.ip": [ - "10.190.10.219", - "10.233.120.207" + "10.233.120.207", + "10.190.10.219" ], "related.user": [ "item", 
@@ -1092,14 +1143,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "maliquam2147.internal.home" + ], "related.ip": [ "10.100.98.56", "10.248.184.200" ], "related.user": [ - "boru", "ritati", - "proident" + "proident", + "boru" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1151,14 +1205,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "olabor2983.internal.localhost" + ], "related.ip": [ - "10.82.28.220", - "10.197.6.245" + "10.197.6.245", + "10.82.28.220" ], "related.user": [ - "aecatcup", + "oluptat", "dtempo", - "oluptat" + "aecatcup" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1210,9 +1267,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "hitec2111.mail.corp" + ], "related.ip": [ - "10.6.27.103", - "10.167.252.183" + "10.167.252.183", + "10.6.27.103" ], "related.user": [ "redol", @@ -1271,22 +1331,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "adminim2559.www5.invalid" + ], "related.ip": [ "10.81.184.7", "10.88.45.111" ], "related.user": [ - "undeomni", + "lmole", "iameaque", - "lmole" + "undeomni" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "illu" + "illu", + "deny" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", 
@@ -1336,14 +1399,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dolorem6882.api.local" + ], "related.ip": [ - "10.214.3.140", - "10.29.119.245" + "10.29.119.245", + "10.214.3.140" ], "related.user": [ - "taliqui", "edolorin", - "scipitl" + "scipitl", + "taliqui" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1397,14 +1463,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "temaccu5302.test" + ], "related.ip": [ - "10.218.123.234", - "10.110.133.7" + "10.110.133.7", + "10.218.123.234" ], "related.user": [ - "etconsec", + "caboNem", "pta", - "caboNem" + "etconsec" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", @@ -1462,14 +1531,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nder347.www.corp" + ], "related.ip": [ - "10.182.152.242", - "10.105.190.170" + "10.105.190.170", + "10.182.152.242" ], "related.user": [ + "litan", "mquisn", - "doeiu", - "litan" + "doeiu" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1523,14 +1595,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idunt4633.internal.host" + ], "related.ip": [ "10.59.188.188", "10.123.166.197" ], "related.user": [ "emUte", - "min", - "liquam" + "liquam", + "min" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1587,13 +1662,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ectob4634.mail.localhost" + ], "related.ip": [ "10.72.75.207", "10.201.168.116" ], "related.user": [ - "eufug", "eFini", + "eufug", "urau" ], "rsa.counters.dclass_c1": 3348, 
@@ -1646,14 +1724,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "snu6436.www.local" + ], "related.ip": [ "10.9.46.123", "10.58.133.175" ], "related.user": [ + "oco", "mfu", - "nde", - "oco" + "nde" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1705,13 +1786,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lore7099.www.host" + ], "related.ip": [ "10.169.50.59", "10.70.29.203" ], "related.user": [ - "veniamq", "mquisnos", + "veniamq", "pta" ], "rsa.counters.dclass_c1": 2358, @@ -1764,14 +1848,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lesti6939.api.local" + ], "related.ip": [ - "10.165.182.111", - "10.137.85.123" + "10.137.85.123", + "10.165.182.111" ], "related.user": [ + "ames", "Bonorum", - "sis", - "ames" + "sis" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1853,14 +1940,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "upt6017.api.localdomain" + ], "related.ip": [ "10.64.184.196", "10.173.178.109" ], "related.user": [ - "uian", + "tam", "nesci", - "tam" + "uian" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", @@ -1918,13 +2008,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "turQuis4046.api.test" + ], "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "related.user": [ - "olupta", "aUtenima", + "olupta", "olu" ], "rsa.counters.dclass_c1": 1127, 
@@ -1977,13 +2070,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ "10.59.182.36", "10.18.150.82" ], "related.user": [ - "luptat", "mtota", + "luptat", "qua" ], "rsa.counters.dclass_c1": 6112, @@ -2063,13 +2159,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tatnonp1371.www.invalid" + ], "related.ip": [ - "10.228.229.144", - "10.151.240.35" + "10.151.240.35", + "10.228.229.144" ], "related.user": [ - "ama", "ametcons", + "ama", "lam" ], "rsa.counters.dclass_c1": 4325, @@ -2118,14 +2217,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tium3542.internal.invalid" + ], "related.ip": [ "10.242.48.203", "10.147.142.242" ], "related.user": [ + "ese", "quisn", - "quasi", - "ese" + "quasi" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2179,13 +2281,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis3991.mail.invalid" + ], "related.ip": [ - "10.254.10.98", - "10.213.165.165" + "10.213.165.165", + "10.254.10.98" ], "related.user": [ - "eufugia", "civeli", + "eufugia", "ttenb" ], "rsa.counters.event_counter": 7365, @@ -2193,8 +2298,8 @@ "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uptasn", - "cancel" + "cancel", + "uptasn" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2274,14 +2379,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ihi7294.www5.localhost" + ], "related.ip": [ - "10.116.1.130", - "10.169.28.157" + "10.169.28.157", + "10.116.1.130" ], "related.user": [ "reseo", - "eturadip", - "amco" + "amco", + "eturadip" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", 
@@ -2339,14 +2447,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caecat4920.api.host" + ], "related.ip": [ "10.29.138.31", "10.45.69.152" ], "related.user": [ "volupta", - "tsunt", - "umq" + "umq", + "tsunt" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2398,13 +2509,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "setquas6188.internal.local" + ], "related.ip": [ "10.100.113.11", "10.152.213.228" ], "related.user": [ - "itationu", "ptatev", + "itationu", "velillum" ], "rsa.counters.dclass_c1": 7245, @@ -2485,9 +2599,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo3674.www5.localhost" + ], "related.ip": [ - "10.248.102.129", - "10.208.33.55" + "10.208.33.55", + "10.248.102.129" ], "related.user": [ "mremaper", @@ -2544,14 +2661,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "totamr7676.www5.home" + ], "related.ip": [ - "10.109.230.216", - "10.203.164.132" + "10.203.164.132", + "10.109.230.216" ], "related.user": [ - "ibus", "mporin", - "ectobea" + "ectobea", + "ibus" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,14 +2723,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idents7231.mail.home" + ], "related.ip": [ "10.151.203.60", "10.117.81.75" ], "related.user": [ "iconsequ", - "dol", - "exeac" + "exeac", + "dol" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2662,14 +2785,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tat50.mail.host" + ], "related.ip": [ - "10.45.152.205", - "10.224.217.153" + "10.224.217.153", + "10.45.152.205" ], "related.user": [ "eriti", - "imav", - "utlabo" + "utlabo", + "imav" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2722,6 +2848,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mips3283.corp" + ], "related.ip": [ "10.1.193.187", "10.60.164.100" @@ -2786,14 +2915,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "aliquip7229.mail.domain" + ], "related.ip": [ - "10.146.228.234", - "10.248.244.203" + "10.248.244.203", + "10.146.228.234" ], "related.user": [ - "sum", "mquamei", - "eiusm" + "eiusm", + "sum" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2841,6 +2973,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "fde7756.mail.corp" + ], "related.ip": [ "10.122.127.237", "10.86.121.152" @@ -2900,14 +3035,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "agnama5013.internal.example" + ], "related.ip": [ "10.201.223.119", "10.204.223.184" ], "related.user": [ + "rcit", "teni", - "tuserror", - "rcit" + "tuserror" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2959,14 +3097,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "edictas4693.home" + ], "related.ip": [ "10.223.56.33", "10.200.12.126" ], "related.user": [ - "elitsedd", + "magnido", "Nequepo", - "magnido" + "elitsedd" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3020,22 +3161,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibu2565.api.local" + ], "related.ip": [ - "10.65.225.101", - "10.94.89.177" + "10.94.89.177", + "10.65.225.101" ], "related.user": [ + "tuserror", "citation", - "emquel", - "tuserror" + "emquel" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "eruntmol" + "eruntmol", + "cancel" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3084,14 +3228,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsun7120.home" + ], "related.ip": [ "10.65.174.196", "10.191.184.105" ], "related.user": [ + "iin", "tione", - "uta", - "iin" + "uta" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3141,22 +3288,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lumquid6940.mail.localdomain" + ], "related.ip": [ - "10.224.148.48", - "10.41.181.179" + "10.41.181.179", + "10.224.148.48" ], "related.user": [ - "iosamn", "equepor", - "niam" + "niam", + "iosamn" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "rumwr" + "rumwr", + "deny" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3206,14 +3356,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amcorp7299.api.example" + ], "related.ip": [ - "10.21.61.134", - "10.21.208.103" + "10.21.208.103", + "10.21.61.134" ], "related.user": [ + "ostr", "imidest", - "mipsa", - "ostr" + "mipsa" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3265,14 +3418,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "magnama868.api.local" + ], "related.ip": [ - "10.221.192.116", - "10.23.6.216" + "10.23.6.216", + "10.221.192.116" ], "related.user": [ - "tevelite", + "iarchit", "iamquisn", - "iarchit" + "tevelite" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3326,22 +3482,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tionevol3157.mail.invalid" + ], "related.ip": [ - "10.240.62.238", - "10.191.142.143" + "10.191.142.143", + "10.240.62.238" ], "related.user": [ + "nofde", "modtempo", - "animide", - "nofde" + "animide" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ali" + "ali", + "cancel" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3392,14 +3551,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mquis319.api.local" + ], "related.ip": [ - "10.111.22.134", - "10.178.79.217" + "10.178.79.217", + "10.111.22.134" ], "related.user": [ + "ccusan", "inibusBo", - "tqui", - "ccusan" + "tqui" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", @@ -3456,14 +3618,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "urad5712.api.host" + ], "related.ip": [ "10.161.225.172", "10.77.86.215" ], "related.user": [ - "rcit", + "xerc", "meaqu", - "xerc" + "rcit" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3514,9 +3679,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "enbyCic4659.www5.example" + ], "related.ip": [ - "10.211.161.187", - "10.186.133.184" + "10.186.133.184", + "10.211.161.187" ], "related.user": [ "boriosa", @@ -3568,14 +3736,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inBCSed5308.api.corp" + ], "related.ip": [ - "10.160.147.230", - "10.254.198.47" + "10.254.198.47", + "10.160.147.230" ], "related.user": [ - "illoin", "nimvenia", - "ndeomnis" + "ndeomnis", + "illoin" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3623,14 +3794,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "reseo2067.api.localdomain" + ], "related.ip": [ - "10.40.24.93", - "10.182.197.243" + "10.182.197.243", + "10.40.24.93" ], "related.user": [ - "orisnis", "exerci", - "mSecti" + "mSecti", + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3682,14 +3856,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itte6905.mail.invalid" + ], "related.ip": [ - "10.108.130.106", - "10.249.13.159" + "10.249.13.159", + "10.108.130.106" ], "related.user": [ "uisautei", - "colab", - "exeacomm" + "exeacomm", + "colab" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3743,13 +3920,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caboNemo274.www.host" + ], "related.ip": [ - "10.64.94.174", - "10.39.244.49" + "10.39.244.49", + "10.64.94.174" ], "related.user": [ - "Sedut", "iunt", + "Sedut", "estiae" ], "rsa.counters.event_counter": 7128, 
@@ -3863,14 +4043,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "qui5978.api.test" + ], "related.ip": [ - "10.134.135.22", - "10.115.203.143" + "10.115.203.143", + "10.134.135.22" ], "related.user": [ + "involu", "orpori", - "utoditau", - "involu" + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3922,9 +4105,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iamq2577.internal.corp" + ], "related.ip": [ - "10.251.212.166", - "10.43.244.252" + "10.43.244.252", + "10.251.212.166" ], "related.user": [ "uptat", @@ -4009,14 +4195,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "usB4127.localhost" + ], "related.ip": [ "10.88.189.164", "10.20.231.188" ], "related.user": [ - "mqu", "tesseq", - "uatDuisa" + "uatDuisa", + "mqu" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4096,14 +4285,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "abor3266.mail.home" + ], "related.ip": [ - "10.231.77.26", - "10.225.11.197" + "10.225.11.197", + "10.231.77.26" ], "related.user": [ + "ineavol", "volu", - "rehe", - "ineavol" + "rehe" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4153,14 +4345,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eprehe2455.www.home" + ], "related.ip": [ - "10.106.166.105", - "10.148.3.197" + "10.148.3.197", + "10.106.166.105" ], "related.user": [ - "avolup", "olupt", - "usa" + "usa", + "avolup" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4208,14 +4403,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "destla2110.www5.localdomain" + ], "related.ip": [ - "10.172.121.239", - "10.57.169.205" + "10.57.169.205", + "10.172.121.239" ], "related.user": [ - "ctas", + "ipsu", "iuta", - "ipsu" + "ctas" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4267,14 +4465,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "exerc3694.api.home" + ], "related.ip": [ - "10.42.218.103", - "10.129.234.200" + "10.129.234.200", + "10.42.218.103" ], "related.user": [ - "dquia", "tevelit", - "tisundeo" + "tisundeo", + "dquia" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4326,14 +4527,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ididu5928.www5.local" + ], "related.ip": [ - "10.111.132.221", - "10.76.121.224" + "10.76.121.224", + "10.111.132.221" ], "related.user": [ + "oloremi", "scive", - "ali", - "oloremi" + "ali" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4385,9 +4589,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "boriosa7066.www.corp" + ], "related.ip": [ - "10.17.214.21", - "10.195.8.141" + "10.195.8.141", + "10.17.214.21" ], "related.user": [ "dolo", @@ -4444,14 +4651,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ssusc1892.internal.host" + ], "related.ip": [ - "10.173.13.179", - "10.179.60.167" + "10.179.60.167", + "10.173.13.179" ], "related.user": [ - "isn", + "apar", "ptasn", - "apar" + "isn" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4503,9 +4713,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iatisund424.mail.localdomain" + ], "related.ip": [ - "10.42.135.34", - "10.178.190.123" + "10.178.190.123", + "10.42.135.34" ], "related.user": [ "tiset", @@ -4590,14 +4803,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "uidolo7626.local" + ], "related.ip": [ - "10.8.147.176", - "10.207.198.239" + "10.207.198.239", + "10.8.147.176" ], "related.user": [ - "aUteni", "incididu", - "Loremips" + "Loremips", + "aUteni" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4648,14 +4864,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dmini3435.internal.domain" + ], "related.ip": [ - "10.206.221.180", - "10.116.26.185" + "10.116.26.185", + "10.206.221.180" ], "related.user": [ "oNe", - "nseq", - "litesseq" + "litesseq", + "nseq" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4703,14 +4922,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo1864.domain" + ], "related.ip": [ "10.253.127.130", "10.86.180.150" ], "related.user": [ "mnisis", - "etconsec", - "itasper" + "itasper", + "etconsec" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4764,13 +4986,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inv6528.www5.example" + ], "related.ip": [ - "10.158.161.5", - "10.220.175.201" + "10.220.175.201", + "10.158.161.5" ], "related.user": [ - "dolo", - "rrors" + "rrors", + "dolo" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", 
@@ -4855,14 +5080,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nisiutal4437.www.example" + ], "related.ip": [ "10.150.27.144", "10.248.16.82" ], "related.user": [ + "res", "ditautf", - "tuserror", - "res" + "tuserror" ], "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4914,13 +5142,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tqui5172.www.local" + ], "related.ip": [ - "10.173.19.140", - "10.146.131.76" + "10.146.131.76", + "10.173.19.140" ], "related.user": [ - "olo", "orsi", + "olo", "Except" ], "rsa.counters.dclass_c1": 5844, @@ -4972,9 +5203,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "intocca6708.mail.corp" + ], "related.ip": [ - "10.69.5.227", - "10.171.175.165" + "10.171.175.165", + "10.69.5.227" ], "related.user": [ "rumw", @@ -5027,13 +5261,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isetqu2843.www.invalid" + ], "related.ip": [ "10.213.214.118", "10.253.175.129" ], "related.user": [ - "ate", "nrep", + "ate", "epteurs" ], "rsa.counters.dclass_c1": 6260, @@ -5088,22 +5325,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "commodo6041.mail.localhost" + ], "related.ip": [ "10.149.91.130", "10.89.26.170" ], "related.user": [ + "atus", "aboris", - "orumetMa", - "atus" + "orumetMa" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atcupi", - "block" + "block", + "atcupi" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", 
@@ -5154,14 +5394,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "gitse6744.api.local" + ], "related.ip": [ - "10.52.106.68", - "10.81.108.232" + "10.81.108.232", + "10.52.106.68" ], "related.user": [ + "uaturve", "neavolup", - "aco", - "uaturve" + "aco" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", @@ -5221,14 +5464,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "par3605.internal.localdomain" + ], "related.ip": [ "10.230.48.97", "10.223.10.28" ], "related.user": [ - "usmodte", + "erit", "untex", - "erit" + "usmodte" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5286,6 +5532,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isau4356.www.home" + ], "related.ip": [ "10.115.42.231", "10.161.212.150" @@ -5347,13 +5596,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "labo3477.www5.domain" + ], "related.ip": [ "10.226.75.20", "10.247.108.144" ], "related.user": [ - "tema", "maccusan", + "tema", "fugia" ], "rsa.counters.event_counter": 3711, @@ -5411,14 +5663,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itseddo2209.mail.domain" + ], "related.ip": [ "10.97.22.61", "10.192.15.65" ], "related.user": [ - "nimides", + "illumd", "rExcep", - "illumd" + "nimides" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5468,13 +5723,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "duntutl3396.api.host" + ], "related.ip": [ "10.197.254.133", "10.116.76.161" ], "related.user": [ - "ide", "trudex", + "ide", "idu" ], "rsa.counters.event_counter": 2608, 
@@ -5482,8 +5740,8 @@ "rsa.internal.event_desc": "ritat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "quid" + "quid", + "cancel" ], "rsa.misc.category": "dipi", "rsa.misc.disposition": "asnulapa", @@ -5532,14 +5790,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "colabo6686.internal.invalid" + ], "related.ip": [ "10.144.14.15", "10.28.77.79" ], "related.user": [ + "rspic", "upta", - "utlab", - "rspic" + "utlab" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5590,14 +5851,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsunti1164.www.example" + ], "related.ip": [ - "10.248.177.182", - "10.18.15.43" + "10.18.15.43", + "10.248.177.182" ], "related.user": [ - "quaturve", "quei", - "caecat" + "caecat", + "quaturve" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml index 35ad775a3aa..b464486074b 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/input.yml +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml index 3b42b82526b..dd46c730477 100644 --- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{rsa.misc.event_source}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.misc?.event_source != null && ctx.rsa?.misc?.event_source != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json
index 9552bff05b5..9d1e178db5a 100644
--- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
 "observer.version": "1.5191",
+ "related.hosts": [
+ "volup208.invalid"
+ ],
 "rsa.db.index": "mwritten",
 "rsa.internal.messageid": "openvpn-master",
 "rsa.misc.event_source": "volup208.invalid",
@@ -38,6 +41,10 @@
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "related.hosts": [
+ "atio5608.www5.localhost",
+ "com1060.api.example"
+ ],
 "related.ip": [
 "10.202.204.154"
 ],
@@ -73,6 +80,9 @@
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "related.hosts": [
+ "ptass3168.www5.example"
+ ],
 "related.ip": [
 "10.13.70.213"
 ],
@@ -100,6 +110,9 @@
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "related.hosts": [
+ "mcolabor1656.www5.corp"
+ ],
 "rsa.internal.data": "veleumi",
 "rsa.internal.event_desc": "tia",
 "rsa.internal.messageid": "acpid",
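Review bot: The two new `append` processors carry no comment saying why both `host.name` and `rsa.misc.event_source` are folded into `related.hosts`, and a reader of the pipeline cannot tell that from the YAML alone; I would put a comment above the first one such as `# related.hosts (ECS 1.6): collect every hostname the event mentions so host-centric searches match whichever field carried it`. That comment should also say that these values presumably come from the parsed log line rather than from Filebeat's own host metadata, so an analyst should treat `related.hosts` as reported, not verified, identity. The `if` guards read correctly; if `host.name` can ever be multi-valued the Mustache template would render the whole list as one string, which I have not confirmed. The `processors` list continues on both sides of the hunk.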
@@ -124,6 +137,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Cice513.api.local" + ], "rsa.db.index": "occ", "rsa.internal.event_desc": "ect", "rsa.internal.messageid": "openvpn-member", @@ -148,6 +164,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "obeataev7086.mail.invalid" + ], "rsa.internal.event_desc": "natura", "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "obeataev7086.mail.invalid", @@ -170,6 +189,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nibusBon7400.localhost" + ], "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "nibusBon7400.localhost", "rsa.misc.result": "success", @@ -192,6 +214,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iat1852.api.localdomain" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "iat1852.api.localdomain", @@ -214,6 +239,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mquisnos5771.example" + ], "related.ip": [ "10.104.111.129" ], @@ -244,6 +272,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.3162", + "related.hosts": [ + "ite996.host" + ], "rsa.email.email_src": "umdolore", "rsa.internal.data": "umdo", "rsa.internal.messageid": "kernel", @@ -268,6 +299,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "enim2780.www.lan" + ], "rsa.internal.data": "eriame", "rsa.internal.event_desc": "lorema", "rsa.internal.messageid": "rc6", 
@@ -292,6 +326,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "emporinc5075.internal.host" + ], "rsa.internal.data": "atcu", "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "emporinc5075.internal.host", @@ -315,6 +352,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "strude910.internal.local" + ], "rsa.internal.event_desc": "shutting down for system reboot", "rsa.internal.messageid": "shutdown", "rsa.misc.event_source": "strude910.internal.local", @@ -357,6 +397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itaut7095.invalid" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "ritatis", "rsa.misc.event_source": "itaut7095.invalid", @@ -379,6 +422,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "colabor1552.www5.local" + ], "rsa.internal.event_desc": "lorumw", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "colabor1552.www5.local", @@ -401,6 +447,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "inima5444.www5.lan" + ], "rsa.internal.data": "nihi", "rsa.internal.event_desc": "Lor", "rsa.internal.messageid": "validate_dhcpd", @@ -424,6 +473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "erc3217.internal.lan" + ], "rsa.internal.data": "olupt", "rsa.internal.event_desc": "modoco", "rsa.internal.messageid": "debug_mount", @@ -449,6 +501,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uames499.internal.host" + ], "related.ip": [ "10.45.25.68" ], 
@@ -482,6 +537,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2299", + "related.hosts": [ + "iineavo951.internal.test" + ], "rsa.internal.data": "intoccae", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "iineavo951.internal.test", @@ -505,6 +563,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Loremip6417.mail.test" + ], "rsa.db.index": "emoeni", "rsa.internal.event_desc": "oenimips", "rsa.internal.messageid": "syslog", @@ -528,6 +589,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mnisist2347.mail.host" + ], "rsa.internal.data": "temveleu", "rsa.internal.event_desc": "Sent mail for colabo (eme)", "rsa.internal.messageid": "sSMTP", @@ -552,6 +616,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2807", + "related.hosts": [ + "datatn5076.internal.example" + ], "rsa.internal.event_desc": "ihilm", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "datatn5076.internal.example", @@ -575,6 +642,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit2385.internal.home" + ], "rsa.internal.data": "run", "rsa.internal.event_desc": "building file list", "rsa.internal.messageid": "rsyncd", @@ -598,6 +668,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "quisnos4590.mail.domain" + ], "rsa.internal.event_desc": "eritqu", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "quisnos4590.mail.domain", @@ -620,6 +693,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "wri2784.api.domain" + ], "rsa.db.index": "hitect", "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "restarting", 
@@ -643,6 +719,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "asun1250.api.localdomain" + ], "rsa.internal.data": "oluptate", "rsa.internal.event_desc": "onseq", "rsa.internal.messageid": "rc3", @@ -667,6 +746,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "intoc2428.domain" + ], "rsa.internal.data": "dantiumt", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "luptasn", @@ -690,6 +772,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ento4488.www5.localhost" + ], "rsa.internal.event_desc": "amre", "rsa.internal.messageid": "rc6", "rsa.misc.event_source": "ento4488.www5.localhost", @@ -712,6 +797,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "boris5916.www5.example" + ], "rsa.internal.data": "uioffi", "rsa.internal.event_desc": "Distribution Complete", "rsa.internal.messageid": "controld", @@ -735,6 +823,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "temqu3331.api.host" + ], "rsa.internal.event_desc": "reseos", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "temqu3331.api.host", @@ -782,6 +873,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "radi1512.mail.example" + ], "rsa.db.index": "ris", "rsa.internal.event_desc": "uamqu", "rsa.internal.messageid": "openvpn-member", @@ -806,6 +900,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "onsecte7184.mail.domain" + ], "rsa.internal.event_desc": "reme", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "onsecte7184.mail.domain", 
@@ -828,6 +925,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "eveli265.www5.localdomain" + ], "rsa.db.index": "nse", "rsa.internal.messageid": "ipmievd", "rsa.misc.event_source": "eveli265.www5.localdomain", @@ -853,6 +953,10 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uptatema6843.www.host", + "derit4688.mail.localhost" + ], "related.ip": [ "10.74.104.215" ], @@ -887,6 +991,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "evolup4403.local" + ], "rsa.internal.data": "smo", "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "evolup4403.local", @@ -909,6 +1016,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nonn839.api.corp" + ], "rsa.internal.event_desc": "temquiav", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", @@ -931,6 +1041,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "adm7744.mail.domain" + ], "rsa.internal.event_desc": "isc", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", @@ -955,6 +1068,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "process.pid": 845, + "related.hosts": [ + "ios6980.example" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.action": [ "deny" @@ -979,6 +1095,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "osquira6030.internal.corp" + ], "rsa.internal.data": "com", "rsa.internal.event_desc": "tnulapa", "rsa.internal.messageid": "diskcheck", 
@@ -1002,6 +1121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "squirati63.mail.lan" + ], "rsa.internal.data": "nbyCic", "rsa.internal.event_desc": "utlabor", "rsa.internal.messageid": "watchdog", @@ -1025,6 +1147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lup2134.www.localhost" + ], "rsa.internal.data": "upida", "rsa.internal.messageid": "rc", "rsa.misc.client": "tvolupt", @@ -1048,6 +1173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umdo4017.www.local" + ], "rsa.internal.data": "ati", "rsa.internal.event_desc": "uine", "rsa.internal.messageid": "snmptrapd", @@ -1071,6 +1199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loreme853.www5.localdomain" + ], "rsa.internal.event_desc": "con", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", @@ -1094,6 +1225,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "orumSe728.internal.test" + ], "rsa.db.index": "evit", "rsa.internal.data": "itess", "rsa.internal.event_desc": "runtm", @@ -1119,6 +1253,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "oremi7400.www.local" + ], "rsa.internal.data": "ineavo", "rsa.internal.event_desc": "pexe", "rsa.internal.messageid": "acpid", @@ -1142,6 +1279,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ess651.test" + ], "related.ip": [ "10.143.187.97" ], @@ -1171,6 +1311,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "epre6970.www.example" + ], "related.user": [ "temUt" ], 
@@ -1202,6 +1345,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tali7803.www.localdomain" + ], "rsa.internal.event_desc": "ender", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", @@ -1225,6 +1371,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uradi6198.test" + ], "rsa.internal.event_desc": "frequency initialized from file", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "uradi6198.test", @@ -1248,6 +1397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umSe1918.local" + ], "rsa.counters.dclass_c1": 2836, "rsa.internal.event_desc": "ntpd exiting on signal", "rsa.internal.messageid": "ntpd", @@ -1271,6 +1423,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "odoconse228.mail.localdomain" + ], "rsa.internal.event_desc": "tenim", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "odoconse228.mail.localdomain", @@ -1293,6 +1448,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "cteturad4074.mail.host" + ], "rsa.internal.event_desc": "tetu", "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "cteturad4074.mail.host", @@ -1315,6 +1473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itation6137.home" + ], "rsa.internal.event_desc": "sequat", "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "itation6137.home", 
@@ -1359,6 +1520,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dun1276.api.localdomain" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "dun1276.api.localdomain", @@ -1382,6 +1546,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iquidexe304.mail.test" + ], "rsa.internal.event_desc": "oreetd", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "iquidexe304.mail.test", @@ -1405,6 +1572,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "preh2690.api.localdomain" + ], "rsa.internal.data": "mac", "rsa.internal.event_desc": "qui", "rsa.internal.messageid": "captured_dns_uploader", @@ -1430,6 +1600,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7214", + "related.hosts": [ + "rem3032.mail.domain" + ], "rsa.email.email_src": "ica", "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "rem3032.mail.domain", @@ -1455,6 +1628,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7727", + "related.hosts": [ + "tetur2694.mail.local" + ], "rsa.db.index": "itinv", "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "tetur2694.mail.local", @@ -1478,6 +1654,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "utaliqu6138.mail.localhost" + ], "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "oremi", @@ -1501,6 +1680,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tame4953.mail.localhost" + ], "rsa.db.index": "prehen", "rsa.internal.event_desc": "ntutlabo", "rsa.internal.messageid": "restarting", 
@@ -1525,6 +1707,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loi7596.www5.home" + ], "rsa.internal.data": "deserun", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "esseq", @@ -1548,6 +1733,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mmodoc4947.internal.test" + ], "rsa.internal.data": "atu", "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "mmodoc4947.internal.test", @@ -1571,6 +1759,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olorem2760.www5.test" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "olorem2760.www5.test", @@ -1593,6 +1784,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol3346.www.lan" + ], "rsa.internal.data": "olorese", "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", "rsa.internal.messageid": "scheduled_ftp_backups", @@ -1619,6 +1813,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit6496.api.local" + ], "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", "rsa.internal.messageid": "scheduled_scp_backups", "rsa.misc.device_name": "midestl", @@ -1662,6 +1859,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "col3570.www.invalid" + ], "rsa.email.email_dst": "tsed", "rsa.internal.messageid": "sSMTP", "rsa.misc.event_source": "col3570.www.invalid", 
@@ -1685,6 +1885,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mipsamvo4282.api.home" + ], "rsa.internal.event_desc": "oreveri", "rsa.internal.messageid": "init", "rsa.misc.event_source": "mipsamvo4282.api.home", @@ -1707,6 +1910,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umq1309.api.test" + ], "rsa.internal.event_desc": "mve", "rsa.internal.messageid": "debug", "rsa.misc.event_source": "umq1309.api.test", @@ -1729,6 +1935,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ugit5828.www5.test" + ], "rsa.internal.data": "asnu", "rsa.internal.messageid": "rc", "rsa.misc.client": "hitec", @@ -1772,6 +1981,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "archite1843.mail.home" + ], "rsa.internal.event_desc": "uta", "rsa.internal.messageid": "radiusd", "rsa.misc.event_source": "archite1843.mail.home", @@ -1794,6 +2006,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "derit5270.mail.local" + ], "rsa.internal.event_desc": "ntexpl", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "derit5270.mail.local", @@ -1816,6 +2031,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itanim4024.api.example" + ], "related.ip": [ "10.156.34.19" ], @@ -1873,6 +2091,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ataevi1984.internal.host" + ], "related.ip": [ "10.17.87.79" ], 
@@ -1900,6 +2121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tionula1586.host" + ], "rsa.internal.data": "idolor", "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", @@ -1923,6 +2147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "llam1884.www.corp" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "llam1884.www.corp", @@ -1946,6 +2173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.data": "edolorin", "rsa.internal.event_desc": "dolorem", "rsa.internal.messageid": "acpid", @@ -1969,6 +2199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "exeacomm79.api.corp" + ], "rsa.internal.data": "mides", "rsa.internal.event_desc": "ciun", "rsa.internal.messageid": "rc3", @@ -1993,6 +2226,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lorsita6602.mail.local" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "lorsita6602.mail.local", "rsa.misc.result_code": "npr", @@ -2015,6 +2251,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ratv2649.www.host" + ], "rsa.internal.data": "tali", "rsa.internal.event_desc": "BCS", "rsa.internal.messageid": "speedstep_control", @@ -2038,6 +2277,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "abor4353.www5.host" + ], "rsa.internal.event_desc": "tesseq", "rsa.internal.messageid": "python", "rsa.misc.event_source": "abor4353.www5.host", 
@@ -2062,6 +2304,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.388", + "related.hosts": [ + "rerepre6748.internal.domain" + ], "rsa.db.index": "sinto", "rsa.internal.data": "tdolore", "rsa.internal.messageid": "openvpn-member", @@ -2086,6 +2331,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "qui3176.internal.example" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "amvolu", "rsa.misc.event_source": "qui3176.internal.example", @@ -2109,6 +2357,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "der7349.invalid" + ], "rsa.internal.event_desc": "eiusmod", "rsa.internal.messageid": "monitor", "rsa.misc.event_source": "der7349.invalid", @@ -2132,6 +2383,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "veleum3833.internal.test" + ], "rsa.internal.event_desc": "iusmodt", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "veleum3833.internal.test", @@ -2154,6 +2408,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "aquio6685.internal.test" + ], "rsa.internal.data": "aquio", "rsa.internal.event_desc": "riatu", "rsa.internal.messageid": "rc6", @@ -2177,6 +2434,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tanimid4871.internal.domain" + ], "rsa.internal.data": "abor", "rsa.internal.event_desc": "nBCSe", "rsa.internal.messageid": "debug", @@ -2200,6 +2460,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "icta82.internal.lan" + ], "rsa.internal.data": "uei", "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", 
@@ -2224,6 +2487,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol6197.mail.localdomain" + ], "rsa.internal.data": "inBCSe", "rsa.internal.event_desc": "otamrem", "rsa.internal.messageid": "speedstep_control", @@ -2247,6 +2513,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lumqu617.www.test" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "lumqu617.www.test", @@ -2270,6 +2539,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uido492.www5.home" + ], "rsa.internal.data": "uid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "snostrum", @@ -2294,6 +2566,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.6198", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "rsa.internal.event_desc": "ommo", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "reseosqu1629.mail.lan", @@ -2317,6 +2592,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itseddoe5595.internal.localhost" + ], "rsa.internal.data": "ehende", "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "smart_check_io", @@ -2340,6 +2618,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.internal.event_desc": "dolor", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "olu5333.www.domain", @@ -2362,6 +2643,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dtemp1362.internal.example" + ], "rsa.internal.event_desc": "itae", "rsa.internal.messageid": "init", "rsa.misc.event_source": "dtemp1362.internal.example", 
diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml
index 95d8bf8a477..ac3e93cc485 100644
--- a/x-pack/filebeat/module/juniper/junos/config/input.yml
+++ b/x-pack/filebeat/module/juniper/junos/config/input.yml
@@ -42,4 +42,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
index afa4b02bec4..bc38869e537 100644
--- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain && ctx.server?.domain != ''
on_failure:
- append:
field: error.message
diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml
index 9b4a5566a9b..0fde2181329 100644
--- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml
+++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml
@@ -42,4 +42,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
index 5108ebdad07..f69e14d5f97 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
@@ -40,4 +40,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
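Review bot: The `if` guards on the two appended processors in the junos pipeline hunk, `ctx?.host?.hostname && ctx.host?.hostname != ''` and `ctx?.server?.domain && ctx.server?.domain != ''`, use the string value itself as the left operand of `&&`; Painless has no truthiness for strings, so as far as I can tell a populated host.hostname cannot be cast to boolean and the condition throws at runtime, which routes every junos event that carries a hostname to the pipeline's on_failure handler instead of enriching it. The defender_atp, dhcp and panw hunks in this same change write the guard as a null test, and these two should match: `if: ctx.host?.hostname != null && ctx.host?.hostname != ''` and `if: ctx.server?.domain != null && ctx.server?.domain != ''`. I do not see a junos expected-output change in this part of the diff; a sample event with host.hostname set would make the generated fixture show related.hosts and would have caught this.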
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
index 392f3a441a7..0f35c753092 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -279,6 +279,11 @@ processors:
field: related.hash
value: '{{file.hash.sha256}}'
if: ctx.file?.hash?.sha256 != null
+- append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
#############
## Cleanup ##
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
index b7b2b12ff40..0423289d6ac 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
@@ -40,6 +40,9 @@
"observer.name": "WindowsDefenderAv",
"observer.product": "Defender ATP",
"observer.vendor": "Microsoft",
+ "related.hosts": [
+ "testserver4"
+ ],
"rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
"service.type": "microsoft",
"tags": [
@@ -102,6 +105,9 @@ "b6d237154f2e528f0b503b58b025862d66b02b73", "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77" ], + "related.hosts": [ + "testserver4" + ], "related.user": [ "administrator1" ], @@ -157,6 +163,9 @@ "observer.name": "WindowsDefenderAtp", "observer.product": "Defender ATP", "observer.vendor": "Microsoft", + "related.hosts": [ + "testserver4" + ], "related.user": [ "administrator1" ], @@ -215,6 +224,9 @@ "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" ], + "related.hosts": [ + "testserver4" + ], "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", "service.type": "microsoft", "tags": [ diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml index e8e683f9022..83985fba51d 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml index 7c917d05c81..6ba5eef3032 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{source.address}}'
+ allow_duplicates: false
+ if: ctx?.source?.address != null && ctx.source?.address != ''
on_failure:
- append:
field: error.message
diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
index a350394d3bd..48ad613503d 100644
--- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
@@ -12,6 +12,9 @@
"observer.product": "DHCP",
"observer.type": "Application",
"observer.vendor": "Microsoft",
+ "related.hosts": [
+ "ciade5699.domain"
+ ],
"related.ip": [
"10.124.22.221"
],
@@ -41,6 +44,9 @@
"observer.product": "DHCP",
"observer.type": "Application",
"observer.vendor": "Microsoft",
+ "related.hosts": [
+ "orev6153.internal.domain"
+ ],
"related.ip": [
"10.103.162.55"
],
@@ -70,6 +76,9 @@
"observer.product": "DHCP",
"observer.type": "Application",
"observer.vendor": "Microsoft",
+ "related.hosts": [
+ "uatDuis2964.test"
+ ],
"related.ip": [
"10.58.0.245"
],
@@ -99,6 +108,9 @@
"observer.product": "DHCP",
"observer.type": "Application",
"observer.vendor": "Microsoft",
+ "related.hosts": [
+ "untNequ5075.www5.domain"
+ ],
"related.ip": [
"10.163.217.10"
],
@@ -130,6 +142,9 @@
"observer.product": "DHCP",
"observer.type": "Application",
"observer.vendor": "Microsoft",
+ "related.hosts": [
+ "idexea3181.www.local"
+ ],
"related.ip": [
"10.111.27.193"
],
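Review bot: Appending `{{source.address}}` to related.hosts mixes address kinds: in ECS source.address holds whatever the log carried, an IP or a name, so for DHCP events whose source is the client IP — the addresses this pipeline already lists under related.ip, as the expected output below shows — that IP would also land in related.hosts. The fixtures here show exactly one hostname per event, so either source.address is unset in them or it equals host.hostname and is folded by `allow_duplicates: false`; the IP case is not exercised. If the intent is names only, guard on the resolved form instead, e.g. `value: '{{source.domain}}'` with `if: ctx?.source?.domain != null && ctx.source?.domain != ''`, assuming the parser sets source.domain — otherwise a comment on the processor stating that IPs may appear in related.hosts would tell the next reader it is deliberate.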
@@ -159,6 +174,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etM953.api.domain" + ], "related.ip": [ "10.97.38.141" ], @@ -188,6 +206,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inv5716.mail.invalid" + ], "related.ip": [ "10.17.21.125" ], @@ -217,6 +238,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uines6355.internal.localdomain" + ], "related.ip": [ "10.73.69.75" ], @@ -246,6 +270,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rehender4535.www5.test" + ], "related.ip": [ "10.45.25.68" ], @@ -275,6 +302,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mporain2624.www.localhost" + ], "related.ip": [ "10.68.93.6" ], @@ -304,6 +334,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tutla2716.www.domain" + ], "related.ip": [ "10.192.110.182" ], @@ -333,6 +366,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "conseq557.mail.lan" + ], "related.ip": [ "10.148.153.201" ], @@ -362,6 +398,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etconse7424.internal.lan" + ], "related.ip": [ "10.213.147.241" ], @@ -391,6 +430,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tMalor7410.www.localhost" + ], "related.ip": [ "10.183.233.5" ], @@ -422,6 +464,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equat2243.www5.localdomain" + ], "related.ip": [ "10.52.186.29" ], 
@@ -451,6 +496,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectio2175.www.localhost" + ], "related.ip": [ "10.194.114.58" ], @@ -480,6 +528,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "liqui6106.internal.home" + ], "related.ip": [ "10.212.42.224" ], @@ -509,6 +560,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.244.144.198" ], @@ -540,6 +594,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ "10.90.86.89" ], @@ -569,6 +626,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "riosamn7650.api.test" + ], "related.ip": [ "10.158.237.92" ], @@ -601,6 +661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aper5651.test" + ], "related.ip": [ "10.20.147.134" ], @@ -633,6 +696,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inventor6088.www.invalid" + ], "related.ip": [ "10.213.145.202" ], @@ -662,6 +728,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cipitlab6201.www5.example" + ], "related.ip": [ "10.76.10.73" ], @@ -691,6 +760,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Nemoenim2039.api.localhost" + ], "related.ip": [ "10.226.199.190" ], @@ -721,6 +793,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iquipe2458.api.host" + ], "related.ip": [ "10.20.129.206" ], 
@@ -750,6 +825,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "intoc1426.mail.lan" + ], "related.ip": [ "10.22.110.210" ], @@ -779,6 +857,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3751.mail.lan" + ], "related.ip": [ "10.218.87.174" ], @@ -808,6 +889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tqu4367.www5.localhost" + ], "related.ip": [ "10.140.113.244" ], @@ -837,6 +921,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inci5738.www5.invalid" + ], "related.ip": [ "10.159.181.29" ], @@ -866,6 +953,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "itecto1300.internal.corp" + ], "related.ip": [ "10.178.173.128" ], @@ -895,6 +985,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "siut1579.www.domain" + ], "related.ip": [ "10.217.38.30" ], @@ -924,6 +1017,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ame6223.www5.localhost" + ], "related.ip": [ "10.178.49.161" ], @@ -953,6 +1049,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aturve1647.mail.localhost" + ], "related.ip": [ "10.175.103.215" ], @@ -982,6 +1081,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aco6894.mail.home" + ], "related.ip": [ "10.192.21.74" ], @@ -1013,6 +1115,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tetu2485.internal.invalid" + ], "related.ip": [ "10.142.25.100" ], 
@@ -1043,6 +1148,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreme60.www5.localhost" + ], "related.ip": [ "10.162.114.217" ], @@ -1074,6 +1182,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat7214.domain" + ], "related.ip": [ "10.0.132.176" ], @@ -1104,6 +1215,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "amcor5091.internal.corp" + ], "related.ip": [ "10.22.187.69" ], @@ -1135,6 +1249,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ncidid5410.internal.domain" + ], "related.ip": [ "10.2.128.234" ], @@ -1165,6 +1282,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nofd988.api.example" + ], "related.ip": [ "10.223.160.140" ], @@ -1197,6 +1317,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "borisnis6159.www5.localdomain" + ], "related.ip": [ "10.137.14.180" ], @@ -1226,6 +1349,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dminima4348.mail.home" + ], "related.ip": [ "10.192.182.230" ], @@ -1256,6 +1382,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "oluptas6981.www5.localhost" + ], "related.ip": [ "10.95.241.28" ], @@ -1288,6 +1417,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equ4808.www.localhost" + ], "related.ip": [ "10.74.240.121" ], 
@@ -1320,6 +1452,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nsec923.internal.local" + ], "related.ip": [ "10.139.127.232" ], @@ -1351,6 +1486,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "emoe4059.api.localdomain" + ], "related.ip": [ "10.170.6.54" ], @@ -1380,6 +1518,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equun6662.home" + ], "related.ip": [ "10.46.115.216" ], @@ -1409,6 +1550,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dtempori5735.www5.local" + ], "related.ip": [ "10.226.5.189" ], @@ -1438,6 +1582,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cupi7581.internal.local" + ], "related.ip": [ "10.0.20.5" ], @@ -1468,6 +1615,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "quasiar5281.mail.invalid" + ], "related.ip": [ "10.180.101.232" ], @@ -1500,6 +1650,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tionula1586.host" + ], "related.ip": [ "10.141.158.225" ], @@ -1529,6 +1682,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ore5643.api.lan" + ], "related.ip": [ "10.94.88.5" ], @@ -1559,6 +1715,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ciun39.localdomain" + ], "related.ip": [ "10.155.18.139" ], @@ -1591,6 +1750,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.85.48.117" ], 
@@ -1620,6 +1782,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "docon5398.mail.host" + ], "related.ip": [ "10.224.146.6" ], @@ -1649,6 +1814,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "destlabo7803.mail.localhost" + ], "related.ip": [ "10.182.152.242" ], @@ -1678,6 +1846,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fugits1163.host" + ], "related.ip": [ "10.225.157.110" ], @@ -1707,6 +1878,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "adol170.internal.example" + ], "related.ip": [ "10.236.185.102" ], @@ -1736,6 +1910,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "red5516.localhost" + ], "related.ip": [ "10.146.72.62" ], @@ -1767,6 +1944,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "qui3176.internal.example" + ], "related.ip": [ "10.221.7.206" ], @@ -1796,6 +1976,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat2979.internal.local" + ], "related.ip": [ "10.196.35.130" ], @@ -1825,6 +2008,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "prehe1037.api.example" + ], "related.ip": [ "10.182.219.241" ], @@ -1854,6 +2040,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "abor1370.www.domain" + ], "related.ip": [ "10.101.163.40" ], 
@@ -1883,6 +2072,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "atDuis5759.internal.test" + ], "related.ip": [ "10.141.39.190" ], @@ -1912,6 +2104,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ict2699.internal.localhost" + ], "related.ip": [ "10.41.89.217" ], @@ -1941,6 +2136,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cive2292.api.local" + ], "related.ip": [ "10.86.44.130" ], @@ -1971,6 +2169,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aconsequ2331.www5.localhost" + ], "related.ip": [ "10.209.71.69" ], @@ -2004,6 +2205,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3596.www.test" + ], "related.ip": [ "10.48.104.137" ], @@ -2036,6 +2240,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "elites6366.mail.lan" + ], "related.ip": [ "10.225.255.211" ], @@ -2068,6 +2275,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "orumSe4514.www.corp" + ], "related.ip": [ "10.137.103.62" ], @@ -2097,6 +2307,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fdeFi6975.www5.local" + ], "related.ip": [ "10.156.88.51" ], @@ -2126,6 +2339,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dol3000.www5.local" + ], "related.ip": [ "10.7.99.47" ], 
@@ -2155,6 +2371,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umd5182.mail.host" + ], "related.ip": [ "10.243.252.157" ], @@ -2186,6 +2405,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "expl2616.www.test" + ], "related.ip": [ "10.95.73.196" ], @@ -2215,6 +2437,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "risni1535.example" + ], "related.ip": [ "10.145.104.170" ], @@ -2244,6 +2469,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umtotamr7221.mail.host" + ], "related.ip": [ "10.18.152.236" ], @@ -2273,6 +2501,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "related.ip": [ "10.15.240.220" ], @@ -2302,6 +2533,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tur4536.localdomain" + ], "related.ip": [ "10.147.130.71" ], @@ -2331,6 +2565,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ffic6926.home" + ], "related.ip": [ "10.203.146.137" ], @@ -2360,6 +2597,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ate4386.api.localhost" + ], "related.ip": [ "10.5.98.182" ], @@ -2389,6 +2629,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iameaque5093.api.corp" + ], "related.ip": [ "10.6.180.90" ], @@ -2418,6 +2661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tatisetq3237.www5.corp" + ], "related.ip": [ "10.111.93.224" ], 
@@ -2447,6 +2693,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rvelill32.internal.corp" + ], "related.ip": [ "10.196.157.28" ], @@ -2476,6 +2725,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectetura2657.www.localdomain" + ], "related.ip": [ "10.143.0.78" ], @@ -2505,6 +2757,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ico3220.api.test" + ], "related.ip": [ "10.184.187.32" ], @@ -2534,6 +2789,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Duisa7769.test" + ], "related.ip": [ "10.30.87.51" ], @@ -2563,6 +2821,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ptatev6552.www.test" + ], "related.ip": [ "10.180.62.222" ], @@ -2593,6 +2854,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olore6487.www5.local" + ], "related.ip": [ "10.198.9.209" ], @@ -2625,6 +2889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nvol548.corp" + ], "related.ip": [ "10.41.217.115" ], @@ -2656,6 +2923,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "pteursi466.www.localdomain" + ], "related.ip": [ "10.212.196.228" ], @@ -2685,6 +2955,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olupt1936.host" + ], "related.ip": [ "10.166.180.119" ], @@ -2714,6 +2987,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uisaut2157.corp" + ], "related.ip": [ "10.7.142.212" ], 
@@ -2744,6 +3020,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ecte882.www5.host" + ], "related.ip": [ "10.209.237.97" ], @@ -2776,6 +3055,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreeu4417.example" + ], "related.ip": [ "10.61.26.207" ], @@ -2806,6 +3088,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ "10.139.88.194" ], @@ -2837,6 +3122,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nimve4965.mail.corp" + ], "related.ip": [ "10.86.134.125" ], @@ -2866,6 +3154,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mquisno5146.home" + ], "related.ip": [ "10.41.78.169" ], @@ -2895,6 +3186,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "imaveni4500.api.localdomain" + ], "related.ip": [ "10.69.181.95" ], @@ -2925,6 +3219,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "veleu2874.www5.localhost" + ], "related.ip": [ "10.222.6.52" ], @@ -2956,6 +3253,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nemul5083.api.localdomain" + ], "related.ip": [ "10.218.41.80" ], diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml index ec1e377e5cd..dbbca93154b 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/input.yml +++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index ed3d089bb28..258dda2c70d 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -195,4 +195,4 @@ processors:
- add_fields:
target: ''
fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 412ddeb5c58..a958993a61c 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -472,6 +472,12 @@ processors:
value: "{{panw.panos.file.hash}}"
if: "ctx?.panw?.panos?.file?.hash != null"
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''"
+ allow_duplicates: false
+
# Remove temporary fields.
- remove:
field:
diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
index 20c28165a42..93fe08f75d9 100644
--- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
@@ -73,6 +73,9 @@
"panw.panos.threat.resource": "consent.cmp.oath.com/",
"panw.panos.type": "THREAT",
"panw.panos.url.category": "business-and-economy",
+ "related.hosts": [
+ "PA-220"
+ ],
"related.ip": [
"192.168.15.224",
"152.195.55.192",
@@ -171,6 +174,9 @@
"panw.panos.threat.resource": "consent.cmp.oath.com/",
"panw.panos.type": "THREAT",
"panw.panos.url.category": "business-and-economy",
+ "related.hosts": [
+ "PA-220"
+ ],
"related.ip": [
"192.168.15.224",
"152.195.55.192",
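Review bot: `{{observer.hostname}}` is the firewall's own name, so after this append every panos event carries the same value in related.hosts — `PA-220` on each record in the expected output below — and an analyst pivoting on related.hosts for that name gets the entire log rather than the events that involve a host. The host actually involved in these THREAT events is not appended: the expected output shows it in `panw.panos.threat.resource: "consent.cmp.oath.com/"`, and if the pipeline sets url.domain or destination.domain for these logs, that is the value worth adding, e.g. `value: "{{url.domain}}"` guarded by `if: "ctx?.url?.domain != null && ctx.url?.domain != ''"`. Keeping the observer in related.hosts is defensible under ECS, but a one-line comment on the processor saying that related.hosts intentionally includes the sensor would save the next reader the surprise.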
@@ -269,6 +275,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -367,6 +376,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -465,6 +477,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -563,6 +578,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -661,6 +679,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -759,6 +780,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -857,6 +881,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -955,6 +982,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1053,6 +1083,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1151,6 +1184,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1249,6 +1285,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1347,6 +1386,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1445,6 +1487,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1543,6 +1588,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1641,6 +1689,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1739,6 +1790,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1837,6 +1891,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1935,6 +1992,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2033,6 +2093,9 @@ "panw.panos.threat.resource": "b.scorecardresearch.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.137.131", @@ -2131,6 +2194,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2229,6 +2295,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2327,6 +2396,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2425,6 +2497,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2523,6 +2598,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -2621,6 +2699,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2719,6 +2800,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2817,6 +2901,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2915,6 +3002,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3013,6 +3103,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3111,6 +3204,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3209,6 +3305,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3307,6 +3406,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -3405,6 +3507,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3503,6 +3608,9 @@ "panw.panos.threat.resource": "cdn.taboola.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3604,6 +3712,9 @@ "panw.panos.threat.resource": "rules.quantcount.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.192.7.152", @@ -3705,6 +3816,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3806,6 +3920,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3907,6 +4024,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4008,6 +4128,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -4109,6 +4232,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4210,6 +4336,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4311,6 +4440,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4412,6 +4544,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4513,6 +4648,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4614,6 +4752,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4715,6 +4856,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -4816,6 +4960,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4917,6 +5064,9 @@ "panw.panos.threat.resource": "www.googleadservices.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.98", @@ -5015,6 +5165,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5113,6 +5266,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5211,6 +5367,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5309,6 +5468,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5407,6 +5569,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5505,6 +5670,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -5603,6 +5771,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5701,6 +5872,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5799,6 +5973,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5897,6 +6074,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5998,6 +6178,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6099,6 +6282,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6200,6 +6386,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6301,6 +6490,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -6402,6 +6594,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6503,6 +6698,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6604,6 +6802,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6705,6 +6906,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6806,6 +7010,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6907,6 +7114,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7008,6 +7218,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7109,6 +7322,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -7210,6 +7426,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7311,6 +7530,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7412,6 +7634,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7513,6 +7738,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 60e5c4a2b29..5f979092c4b 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -79,6 +79,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "184.51.253.152", @@ -185,6 +188,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -294,6 +300,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.253.3.202", 
@@ -400,6 +409,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -509,6 +521,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "216.58.194.99", @@ -615,6 +630,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "209.234.224.22", @@ -721,6 +739,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -827,6 +848,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.2.238", @@ -933,6 +957,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1039,6 +1066,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1145,6 +1175,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.249.60.78", @@ -1251,6 +1284,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -1357,6 +1393,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1463,6 +1502,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1569,6 +1611,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1675,6 +1720,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1781,6 +1829,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1887,6 +1938,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "98.138.49.44", @@ -1993,6 +2047,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "72.30.3.43", @@ -2099,6 +2156,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -2205,6 +2265,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", 
@@ -2311,6 +2374,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -2420,6 +2486,9 @@ "panw.panos.sub_type": "start", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.84.80.198", @@ -2527,6 +2596,9 @@ "panw.panos.sub_type": "drop", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -2633,6 +2705,9 @@ "panw.panos.sub_type": "deny", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -2735,6 +2810,9 @@ "panw.panos.source.zone": "trust", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -2838,6 +2916,9 @@ "panw.panos.sub_type": "test", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", @@ -2944,6 +3025,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3053,6 +3137,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.66", @@ -3159,6 +3246,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3265,6 +3355,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -3371,6 +3464,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.253.193", @@ -3477,6 +3573,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3584,6 +3683,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -3693,6 +3795,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.52.219", @@ -3802,6 +3907,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.71.117.196", @@ -3908,6 +4016,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4014,6 +4125,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4123,6 +4237,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.194.41", 
@@ -4228,6 +4345,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.124.9", @@ -4337,6 +4457,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.131.237", @@ -4443,6 +4566,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", @@ -4552,6 +4678,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.190.88.148", @@ -4661,6 +4790,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.243.83", @@ -4767,6 +4899,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4873,6 +5008,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4982,6 +5120,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.165.74", @@ -5088,6 +5229,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", 
@@ -5193,6 +5337,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.94.140", @@ -5295,6 +5442,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5401,6 +5551,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5507,6 +5660,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5613,6 +5769,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5719,6 +5878,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5825,6 +5987,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5931,6 +6096,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6037,6 +6205,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", 
@@ -6143,6 +6314,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6249,6 +6423,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6355,6 +6532,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6461,6 +6641,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6567,6 +6750,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6673,6 +6859,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6782,6 +6971,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "66.28.0.45", @@ -6888,6 +7080,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6994,6 +7189,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7100,6 +7298,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -7206,6 +7407,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7312,6 +7516,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7421,6 +7628,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.52.174.25", @@ -7527,6 +7737,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7633,6 +7846,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7742,6 +7958,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.230.5.228", @@ -7848,6 +8067,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7954,6 +8176,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8060,6 +8285,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -8166,6 +8394,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.195", "208.83.246.20", @@ -8271,6 +8502,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -8376,6 +8610,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8481,6 +8718,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8588,6 +8828,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.185.88.112", @@ -8694,6 +8937,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8800,6 +9046,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8906,6 +9155,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -9015,6 +9267,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", 
@@ -9124,6 +9379,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9233,6 +9491,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9339,6 +9600,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "104.254.150.9", @@ -9448,6 +9712,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9557,6 +9824,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.0.218.108", @@ -9666,6 +9936,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.6.117.19", @@ -9775,6 +10048,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "34.238.96.22", @@ -9884,6 +10160,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "130.211.47.17", @@ -9990,6 +10269,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -10096,6 +10378,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10202,6 +10487,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10308,6 +10596,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10414,6 +10705,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10520,6 +10814,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10626,6 +10923,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml index 0598b8e63d1..05fe8a00db0 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml index 5618f330e7c..a5eafc083d9 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null && ctx.destination?.address != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json
index ea2fb8b7304..f9043afa34a 100644
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json
@@ -89,6 +89,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Proofpoint",
 "process.pid": 3391,
+ "related.hosts": [
+ "tenbyCic5882.api.home"
+ ],
 "related.ip": [
 "10.69.20.77"
 ],
@@ -247,6 +250,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Proofpoint",
 "process.pid": 7183,
+ "related.hosts": [
+ "ommod3671.mail.domain"
+ ],
 "rsa.email.email_src": "dexeaco",
 "rsa.internal.messageid": "queued-reinject",
 "rsa.misc.client": "emaperi",
@@ -477,6 +483,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Proofpoint",
 "process.pid": 4499,
+ "related.hosts": [
+ "ersp3536.www5.lan"
+ ],
 "rsa.db.index": "mod",
 "rsa.email.email_dst": "fugiatn",
 "rsa.internal.messageid": "queued-aglife",
@@ -666,6 +675,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Proofpoint",
 "process.pid": 3866,
+ "related.hosts": [
+ "sit6590.lan"
+ ],
 "related.ip": [
 "10.123.143.188"
 ],
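Review bot: The second new `append` processor copies `destination.address` into `related.hosts` whenever the field is non-empty, but ECS defines `*.address` as "hostname or IP", so any event whose address is an IP string ends up with that IP in `related.hosts` alongside `related.ip`, which pollutes hostname pivots downstream; the sonicwall pipeline hunk at L358 has the same issue for both `source.address` and `destination.address`. If, as is usual in these modules, the address is converted into `destination.ip` earlier in the pipeline (not visible in this hunk), the append can skip that case with `if: ctx?.destination?.address != null && ctx.destination?.address != '' && ctx.destination?.address != ctx.destination?.ip`; otherwise a similar equality check against whatever holds the parsed IP is needed. A fixture where the address is an IP would make the intended behaviour explicit in the expected JSON. The `host.name` append is fine as written, and the enclosing `processors` list starts and ends outside the hunk.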
@@ -1256,6 +1268,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "lors7553.api.local" + ], "rsa.internal.messageid": "dkimv_run", "rsa.misc.client": "uido", "rsa.misc.log_session_id": "tiaecon", @@ -1473,6 +1488,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 2861, + "related.hosts": [ + "str4641.domain" + ], "related.ip": [ "10.151.31.58" ], @@ -2407,6 +2425,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 3274, + "related.hosts": [ + "Sedutper7794.www5.domain" + ], "related.ip": [ "10.154.22.241" ], @@ -2533,6 +2554,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 4250, + "related.hosts": [ + "estla4081.corp" + ], "rsa.internal.messageid": "queued-default", "rsa.misc.client": "queued-default", "rsa.network.host_dst": "estla4081.corp", diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml index 24f226db8f3..e978b023425 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/input.yml +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml index cd99c6e04da..f36e381ab96 100644 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml index 0db6047881b..640c5b2556a 100644 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
index 62a15952dd8..f0150dcb87f 100644
--- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "quid2184.invalid"
+ ],
 "related.ip": [
 "10.202.72.124"
 ],
@@ -54,6 +57,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "uptatev4292.www.invalid"
+ ],
 "related.ip": [
 "10.212.11.114",
 "10.38.77.13"
@@ -100,6 +106,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "tlabo6088.www.localdomain"
+ ],
 "rsa.internal.messageid": "HMNOTIFY",
 "rsa.misc.event_type": "itecto",
 "rsa.misc.result": "failure",
@@ -127,6 +136,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "eporroqu4200.domain"
+ ],
 "rsa.internal.messageid": "HMNOTIFY",
 "rsa.misc.event_type": "suntinc",
 "rsa.misc.result": "success",
@@ -153,6 +165,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "conseq557.mail.lan"
+ ],
 "related.user": [
 "aaliquaU"
 ],
@@ -193,9 +208,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "itame189.domain" + ], "related.ip": [ - "10.182.199.231", - "10.24.67.250" + "10.24.67.250", + "10.182.199.231" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "oei", @@ -238,6 +256,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "vitaedi1318.corp" + ], "related.user": [ "temqu" ], @@ -268,6 +289,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "itatione1916.www.host" + ], "related.user": [ "oluptate" ], @@ -306,9 +330,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.4418", + "related.hosts": [ + "its7829.localhost" + ], "related.ip": [ - "10.110.31.190", - "10.157.18.252" + "10.157.18.252", + "10.110.31.190" ], "rsa.crypto.sig_type": "rQu", "rsa.internal.messageid": "5979", @@ -351,6 +378,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aec3673.internal.host" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "niamq", "rsa.misc.result": "failure", @@ -378,6 +408,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "inibu2292.www.invalid" + ], "related.user": [ "isetquas" ], @@ -412,6 +445,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ori1241.www.corp" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "ercit", "rsa.misc.result": "failure", @@ -438,6 +474,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa748.localdomain" + ], "related.user": [ "aparia" ], 
@@ -470,6 +509,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "oluptat548.www5.invalid" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "dolorem", "rsa.misc.result": "failure", @@ -496,6 +538,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "loremag6816.www5.lan" + ], "related.user": [ "inrepreh" ], @@ -528,6 +573,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tionemu5269.internal.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "occaec", "rsa.misc.result": "failure", @@ -554,6 +602,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onulamco7734.www.local" + ], "related.user": [ "uptat" ], @@ -586,6 +637,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "luptatem3834.lan" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "tise", @@ -618,6 +672,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "exercita2068.api.invalid" + ], "related.ip": [ "10.169.84.140" ], @@ -651,6 +708,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "orumS757.www5.corp" + ], "related.ip": [ "10.130.231.129" ], @@ -685,6 +745,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "sedquian4212.www5.domain" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eca", 
@@ -718,6 +781,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "oinBCSed3444.api.local" + ], "related.user": [ "smodtem" ], @@ -756,6 +822,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6724", + "related.hosts": [ + "apari5002.api.test" + ], "related.ip": [ "10.9.200.197", "10.182.213.195" @@ -810,9 +879,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ - "10.210.180.142", - "10.111.33.70" + "10.111.33.70", + "10.210.180.142" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "animi", @@ -856,6 +928,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "antiu3533.internal.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "lapari", "rsa.misc.result": "success", @@ -884,6 +959,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "cidu921.internal.lan" + ], "related.ip": [ "10.222.183.123", "10.165.33.19" @@ -924,9 +1002,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.890", + "related.hosts": [ + "unturmag6190.api.lan" + ], "related.ip": [ - "10.238.223.171", - "10.52.190.18" + "10.52.190.18", + "10.238.223.171" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -974,6 +1055,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.3902", + "related.hosts": [ + "conseq6079.www.corp" + ], "related.ip": [ "10.68.233.163", "10.160.178.109" @@ -1018,6 +1102,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tvol3402.www.local" + ], "related.ip": [ "10.162.109.83" ], 
@@ -1050,6 +1137,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "xcep3783.internal.localhost" + ], "related.user": [ "serro" ], @@ -1081,6 +1171,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ciatisun7378.www5.invalid" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "riaturEx", "rsa.misc.result": "unknown", @@ -1112,9 +1205,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6627", + "related.hosts": [ + "iqu4858.mail.invalid" + ], "related.ip": [ - "10.116.175.84", - "10.213.100.153" + "10.213.100.153", + "10.116.175.84" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1156,6 +1252,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.user": [ "estq" ], @@ -1186,6 +1285,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ollitan5079.www.lan" + ], "related.user": [ "deriti" ], @@ -1218,6 +1320,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nihilmol1849.api.local" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -1247,6 +1352,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ota4562.local" + ], "related.user": [ "epteurs" ], @@ -1278,6 +1386,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "gnama5033.www5.home" + ], "related.user": [ "ction" ], 
@@ -1309,6 +1420,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "sum6106.www.home" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "doe", "rsa.misc.result": "failure", @@ -1335,6 +1449,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "squa2763.www.lan" + ], "related.user": [ "trude" ], @@ -1375,9 +1492,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "stiae3403.internal.localhost" + ], "related.ip": [ - "10.240.144.78", - "10.251.159.118" + "10.251.159.118", + "10.240.144.78" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "ostrudex", @@ -1421,6 +1541,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "setq5996.corp" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "odi", "rsa.misc.result": "success", @@ -1448,6 +1571,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quiano3025.api.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "sequatD", "rsa.misc.result": "unknown", @@ -1475,6 +1601,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "qui7797.www.host" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "umet", "rsa.misc.result": "failure", @@ -1510,6 +1639,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "urau1660.www.lan" + ], "related.ip": [ "10.201.132.114", "10.140.209.249" @@ -1555,6 +1687,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "edutpers3482.www5.corp" + ], "related.user": [ "mnisis" ], 
@@ -1592,6 +1727,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2633", + "related.hosts": [ + "nofde7732.internal.test" + ], "related.ip": [ "10.198.44.231", "10.36.122.169" @@ -1644,9 +1782,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "evita850.localdomain" + ], "related.ip": [ - "10.144.162.122", - "10.77.86.215" + "10.77.86.215", + "10.144.162.122" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eav", @@ -1689,6 +1830,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aturau3002.api.corp" + ], "related.user": [ "sci" ], @@ -1720,6 +1864,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ntiumt238.internal.corp" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "odite", @@ -1753,6 +1900,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "atu2951.test" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "pitlab", "rsa.misc.result": "success", @@ -1779,6 +1929,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uipe5295.api.localhost" + ], "related.user": [ "mwrit" ], @@ -1810,6 +1963,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tatiset5041.www5.local" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "Utenim", @@ -1842,6 +1998,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "esse2198.mail.example" + ], "related.user": [ "uaturvel" ], 
@@ -1873,6 +2032,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "pitlab5165.localdomain" + ], "related.ip": [ "10.17.172.91" ], @@ -1906,6 +2068,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uinesci6041.api.local" + ], "related.user": [ "pers" ], @@ -1944,6 +2109,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2115", + "related.hosts": [ + "uovol2459.www5.invalid" + ], "related.ip": [ "10.60.137.215", "10.28.105.106" @@ -1988,6 +2156,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ptate7215.www5.home" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "ssequa", "rsa.misc.result": "failure", @@ -2015,6 +2186,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "metc7395.lan" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -2051,11 +2225,14 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "Loremips5368.www5.corp" + ], "related.ip": [ - "10.20.167.114", "10.49.190.163", "10.166.40.137", - "10.65.144.119" + "10.65.144.119", + "10.20.167.114" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2095,9 +2272,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "mexer1548.www5.example" + ], "related.ip": [ - "10.162.128.87", - "10.104.78.147" + "10.104.78.147", + "10.162.128.87" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "emu", @@ -2132,6 +2312,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "emulla6625.www5.corp" + ], "related.ip": [ "10.237.43.87", "10.82.180.46" 
@@ -2174,6 +2357,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.4189", + "related.hosts": [ + "magn3657.api.invalid" + ], "related.ip": [ "10.180.28.156", "10.234.234.205" @@ -2221,6 +2407,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nis3942.mail.example" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "architec", "rsa.misc.result": "success", @@ -2256,9 +2445,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "upta788.invalid" + ], "related.ip": [ - "10.40.250.209", - "10.166.10.187" + "10.166.10.187", + "10.40.250.209" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", @@ -2302,6 +2494,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "consequu3962.api.localdomain" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -2333,9 +2528,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ita7851.localhost" + ], "related.ip": [ - "10.198.202.72", - "10.78.180.219" + "10.78.180.219", + "10.198.202.72" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "equaturv", @@ -2376,6 +2574,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2390", + "related.hosts": [ + "laparia5374.api.domain" + ], "related.ip": [ "10.147.155.100", "10.232.67.182" @@ -2427,9 +2628,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.1034", + "related.hosts": [ + "onse3711.api.domain" + ], "related.ip": [ - "10.95.152.78", - "10.4.147.70" + "10.4.147.70", + "10.95.152.78" ], "rsa.crypto.sig_type": "cid", "rsa.internal.messageid": "9193", 
@@ -2472,6 +2676,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iac7016.api.lan" + ], "related.user": [ "antiu" ], @@ -2502,6 +2709,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tte4006.www5.test" + ], "related.user": [ "lors" ], @@ -2534,6 +2744,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "equatD1241.www5.host" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "econs", @@ -2568,6 +2781,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "essequ121.localdomain" + ], "related.ip": [ "10.216.14.36", "10.224.250.83" @@ -2608,6 +2824,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6298", + "related.hosts": [ + "borios1685.www.localhost" + ], "related.ip": [ "10.231.10.63", "10.38.22.60" @@ -2663,9 +2882,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "Bonoru5658.mail.invalid" + ], "related.ip": [ - "10.46.57.181", - "10.29.231.11" + "10.29.231.11", + "10.46.57.181" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -2708,6 +2930,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa6797.mail.home" + ], "related.user": [ "agnaal" ], @@ -2738,6 +2963,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iono5161.www5.localhost" + ], "related.user": [ "ita" ], @@ -2770,6 +2998,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "untut3537.domain" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ 
@@ -2808,6 +3039,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "reetd7201.invalid" + ], "related.ip": [ "10.135.250.25", "10.107.144.80" @@ -2854,6 +3088,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tnula4380.mail.test" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "olupta", "rsa.misc.result": "failure", @@ -2880,6 +3117,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "apar2567.www.localhost" + ], "related.user": [ "iscing" ], @@ -2916,6 +3156,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onsecte5119.www.invalid" + ], "related.ip": [ "10.198.207.31", "10.5.88.183" @@ -2952,6 +3195,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iutali3143.host" + ], "related.user": [ "ect" ], @@ -2983,6 +3229,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "orro7466.www5.lan" + ], "related.user": [ "issu" ], @@ -3013,6 +3262,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "epre7710.www.domain" + ], "related.user": [ "aria" ], @@ -3044,6 +3296,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nsequatu2799.www5.invalid" + ], "related.user": [ "mape" ], @@ -3076,6 +3331,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "scingel1634.api.home" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "meaq", 
@@ -3109,6 +3367,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "inBCSe364.www.corp" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-tsedquia", @@ -3150,9 +3411,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onofdeFi1149.www5.domain" + ], "related.ip": [ - "10.154.87.98", - "10.186.68.87" + "10.186.68.87", + "10.154.87.98" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uptate", @@ -3204,6 +3468,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "lumdol5252.internal.test" + ], "related.ip": [ "10.35.59.140", "10.67.211.63" @@ -3250,6 +3517,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quianonn2762.api.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "eeufugia", "rsa.misc.result": "unknown", @@ -3276,6 +3546,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "atn2219.api.invalid" + ], "related.user": [ "radip" ], @@ -3308,6 +3581,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "equu1159.internal.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "atcup", "rsa.misc.result": "failure", @@ -3335,6 +3611,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "urQuisau2442.mail.invalid" + ], "related.user": [ "uptate" ], 
@@ -3370,9 +3649,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "cididu3187.home" + ], "related.ip": [ - "10.179.27.185", - "10.14.46.141" + "10.14.46.141", + "10.179.27.185" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "llumdolo", @@ -3406,6 +3688,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aliqua4025.www.localdomain" + ], "related.user": [ "deFinibu" ], @@ -3439,6 +3724,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "citati1297.api.domain" + ], "related.user": [ "emp" ], @@ -3471,6 +3759,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nreprehe2138.www5.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "eursi", "rsa.misc.result": "success", @@ -3498,6 +3789,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "idolore6589.api.localdomain" + ], "related.user": [ "ctobea" ], @@ -3538,6 +3832,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "erunt3957.internal.lan" + ], "related.ip": [ "10.118.103.185", "10.32.195.34", @@ -3582,9 +3879,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ntNe7144.api.lan" + ], "related.ip": [ - "10.188.88.133", - "10.111.130.177" + "10.111.130.177", + "10.188.88.133" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "numqu", diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index 91bbc2d960f..b0bed38d214 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml 
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
index 921b02b96ea..01202648b26 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
@@ -53,6 +53,26 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{source.address}}'
+ allow_duplicates: false
+ if: ctx?.source?.address != null && ctx.source?.address != ''
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null && ctx.destination?.address != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
index 56ba3e6e78d..5b84648b930 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
@@ -18,9 +18,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "nostrud4819.mail.test", + "oreetdol1714.internal.corp" + ], "related.ip": [ - "10.92.136.230", - "10.49.111.67" + "10.49.111.67", + "10.92.136.230" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt",
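Review bot: The third and fourth `append` processors in the pipeline.yml hunk push `source.address` and `destination.address` into `related.hosts`, but ECS defines the `.address` fields as possibly holding an IP or socket rather than a hostname, so `related.hosts` can end up carrying IP literals that `related.ip` already covers; the same applies to `destination.address` in the sophos/utm hunk below and to `url.domain` in the squid/log hunk, which ECS also allows to be an IP. If this pipeline already copies an IP-shaped address into `source.ip` (not visible here), the condition could exclude that case, e.g. `if: ctx?.source?.address != null && ctx.source?.address != '' && ctx.source?.address != ctx.source?.ip`; the generated fixtures only show hostname-shaped values, so they would not catch the IP case either way. A short comment above the new block, such as `# Populate ECS related.hosts (added in ECS 1.6) with hostnames seen in the event`, would also tie these appends to the ecs.version bump in the sibling input.yml.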
@@ -81,9 +85,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.227.15.1", "10.149.203.46", - "10.150.156.22", - "10.227.15.1" + "10.150.156.22" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -416,9 +420,12 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "fugi4637.www.lan" + ], "related.ip": [ - "10.30.196.102", - "10.241.178.107" + "10.241.178.107", + "10.30.196.102" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", @@ -471,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.157.161.103", - "10.78.151.178" + "10.78.151.178", + "10.157.161.103" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -504,8 +511,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.204.11.20", - "10.239.201.234" + "10.239.201.234", + "10.204.11.20" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", @@ -544,8 +551,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.245.200.97", "10.34.161.166", + "10.245.200.97", "10.219.116.137" ], "rsa.internal.event_desc": "rehend", @@ -592,8 +599,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.252.122.195", - "10.118.80.140" + "10.118.80.140", + "10.252.122.195" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -781,8 +788,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.135.187.104" + "10.135.187.104", + "10.237.163.139" ], "rsa.internal.messageid": "882", "rsa.internal.msg": "itatio", @@ -838,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", 
@@ -1207,9 +1214,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "tiaec5551.www.local", + "ise5905.www.local" + ], "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1420,9 +1431,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.113.100.237", + "10.108.84.24", "10.251.248.228", - "10.108.84.24" + "10.113.100.237" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1635,8 +1646,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.104.49.142", - "10.102.166.19" + "10.102.166.19", + "10.104.49.142" ], "rsa.internal.messageid": "252", "rsa.internal.msg": "eprehend", @@ -1766,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.191.242.168", - "10.165.48.224" + "10.165.48.224", + "10.191.242.168" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", @@ -1852,8 +1863,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.219.42.212", - "10.57.85.98" + "10.57.85.98", + "10.219.42.212" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", @@ -1906,8 +1917,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.195.223.82", - "10.135.70.159" + "10.135.70.159", + "10.195.223.82" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "CSe", @@ -2057,8 +2068,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.12.54.142", - "10.56.10.84" + "10.56.10.84", + "10.12.54.142" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", 
@@ -2176,8 +2187,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.255.4", - "10.200.122.184" + "10.200.122.184", + "10.57.255.4" ], "rsa.identity.user_sid_dst": "sBon", "rsa.internal.event_desc": "fic",
@@ -2318,8 +2329,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.29.246", - "10.125.85.128" + "10.125.85.128", + "10.78.29.246" ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo",
@@ -2449,8 +2460,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.245.216.15", - "10.110.208.170" + "10.110.208.170", + "10.245.216.15" ], "rsa.internal.messageid": "931", "rsa.internal.msg": "aecatcup",
@@ -2673,8 +2684,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.219.228.115", - "10.179.3.247" + "10.179.3.247", + "10.219.228.115" ], "rsa.internal.messageid": "373", "rsa.misc.action": [
diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml
index c2774be9846..865b6e27119 100644
--- a/x-pack/filebeat/module/sophos/utm/config/input.yml
+++ b/x-pack/filebeat/module/sophos/utm/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
index 777046121c7..62aaa2a3c30 100644
--- a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null && ctx.destination?.address != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
index d820157c77c..b57ab7067ab 100644
--- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
@@ -51,14 +51,17 @@ "observer.vendor": "Sophos", "observer.version": "1.5102", "process.pid": 5716, + "related.hosts": [ + "ercit2385.internal.home" + ], "related.ip": [ "10.47.202.102", "10.57.170.140" ], "related.user": [ - "dexeac", "sunt", - "icistatuscode=giatquov" + "icistatuscode=giatquov", + "dexeac" ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF",
@@ -119,6 +122,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3905, + "related.hosts": [ + "eirure7587.internal.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aaliquaU", "rsa.misc.result": "No form context found",
@@ -150,12 +156,15 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.3129", + "related.hosts": [ + "data4478.api.lan" + ], "related.ip": [ "10.106.239.55" ], "related.user": [ - "eaq", - "itquiin" + "itquiin", + "eaq" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor",
@@ -196,6 +205,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7692, + "related.hosts": [ + "ctetura3009.www5.corp" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "corp", "rsa.misc.event_id": "AH00292", @@ -275,6 +287,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 945, + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.18.13.211" ], @@ -306,6 +321,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ssecillu7166.internal.lan" + ], "rsa.internal.event_desc": "barnyard:Initializing daemon mode", "rsa.internal.messageid": "barnyard", "rsa.network.alias_host": [ @@ -333,6 +351,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2164, + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "acom", "rsa.misc.severity": "high", @@ -362,6 +383,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4006, + "related.hosts": [ + "ciun39.localdomain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Unclean shutdown", "rsa.misc.event_id": "AH00098", @@ -392,6 +416,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1263, + "related.hosts": [ + "atatnon6064.www.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_id": "AH00291", "rsa.misc.event_log": "adol", @@ -420,6 +447,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "gitse2463.www5.invalid" + ], "related.user": [ "agnaaliq" ], @@ -475,6 +505,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "oriosam6277.mail.localdomain" + ], "related.ip": [ "10.169.5.162" ], 
@@ -509,6 +542,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5996, + "related.hosts": [ + "ptate3830.internal.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_id": "AH02572", "rsa.misc.event_log": "ntut", @@ -538,6 +574,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3340, + "related.hosts": [ + "nvo6105.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "isn", "rsa.misc.event_id": "AH00020", @@ -592,6 +631,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.5889", + "related.hosts": [ + "edic2758.api.domain" + ], "related.ip": [ "10.54.169.175" ], @@ -698,6 +740,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 170, + "related.hosts": [ + "ectobeat3157.mail.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ditau", "rsa.misc.event_id": "AH02312", @@ -733,6 +778,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 873, + "related.hosts": [ + "ident2323.internal.corp" + ], "related.ip": [ "10.144.21.112" ], @@ -764,6 +812,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ttenb4581.www.host" + ], "rsa.internal.event_desc": "httpproxy:shutdown finished, exiting.", "rsa.internal.messageid": "httpproxy", "rsa.network.alias_host": [ @@ -789,6 +840,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "lapari5763.api.invalid" + ], "related.ip": [ "10.103.2.48" ], @@ -829,6 +883,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "elites4713.www.localhost" + ], "related.ip": [ "10.161.51.135", "10.52.190.18" 
@@ -878,6 +935,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3338, + "related.hosts": [ + "sam1795.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "animide", "rsa.misc.event_id": "AH02312", @@ -968,13 +1028,17 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.5146", + "related.hosts": [ + "nostrum6305.internal.localhost", + "Duis583.api.local" + ], "related.ip": [ "10.17.51.153", "10.89.41.97" ], "related.user": [ - "tio", "tcustatuscode=eumiu", + "tio", "pteurs" ], "rsa.db.index": "eavolupt", @@ -1037,6 +1101,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], "related.user": [ "uptate" ], @@ -1071,6 +1138,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5430, + "related.hosts": [ + "iscivel3512.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.operation_id": "eriti", "rsa.network.host_dst": "iscivel3512.invalid", @@ -1119,6 +1189,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "dolor5799.home" + ], "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded successfully.", "rsa.internal.messageid": "afcd", "rsa.network.alias_host": [ @@ -1147,6 +1220,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6691, + "related.hosts": [ + "oreseosq1859.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "essequam", "rsa.misc.result": "Virus daemon connection problem", @@ -1203,6 +1279,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1121, + "related.hosts": [ + "autodit272.www.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "imadmin", "rsa.misc.severity": "very-high", 
@@ -1234,6 +1313,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3705, + "related.hosts": [ + "rporis6787.www5.localdomain" + ], "related.ip": [ "10.148.21.7" ], @@ -1268,6 +1350,10 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "reprehe5661.www.lan", + "ntore4333.api.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "iumd", "rsa.misc.operation_id": "equam", @@ -1298,6 +1384,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2384, + "related.hosts": [ + "sequatD163.internal.example" + ], "related.ip": [ "10.151.206.38" ], @@ -1331,6 +1420,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "elillu5777.www5.lan" + ], "related.ip": [ "10.230.4.70" ], @@ -1362,6 +1454,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ecatcup3022.mail.invalid" + ], "rsa.db.index": "nproide", "rsa.internal.event_desc": "xl2tpd:xl2tpd Software copyright.", "rsa.internal.messageid": "xl2tpd", @@ -1388,6 +1483,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "qui7797.www.host" + ], "rsa.internal.event_desc": "ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]...", "rsa.internal.messageid": "ipsec_starter", "rsa.network.alias_host": [ @@ -1416,6 +1514,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3994, + "related.hosts": [ + "nofdeFin2037.mail.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "nevol", "rsa.misc.result": "Cannot read reply", @@ -1471,6 +1572,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4074, + "related.hosts": [ + "eFinib2403.api.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ecatcu", "rsa.misc.event_log": "sun", 
@@ -1506,8 +1610,8 @@ "10.244.96.61" ], "related.user": [ - "iumt", - "itsedqui" + "itsedqui", + "iumt" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1572,6 +1676,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1853, + "related.hosts": [ + "obeatae2042.www.domain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ula", "rsa.misc.event_id": "AH01110", @@ -1602,6 +1709,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "aerat1267.www5.example" + ], "rsa.internal.event_desc": "pop3proxy:Master started.", "rsa.internal.messageid": "pop3proxy", "rsa.network.alias_host": [ @@ -1630,6 +1740,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 478, + "related.hosts": [ + "writt2238.internal.localdomain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aed", "rsa.misc.severity": "low", @@ -1660,6 +1773,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7721, + "related.hosts": [ + "siutaliq4937.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "server certificate has a different hostname from actual hostname", "rsa.misc.event_log": "urvel", @@ -1731,14 +1847,17 @@ "observer.vendor": "Sophos", "observer.version": "1.3726", "process.pid": 1090, + "related.hosts": [ + "tenbyCi4371.www5.localdomain" + ], "related.ip": [ "10.98.126.206", "10.214.167.164" ], "related.user": [ "hen", - "amremapstatuscode=dolorsit", - "isnostru" + "isnostru", + "amremapstatuscode=dolorsit" ], "rsa.db.index": "spernatu", "rsa.identity.logon_type": "untutl", @@ -1853,6 +1972,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7755, + "related.hosts": [ + "ectob5542.www5.corp" + ], "related.ip": [ "10.231.77.26" ], 
@@ -1902,15 +2024,19 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.2707", + "related.hosts": [ + "iusmo901.www.home", + "tenima5715.api.example" + ], "related.ip": [ "10.2.24.156", "10.92.93.236" ], "related.user": [ "ulpaq", - "ntoccae", + "Sedutper", "dolorsistatuscode=acc", - "Sedutper" + "ntoccae" ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", @@ -1919,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "icons" + "icons", + "block" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -1990,14 +2116,17 @@ "observer.vendor": "Sophos", "observer.version": "1.3155", "process.pid": 6463, + "related.hosts": [ + "mni4032.lan" + ], "related.ip": [ "10.180.169.49", "10.202.65.2" ], "related.user": [ - "tasu", + "atatno", "iscivelistatuscode=urve", - "atatno" + "tasu" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", @@ -2057,6 +2186,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5350, + "related.hosts": [ + "iscing6960.api.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "SSL Library Error", "rsa.misc.event_log": "incidu", @@ -2090,6 +2222,9 @@ "observer.vendor": "Sophos", "observer.version": "1.6420", "process.pid": 793, + "related.hosts": [ + "olupta3647.host" + ], "rsa.internal.event_desc": "imvenia", "rsa.internal.messageid": "httpd", "rsa.misc.event_log": "ruredo", @@ -2124,6 +2259,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6633, + "related.hosts": [ + "iavolu7814.www5.localhost" + ], "related.ip": [ "10.194.12.83" ], 
@@ -2172,14 +2310,17 @@ "observer.vendor": "Sophos", "observer.version": "1.4256", "process.pid": 5792, + "related.hosts": [ + "obea2960.mail.corp" + ], "related.ip": [ "10.33.138.154", "10.45.12.53" ], "related.user": [ + "eturadip", "umqustatuscode=ntexpli", - "porincid", - "eturadip" + "porincid" ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2269,6 +2410,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 212, + "related.hosts": [ + "olli5982.www.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "uatDui", "rsa.misc.result": "virus daemon error", @@ -2300,6 +2444,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3136, + "related.hosts": [ + "nsecte3644.internal.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "isund", "rsa.misc.severity": "high", @@ -2334,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "etconsec", - "antium" + "antium", + "etconsec" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2371,6 +2518,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "econseq7119.www.home" + ], "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [ @@ -2399,6 +2549,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3669, + "related.hosts": [ + "ant2543.www5.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "lapa", "rsa.misc.result": "Cannot read reply", 
@@ -2471,15 +2624,18 @@ "observer.vendor": "Sophos", "observer.version": "1.7641", "process.pid": 6562, + "related.hosts": [ + "nisiuta4810.api.test" + ], "related.ip": [ - "10.210.175.52", - "10.85.200.58" + "10.85.200.58", + "10.210.175.52" ], "related.user": [ - "reetd", - "inimastatuscode=emipsum", "Loremi", - "rExce" + "rExce", + "reetd", + "inimastatuscode=emipsum" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2547,9 +2703,12 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "itametc1599.api.test" + ], "related.ip": [ - "10.115.166.48", - "10.133.45.45" + "10.133.45.45", + "10.115.166.48" ], "rsa.internal.event_desc": "Authentication", "rsa.internal.messageid": "ulogd", @@ -2594,6 +2753,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "tiumt5462.mail.localhost" + ], "rsa.internal.event_desc": "sshd:Invalid user admin.", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [ @@ -2619,6 +2781,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "vol1450.internal.host" + ], "related.ip": [ "10.71.184.162" ], @@ -2675,6 +2840,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5943, + "related.hosts": [ + "rporissu573.api.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "nihi", "rsa.misc.event_id": "AH02312", @@ -2705,6 +2873,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "nostru774.corp" + ], "rsa.internal.messageid": "URID", "rsa.misc.action": [ "allow" @@ -2759,6 +2930,9 @@ "observer.vendor": "Sophos", "observer.version": "1.7102", "process.pid": 5037, + "related.hosts": [ + "lorsita2216.www5.example" + ], "rsa.internal.event_desc": "olorsita", "rsa.internal.messageid": "httpd", "rsa.misc.event_log": "iadese", 
@@ -2795,6 +2969,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4346, + "related.hosts": [ + "sum2208.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "nia", "rsa.misc.severity": "medium", @@ -2824,6 +3001,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5126, + "related.hosts": [ + "ore6843.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "No signature on cookie", "rsa.misc.event_log": "aveniam", @@ -2857,6 +3037,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7442, + "related.hosts": [ + "Sedu1610.mail.corp" + ], "related.ip": [ "10.177.35.133" ], @@ -2892,6 +3075,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6600, + "related.hosts": [ + "corpo6737.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aliquide", "rsa.misc.result": "failure", @@ -2942,6 +3128,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "eratvol314.www.home" + ], "rsa.internal.event_desc": "pop3proxy:Master started.", "rsa.internal.messageid": "pop3proxy", "rsa.network.alias_host": [ @@ -2971,6 +3160,10 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2389, + "related.hosts": [ + "utemvele1838.mail.test", + "seosquir715.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "rci", "rsa.misc.event_log": "aco", @@ -3008,6 +3201,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2237, + "related.hosts": [ + "ulapari2656.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "non", "rsa.misc.result": "failure", 
@@ -3120,6 +3316,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7766, + "related.hosts": [ + "stla2856.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "configured", "rsa.misc.event_log": "adolo", @@ -3150,6 +3349,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2404, + "related.hosts": [ + "peri6748.www5.domain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Unclean shutdown", "rsa.misc.event_id": "AH00098", @@ -3181,6 +3383,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6108, + "related.hosts": [ + "tnon5442.internal.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.action": [ "accept" @@ -3215,6 +3420,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7690, + "related.hosts": [ + "ariatu2606.www.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Not all file sent to client", "rsa.misc.event_log": "umquid", @@ -3251,6 +3459,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "imv1805.api.host" + ], "related.ip": [ "10.248.62.55", "10.96.243.231" @@ -3303,6 +3514,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7650, + "related.hosts": [ + "rita600.www5.localdomain" + ], "related.ip": [ "10.132.101.158" ], @@ -3359,6 +3573,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1817, + "related.hosts": [ + "admini1122.www.local" + ], "related.ip": [ "10.96.193.132" ], @@ -3402,8 +3619,8 @@ "10.96.200.83" ], "related.user": [ - "acommod", - "lapariat" + "lapariat", + "acommod" ], "rsa.identity.logon_type": "remeumf", "rsa.internal.event_desc": "dol", 
@@ -3439,6 +3656,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "emvel4391.localhost" + ], "rsa.internal.event_desc": "sshd: Did not receive identification string.", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [
@@ -3489,6 +3709,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "untinc5531.www5.test" + ], "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [
diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml
index ac392325320..5ce8949c381 100644
--- a/x-pack/filebeat/module/squid/log/config/input.yml
+++ b/x-pack/filebeat/module/squid/log/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
index 96b12b89731..9a8f547c6d1 100644
--- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null && ctx.server?.domain != ''
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ allow_duplicates: false
+ if: ctx?.url?.domain != null && ctx.url?.domain != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
index 3bd7adbce31..26b891ba4f1 100644
--- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
@@ -21,6 +21,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ "209.73.177.115", "10.105.21.199"
@@ -82,9 +85,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek"
@@ -145,6 +151,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61"
@@ -196,6 +205,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ],
@@ -208,8 +220,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200",
@@ -246,6 +258,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ "10.105.21.199" ],
@@ -307,6 +322,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61"
@@ -320,8 +338,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200",
@@ -367,9 +385,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ - "66.102.9.147", - "10.105.21.199" + "10.105.21.199", + "66.102.9.147" ], "related.user": [ "badeyek" @@ -380,8 +401,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -430,6 +451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -443,8 +467,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -493,9 +517,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -556,6 +583,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -569,8 +599,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -607,6 +637,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], 
@@ -619,8 +652,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -669,6 +702,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "as.casalemedia.com" + ], "related.ip": [ "10.105.21.199", "209.85.16.38" @@ -682,8 +718,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -726,6 +762,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.21.199", "68.142.213.132" @@ -738,8 +777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -785,9 +824,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "impgb.tradedoubler.com" + ], "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" ], "related.user": [ "badeyek" @@ -798,8 +840,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -848,9 +890,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" 
@@ -861,8 +906,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -899,6 +944,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -911,8 +959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -961,9 +1009,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -974,8 +1025,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1024,9 +1075,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1037,8 +1091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -1082,9 +1136,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" ], "related.user": [ "badeyek" @@ -1145,6 +1202,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "ff.connextra.com" + ], "related.ip": [ "213.160.98.161", "10.105.21.199" @@ -1208,6 +1268,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "dd.connextra.com" + ], "related.ip": [ "213.160.98.160", "10.105.21.199" @@ -1258,6 +1321,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1270,8 +1336,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1316,9 +1382,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1328,8 +1397,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1366,6 +1435,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "update.messenger.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], 
@@ -1378,8 +1450,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1424,6 +1496,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -1436,8 +1511,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1485,9 +1560,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1498,8 +1576,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1548,6 +1626,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218", "204.13.51.238" @@ -1561,8 +1642,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1607,6 +1688,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "10.105.33.214", "216.155.194.239" 
@@ -1657,6 +1741,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "rms.adobe.com" + ], "related.ip": [ "10.105.37.58" ], @@ -1669,8 +1756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1707,6 +1794,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1757,6 +1847,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1769,8 +1862,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1818,9 +1911,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1881,9 +1977,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1894,8 +1993,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", 
@@ -1940,6 +2039,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -1952,8 +2054,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1996,9 +2098,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2056,6 +2161,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2069,8 +2177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2115,6 +2223,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -2127,8 +2238,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2172,9 +2283,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "address.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "209.191.93.51" + "209.191.93.51", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -2235,6 +2349,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "fxfeeds.mozilla.org" + ], "related.ip": [ "63.245.209.21", "10.105.21.199" @@ -2294,9 +2411,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2307,8 +2427,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2351,9 +2471,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2401,6 +2524,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2412,8 +2538,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2450,6 +2576,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2499,6 +2628,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], 
@@ -2547,6 +2679,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2558,8 +2693,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2605,9 +2740,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2618,8 +2756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2655,6 +2793,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2666,8 +2807,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2713,9 +2854,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2870,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -2772,9 +2916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2831,6 +2978,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -2891,6 +3041,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2942,6 +3095,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -2953,8 +3109,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2991,6 +3147,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -3049,6 +3208,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3109,6 +3271,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" 
@@ -3169,9 +3334,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3229,9 +3397,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3280,6 +3451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3330,6 +3504,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3342,8 +3519,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3380,6 +3557,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3392,8 +3572,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3439,9 +3619,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "newsrss.bbc.co.uk" + ], "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" ], "related.user": [ "badeyek" 
@@ -3452,8 +3635,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3499,6 +3682,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "68.142.231.252", "10.105.33.214" @@ -3550,6 +3736,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.ent1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3600,6 +3789,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3612,8 +3804,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3659,6 +3851,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3721,9 +3916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3734,8 +3932,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -3781,9 +3979,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3841,6 +4042,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -3901,9 +4105,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3914,8 +4121,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3952,6 +4159,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -3964,8 +4174,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4002,6 +4212,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -4064,9 +4277,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" 
@@ -4124,6 +4340,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -4137,8 +4356,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4184,9 +4403,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4247,9 +4469,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.a2.yimg.com" + ], "related.ip": [ - "213.160.98.152", - "10.105.33.214" + "10.105.33.214", + "213.160.98.152" ], "related.user": [ "adeolaegbedokun" @@ -4260,8 +4485,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4307,9 +4532,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4365,6 +4593,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.213.132" 
@@ -4423,9 +4654,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -4480,9 +4714,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "pclick.internal.yahoo.com" + ], "related.ip": [ - "216.109.124.55", - "10.105.33.214" + "10.105.33.214", + "216.109.124.55" ], "related.user": [ "adeolaegbedokun" @@ -4530,6 +4767,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4592,6 +4832,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4605,8 +4848,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4655,6 +4898,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4668,8 +4914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4714,6 +4960,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ "209.73.177.115", "10.105.21.199" 
@@ -4726,8 +4975,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4776,9 +5025,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -4839,9 +5091,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4852,8 +5107,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4890,6 +5145,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4902,8 +5160,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4952,9 +5210,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" 
@@ -5015,6 +5276,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "213.160.98.159", "10.105.33.214" @@ -5078,6 +5342,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.167" @@ -5091,8 +5358,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5129,6 +5396,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5179,6 +5449,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -5191,8 +5464,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5236,9 +5509,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "launch.adserver.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.109.125.112" + "216.109.125.112", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5249,8 +5525,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -5296,6 +5572,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "uk.f250.mail.yahoo.com" + ], "related.ip": [ "217.12.10.96", "10.105.21.199" @@ -5346,6 +5625,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.live.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5407,9 +5689,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5458,6 +5743,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5520,6 +5808,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199", "213.160.98.169" @@ -5533,8 +5824,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5571,6 +5862,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5621,6 +5915,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5671,6 +5968,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], 
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
index 226b7f9c6c2..01ed5accbe6 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
@@ -333,6 +333,11 @@ processors:
 field: file.x509.not_before
 value: '{{tls.server.not_before}}'
 ignore_empty_value: true
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ if: ctx.url?.domain != null && ctx.url?.domain != ''
+ allow_duplicates: false
 - remove:
 field:
 - suricata.eve.app_proto
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
index b7bc49cb9e0..68412b504dc 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
@@ -41,6 +41,9 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "example.net"
+ ],
 "related.ip": [
 "192.168.1.146",
 "93.184.216.34"
@@ -118,6 +121,9 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "example.net"
+ ],
 "related.ip": [
 "192.168.1.146",
 "93.184.216.34"
@@ -195,6 +201,9 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "example.net"
+ ],
 "related.ip": [
 "192.168.1.146",
 "93.184.216.34"
@@ -272,6 +281,9 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "example.org"
+ ],
 "related.ip": [
 "192.168.1.146",
 "93.184.216.34"
@@ -349,6 +361,9 @@
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "example.org"
+ ],
 "related.ip": [
 "192.168.1.146",
 "93.184.216.34"
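Review bot: The `if:` guard on the new `append` processor only rejects null and empty, so an IP literal used as the HTTP Host header is copied into `related.hosts` too — the eve-small fixture in this same commit now lists `192.168.86.28` under `related.hosts` while the same address already sits in `related.ip`. `related.hosts` is meant for hostnames, and mixing IP literals in makes hostname-based pivots and detections over that field noisier, so either tighten the condition to skip values that are plain IP addresses or add a comment such as `# NOTE: url.domain may be an IP literal when the client sent an IP as Host; it is still appended here` so the behaviour is deliberate rather than accidental. Separately, the squid `access1.log-expected.json` hunks in this commit flip the order of existing `related.ip` and `rsa.misc.action` entries without any change to those values, which suggests the generated expected output is not order-stable and will keep producing spurious fixture diffs. The `processors:` list this hunk edits continues outside the hunk.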
@@ -426,6 +441,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -503,6 +521,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -580,6 +601,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -657,6 +681,9 @@ "network.packets": 11, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -734,6 +761,9 @@ "network.packets": 126, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -811,6 +841,9 @@ "network.packets": 185, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -888,6 +921,9 @@ "network.packets": 377, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -965,6 +1001,9 @@ "network.packets": 131, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1042,6 +1081,9 @@ "network.packets": 210, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1119,6 +1161,9 @@ "network.packets": 412, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" 
@@ -1196,6 +1241,9 @@ "network.packets": 504, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1273,6 +1321,9 @@ "network.packets": 916, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1350,6 +1401,9 @@ "network.packets": 921, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1426,6 +1480,9 @@ "network.packets": 1503, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1502,6 +1559,9 @@ "network.packets": 1654, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index cbc0f39eb76..5d113c8d370 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -130,6 +130,9 @@ "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], "related.ip": [ "192.168.86.85", "192.168.86.28" @@ -182,6 +185,9 @@ "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=", "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], "related.ip": [ "192.168.86.28", "192.168.86.85" diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml index a735b86e766..b888ca3989d 100644 
--- a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml
+++ b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml
index 26f7511d6c8..cf257ba5d64 100644
--- a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml
@@ -53,6 +53,26 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{source.address}}'
+ allow_duplicates: false
+ if: ctx?.source?.address != null && ctx.source?.address != ''
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null && ctx.destination?.address != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json
index c35bd2dbb66..9b9183fe35a 100644
--- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json
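Review bot: `source.address` and `destination.address` are appended to `related.hosts` with no check that they actually hold a host name, and the updated generated.log fixture in this change contains the token `"Remote:"` under `related.hosts`, which suggests at least one of these address fields carries a non-host string for some messages; ECS `*.address` fields can hold an IP, a domain or other identifiers, so addresses and stray tokens will be indexed as hosts. If the intent is hostnames only, narrow the condition (for example, skip values that are IP literals or contain `:`) or append only `host.name`/`host.hostname` here, and add a comment stating why the address fields are included. The guards also mix `ctx?.host?.name` with `ctx.host?.name` in one expression; `ctx` is always present, so `if: ctx.host?.name != null && ctx.host?.name != ''` is equivalent and more consistent. The `processors` list and its `on_failure` handler continue outside the hunk.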
@@ -12,6 +12,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "exe7309.internal.local" + ], "rsa.internal.event_desc": "rsitam", "rsa.internal.messageid": "302776834", "rsa.misc.event_source": "reprehe", @@ -41,6 +44,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "llam2073.internal.localdomain", + "sitas4259.mail.corp" + ], "rsa.internal.event_desc": "aboreetd", "rsa.internal.messageid": "303235083", "rsa.misc.event_source": "iumto", @@ -72,6 +79,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt3702.www.localhost" + ], "rsa.internal.event_desc": "colabor", "rsa.internal.messageid": "302450432", "rsa.misc.event_source": "tectobe", @@ -99,6 +109,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "onse254.www5.localdomain", + "tat6349.internal.lan" + ], "rsa.db.index": "uiineavo", "rsa.internal.event_desc": "Invalid log record", "rsa.internal.messageid": "Invalid", @@ -146,6 +160,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "mdolore2062.mail.host" + ], "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "302449409", "rsa.misc.event_source": "den", @@ -175,6 +192,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "nisi6901.mail.home" + ], "related.user": [ "rem" ], @@ -208,6 +228,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "dutp6197.www.test" + ], "rsa.internal.event_desc": "tconsect", "rsa.internal.messageid": "303235076", "rsa.misc.event_source": "siut", 
@@ -237,6 +260,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umSe1918.local", + "nBCSedut1502.www5.example" + ], "rsa.internal.event_desc": "oditautf", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "fugia", @@ -270,6 +297,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt2189.lan", + "temporin7150.mail.local" + ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449169", "rsa.misc.event_source": "rationev", @@ -303,6 +334,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "emq6633.domain" + ], "related.user": [ "tinvolup" ], @@ -336,6 +370,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "Except6889.www.corp" + ], "rsa.internal.event_desc": "umq", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "asper", @@ -363,6 +400,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "quatD1370.invalid" + ], "rsa.internal.event_desc": "veniamqu", "rsa.internal.messageid": "302452802", "rsa.misc.event_source": "iruredol", @@ -392,6 +432,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "iatqu6203.mail.corp", + "quaeab2653.mail.localdomain" + ], "rsa.db.index": "itat", "rsa.internal.event_desc": "aco", "rsa.internal.messageid": "303235080", @@ -428,6 +472,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "redol124.mail.invalid" + ], "rsa.internal.event_desc": "orinrep", "rsa.internal.messageid": "302450688", "rsa.misc.event_source": "ctetu", 
@@ -455,6 +502,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "enim5999.mail.localhost" + ], "rsa.internal.event_desc": "orroquis", "rsa.internal.messageid": "303169538", "rsa.misc.event_source": "iame", @@ -484,6 +534,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "reseosqu1629.mail.lan", + "rsitvolu3596.www.test" + ], "rsa.internal.event_desc": "gelitsed", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "adm", @@ -515,6 +569,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tan3170.api.example" + ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "303235081", "rsa.misc.checksum": "dtemp", @@ -543,6 +600,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "eseruntm4247.mail.local", + "magnaal5792.www5.domain" + ], "rsa.counters.dclass_c1": 7519, "rsa.counters.dclass_c1_str": "Number of Virus Cleaned.", "rsa.internal.event_desc": "Cleaned up downloaded content.", @@ -571,6 +632,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "itatio6735.api.example" + ], "rsa.internal.event_desc": "rumSec", "rsa.internal.messageid": "302452801", "rsa.misc.event_source": "rsin", @@ -598,6 +662,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "radip163.mail.invalid" + ], "rsa.internal.event_desc": "miurerep", "rsa.internal.messageid": "302449166", "rsa.misc.event_source": "ainc", 
@@ -632,10 +699,14 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "vol866.api.domain", + "bore5546.www.local" + ], "related.ip": [ "10.7.164.113", - "10.207.125.114", - "10.175.83.138" + "10.175.83.138", + "10.207.125.114" ], "related.user": [ "remip" @@ -679,6 +750,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "inc5923.www.test", + "tatemseq5797.home" + ], "rsa.internal.event_desc": "eufugi", "rsa.internal.messageid": "302452817", "rsa.misc.event_source": "oremip", @@ -716,9 +791,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "enima7673.api.localhost", + "sequ6424.www.invalid" + ], "related.ip": [ - "10.217.91.49", - "10.139.207.36" + "10.139.207.36", + "10.217.91.49" ], "related.user": [ "lumqui" @@ -766,6 +845,10 @@ "observer.vendor": "Symantec", "process.parent.name": "mquis", "process.ppid": 5040, + "related.hosts": [ + "tnulapa7580.www.domain", + "madminim6826.www.host" + ], "related.ip": [ "10.249.243.41" ], @@ -820,6 +903,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ici182.invalid", + "caecat4678.www.home" + ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449415", "rsa.misc.event_source": "quisn", @@ -851,6 +938,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "beat2952.internal.localhost" + ], "rsa.internal.event_desc": "iarchite", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "qua", 
@@ -880,6 +970,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ured3428.www.corp", + "uames7663.internal.local" + ], "rsa.internal.event_desc": "taspe", "rsa.internal.messageid": "302776321", "rsa.misc.event_source": "oreeu", @@ -911,6 +1005,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "velillum6639.www5.local" + ], "rsa.internal.event_desc": "itinvo", "rsa.internal.messageid": "302449153", "rsa.misc.event_source": "Mal", @@ -940,6 +1037,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "dictasun3408.internal.invalid", + "onoru5767.internal.domain" + ], "rsa.internal.event_desc": "uam", "rsa.internal.messageid": "303235079", "rsa.misc.event_source": "dipisciv", @@ -1002,6 +1103,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "uipe6805.www5.domain", + "atisu6579.test", + "tqui1142.www5.domain" + ], "related.ip": [ "10.209.205.25", "10.185.64.46" @@ -1091,9 +1197,14 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.7457", + "related.hosts": [ + "udexerci6630.mail.test", + "isiut4530.localdomain", + "deomn904.www.home" + ], "related.ip": [ - "10.35.89.51", - "10.202.55.203" + "10.202.55.203", + "10.35.89.51" ], "related.user": [ "Quis" @@ -1149,6 +1260,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "niamqui7696.mail.test", + "taliqu701.www.localhost" + ], "rsa.internal.event_desc": "Traffic Redirection disabled.", "rsa.internal.messageid": "Traffic", "rsa.network.alias_host": [ 
@@ -1181,6 +1296,10 @@ "observer.vendor": "Symantec", "process.parent.name": "onnu", "process.ppid": 724, + "related.hosts": [ + "ngelits6213.internal.test", + "lumd4298.mail.localdomain" + ], "related.ip": [ "10.139.89.148" ], @@ -1263,9 +1382,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tuserror810.www5.corp", + "uptate5787.api.local" + ], "related.ip": [ - "10.87.92.95", - "10.247.21.74" + "10.247.21.74", + "10.87.92.95" ], "related.user": [ "Sedutper" @@ -1313,6 +1436,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ruredolo7392.internal.host", + "mipsu3757.www5.home" + ], "rsa.db.index": "oris", "rsa.internal.event_desc": "labor", "rsa.internal.messageid": "303235080", @@ -1365,6 +1492,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ntmo4076.lan" + ], "rsa.internal.event_desc": "doconse", "rsa.internal.messageid": "302449158", "rsa.misc.event_source": "ationula", @@ -1414,6 +1544,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "amni48.internal.localdomain", + "alo6036.www5.local" + ], "rsa.internal.event_desc": "ita", "rsa.internal.messageid": "302710785", "rsa.misc.event_source": "mdolore", @@ -1447,6 +1581,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tenatus4129.www.local", + "uredo4613.home" + ], "rsa.internal.event_desc": "olupta", "rsa.internal.messageid": "303235082", "rsa.misc.event_source": "upi", @@ -1498,6 +1636,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "mini3181.api.test" + ], "rsa.internal.event_desc": "mwrit", "rsa.internal.messageid": "302452819", "rsa.misc.event_source": "ommodoc", 
@@ -1533,6 +1674,10 @@ "observer.vendor": "Symantec", "observer.version": "1.3638", "process.name": "remap", + "related.hosts": [ + "rsitam2337.mail.localdomain", + "iduntu7302.www.invalid" + ], "related.ip": [ "10.8.143.229" ], @@ -1557,8 +1702,8 @@ "rsa.misc.version": "1.3638", "rsa.misc.virusname": "isqu", "rsa.network.alias_host": [ - "rsitam2337.mail.localdomain", - "assit1598.www5.invalid" + "assit1598.www5.invalid", + "rsitam2337.mail.localdomain" ], "rsa.network.domain": "ema7531.api.example", "rsa.threat.threat_category": "isqu", @@ -1589,6 +1734,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "equu7361.www5.localdomain" + ], "rsa.internal.event_desc": "pta", "rsa.internal.messageid": "302449178", "rsa.misc.event_source": "non", @@ -1623,6 +1771,10 @@ "observer.vendor": "Symantec", "process.parent.name": "ipsum", "process.ppid": 885, + "related.hosts": [ + "uisno4545.www5.corp", + "iono5777.invalid" + ], "related.ip": [ "10.137.5.67" ], @@ -1726,6 +1878,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "adminima6097.corp", + "agnamali3222.example" + ], "related.ip": [ "10.66.203.117", "10.92.93.236" @@ -1777,6 +1933,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "equ2353.internal.local", + "eratv6521.example" + ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "302452807", "rsa.misc.event_source": "tlaboree", @@ -1810,6 +1970,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "bori7611.invalid", + "iset1992.internal.example" + ], "rsa.internal.event_desc": "imadmini", "rsa.internal.messageid": "302776321", "rsa.misc.event_source": "ffic", 
@@ -1860,6 +2024,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ntin2655.www.localdomain" + ], "rsa.internal.event_desc": "epo", "rsa.internal.messageid": "302449413", "rsa.misc.event_source": "itasper", @@ -1887,6 +2054,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "siuta395.home" + ], "rsa.internal.event_desc": "iumdolor", "rsa.internal.messageid": "302449414", "rsa.misc.event_source": "fugiat", @@ -1914,6 +2084,9 @@ "observer.product": "oluptate", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umdolore5014.api.lan" + ], "rsa.internal.event_desc": "Configuration Change", "rsa.internal.messageid": "Configuration", "rsa.misc.severity": "low", @@ -1939,6 +2112,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tisund4302.www5.local", + "vel1911.lan" + ], "related.ip": [ "10.147.225.53" ], @@ -2032,6 +2209,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "evelites2448.www.host", + "quisnost7124.api.domain" + ], "rsa.internal.event_desc": "odtem", "rsa.internal.messageid": "303169540", "rsa.misc.event_source": "uidexea", @@ -2076,6 +2257,11 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.132", + "related.hosts": [ + "iatquovo4868.test", + "madmi2948.internal.lan", + "edi6108.internal.domain" + ], "related.ip": [ "10.72.200.11", "10.132.171.142" @@ -2137,6 +2323,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "reverita794.mail.domain" + ], "related.user": [ "nis" ], 
@@ -2170,6 +2359,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "lillumq4387.www5.localhost" + ], "rsa.internal.event_desc": "sse", "rsa.internal.messageid": "302452743", "rsa.misc.event_source": "turExce", @@ -2199,6 +2391,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ipi563.api.lan" + ], "related.user": [ "anti" ], @@ -2232,6 +2427,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "uptatemU1147.mail.corp", + "mqu3327.internal.host" + ], "rsa.internal.event_desc": "Connection reset.", "rsa.internal.messageid": "Connection", "rsa.network.alias_host": [ @@ -2260,6 +2459,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "emp42.mail.test", + "ecatcupi4759.internal.local" + ], "rsa.internal.event_desc": "ritati", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "tenb", @@ -2312,6 +2515,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ipsu7538.www5.host" + ], "rsa.internal.event_desc": "squa", "rsa.internal.messageid": "302450944", "rsa.misc.event_source": "lamc", @@ -2368,9 +2574,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "iusmo5734.internal.invalid", + "dita2048.www5.home" + ], "related.ip": [ - "10.40.133.90", - "10.171.13.85" + "10.171.13.85", + "10.40.133.90" ], "related.user": [ "bor" @@ -2441,6 +2651,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ngelits2743.www5.host", + "inrepr7369.www.domain" + ], "rsa.internal.event_desc": "tatemac", "rsa.internal.messageid": "302452816", "rsa.misc.event_source": "lore", 
@@ -2474,6 +2688,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt717.invalid", + "alorum1804.mail.test" + ], "rsa.internal.event_desc": "ano", "rsa.internal.messageid": "302452808", "rsa.misc.event_source": "psum", @@ -2507,6 +2725,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "queporr7029.internal.test" + ], "related.user": [ "unti" ], @@ -2569,9 +2790,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "upidat1328.internal.localhost", + "urExcep6087.www5.localhost" + ], "related.ip": [ - "10.31.231.57", - "10.155.163.6" + "10.155.163.6", + "10.31.231.57" ], "related.user": [ "norumetM" @@ -2641,6 +2866,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tesseci33.internal.example" + ], "rsa.internal.event_desc": "nost", "rsa.internal.messageid": "302452816", "rsa.misc.event_source": "met", @@ -2668,6 +2896,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "alo7567.www5.test" + ], "rsa.internal.event_desc": "quisnos", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "proident", @@ -2695,6 +2926,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "process.name": "sumq.exe", + "related.hosts": [ + "idest4209.api.domain" + ], "rsa.internal.event_desc": "The process can not lock the process status table", "rsa.internal.messageid": "275", "rsa.misc.reference_id": "275", 
@@ -2730,9 +2964,14 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "exer3621.www5.test", + "tisetqua6007.api.home", + "its1301.www.test" + ], "related.ip": [ - "10.216.134.62", - "10.134.6.246" + "10.134.6.246", + "10.216.134.62" ], "related.user": [ "ntexpl" @@ -2789,6 +3028,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ventorev7571.www5.corp", + "Remote:" + ], "related.ip": [ "10.202.96.232" ], @@ -2832,6 +3075,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umSectio5136.www.local", + "untexpli391.internal.domain" + ], "rsa.internal.event_desc": "ipitlabo", "rsa.internal.messageid": "302449156", "rsa.misc.event_source": "num", @@ -2874,6 +3121,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "quide2790.mail.invalid", + "eniamqu1863.api.lan", + "quipex2615.www5.localhost" + ], "related.ip": [ "10.56.95.160", "10.29.149.77" @@ -2941,6 +3193,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ugia146.www5.corp", + "tionul7555.www5.lan", + "remipsum5485.api.local" + ], "related.ip": [ "10.173.98.74", "10.70.185.238" @@ -2998,6 +3255,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ilmoles4582.api.lan" + ], "related.user": [ "dolor" ], @@ -3031,6 +3291,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "giatquo3267.www.lan", + "quiado6095.mail.localhost" + ], "rsa.internal.event_desc": "Connected to Management Server", "rsa.internal.messageid": "Connected", "rsa.network.alias_host": [ 
@@ -3059,6 +3323,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "odite7850.internal.corp", + "cidun7605.www5.example" + ], "related.ip": [ "10.201.112.171" ], @@ -3111,6 +3379,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ssitasp7492.test" + ], "rsa.internal.event_desc": "eserun", "rsa.internal.messageid": "302448900", "rsa.misc.event_source": "ssitaspe", @@ -3140,6 +3411,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "estq2131.api.localdomain", + "rem6392.internal.domain" + ], "rsa.internal.event_desc": "did", "rsa.internal.messageid": "302452802", "rsa.misc.event_source": "upt", @@ -3173,6 +3448,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "giatq7007.www.domain", + "upi3.www.home" + ], "rsa.internal.event_desc": "caecatc", "rsa.internal.messageid": "303235079", "rsa.misc.event_source": "iquaUt", @@ -3207,9 +3486,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "itess2258.api.lan", + "ianonnu4387.www.domain" + ], "related.ip": [ - "10.59.140.108", - "10.90.66.238" + "10.90.66.238", + "10.59.140.108" ], "related.user": [ "nulap" @@ -3270,6 +3553,11 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.6400", + "related.hosts": [ + "epteur5858.www5.local", + "rin5257.www5.test", + "ess3012.mail.test" + ], "related.ip": [ "10.38.136.160", "10.45.116.216" @@ -3326,6 +3614,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "aed3193.api.lan" + ], "rsa.internal.event_desc": "equa", "rsa.internal.messageid": "302449409", "rsa.misc.event_source": "sunti", 
@@ -3373,6 +3664,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "rumSec5271.home"
+ ],
 "rsa.internal.event_desc": "unt",
 "rsa.internal.messageid": "302449166",
 "rsa.misc.event_source": "evolupt",
@@ -3402,6 +3696,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "volu7499.www5.localhost"
+ ],
 "related.user": [
 "sedqui"
 ],
@@ -3437,6 +3734,10 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "oNem5850.www.example",
+ "gnama2349.mail.domain"
+ ],
 "rsa.internal.event_desc": "ccusan",
 "rsa.internal.messageid": "302449409",
 "rsa.misc.event_source": "ntiu",
diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml
index 256f657133f..d9f1e4a1452 100644
--- a/x-pack/filebeat/module/tomcat/log/config/input.yml
+++ b/x-pack/filebeat/module/tomcat/log/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
index 9983081e838..64e1d82943a 100644
--- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
@@ -53,6 +53,21 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.fqdn}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != ''
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.web_ref_domain}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.web_ref_domain != null && ctx.rsa?.web?.web_ref_domain != ''
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ allow_duplicates: false
+ if: ctx?.url?.domain != null && ctx.url?.domain != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
index eb9298f3d1b..51d46cc753a 100644
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -14,6 +14,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://example.com/illumqui/ventore.html?min=ite#utl",
+ "mail.example.net",
+ "example.com"
+ ],
 "related.ip": [
 "10.251.224.219"
 ],
@@ -68,6 +73,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev",
+ "mail.example.com",
+ "www5.example.net"
+ ],
 "related.ip": [
 "10.196.153.12"
 ],
@@ -121,6 +131,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat",
+ "www.example.com",
+ "internal.example.com"
+ ],
 "related.ip": [
 "10.156.194.38"
 ],
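Review bot: The first `append` copies `rsa.web.fqdn` into `related.hosts` unchanged, and every entry in the updated generated.log fixture shows what appears to be that value as a complete URL with scheme, path, query and fragment (for example `https://example.com/illumqui/ventore.html?min=ite#utl`) rather than a host, while the host portion of the same URL is already appended from `url.domain` as the third entry. A full URL under `related.hosts` will not match host-based searches and carries query-string values into a field intended for host identifiers, so the `rsa.web.fqdn` processor should be dropped or its value reduced to the host part before appending, with a comment such as `# rsa.web.fqdn holds the full request URL in this module; only its host belongs in related.hosts`. The `processors` list and its `on_failure` handler continue outside the hunk.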
@@ -177,6 +192,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "mail.example.com", + "www5.example.org" + ], "related.ip": [ "10.196.118.192" ], @@ -231,6 +251,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.246.209.145" ], @@ -285,6 +310,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "www5.example.org", + "internal.example.com" + ], "related.ip": [ "10.114.191.225" ], @@ -340,6 +370,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "api.example.com", + "www5.example.net" + ], "related.ip": [ "10.38.77.13" ], @@ -397,6 +432,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "mail.example.org", + "www.example.org" + ], "related.ip": [ "10.11.201.109" ], @@ -453,6 +493,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "example.org", + "api.example.org" + ], "related.ip": [ "10.182.166.181" ], @@ -507,6 +552,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.185.126.247" ], 
@@ -560,6 +610,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "mail.example.net", + "example.com" + ], "related.ip": [ "10.72.114.23" ], @@ -617,6 +672,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "internal.example.net", + "example.net" + ], "related.ip": [ "10.129.241.147" ], @@ -674,6 +734,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "internal.example.net", + "www5.example.com" + ], "related.ip": [ "10.185.101.76" ], @@ -730,6 +795,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "www.example.org", + "example.net" + ], "related.ip": [ "10.57.170.140" ], @@ -784,6 +854,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.33.153.47" ], @@ -839,6 +914,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "internal.example.net" + ], "related.ip": [ "10.116.104.101" ], @@ -895,6 +974,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.202.194.67" ], 
@@ -950,6 +1034,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "www.example.com", + "www5.example.com" + ], "related.ip": [ "10.153.111.103" ], @@ -1006,6 +1095,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "internal.example.net", + "www5.example.org" + ], "related.ip": [ "10.52.186.29" ], @@ -1061,6 +1155,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "example.net", + "www.example.org" + ], "related.ip": [ "10.209.182.237" ], @@ -1118,6 +1217,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "api.example.org", + "mail.example.net" + ], "related.ip": [ "10.63.194.87" ], @@ -1174,6 +1278,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "www5.example.org", + "www.example.org" + ], "related.ip": [ "10.62.191.18" ], @@ -1228,6 +1337,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "example.org", + "example.net" + ], "related.ip": [ "10.238.164.29" ], @@ -1282,6 +1396,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.155.230.17" ], 
@@ -1337,6 +1456,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/officiad/itam.html?madmi=tur#roi", + "mail.example.net", + "example.net" + ], "related.ip": [ "10.102.229.102" ], @@ -1394,6 +1518,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "www5.example.org", + "mail.example.org" + ], "related.ip": [ "10.194.14.7" ], @@ -1450,6 +1579,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "example.com", + "api.example.net" + ], "related.ip": [ "10.99.0.226" ], @@ -1504,6 +1638,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.107.174.213" ], @@ -1559,6 +1698,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "www.example.org", + "mail.example.org" + ], "related.ip": [ "10.84.25.23" ], @@ -1615,6 +1759,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.193.143.108" ], @@ -1670,6 +1819,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/mexe/its.htm?ice=oles#edic", + "example.org", + "example.com" + ], "related.ip": [ "10.190.51.22" ], 
@@ -1727,6 +1881,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "www5.example.com", + "www.example.com" + ], "related.ip": [ "10.194.90.130" ], @@ -1779,6 +1938,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "internal.example.com", + "www.example.org" + ], "related.ip": [ "10.10.213.83" ], @@ -1834,6 +1998,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "mail.example.net", + "api.example.org" + ], "related.ip": [ "10.52.125.9" ], @@ -1890,6 +2059,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.19.17.202" ], @@ -1945,6 +2119,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "api.example.com", + "mail.example.org" + ], "related.ip": [ "10.195.64.5" ], @@ -2002,6 +2181,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "mail.example.com", + "internal.example.com" + ], "related.ip": [ "10.209.77.194" ], @@ -2058,6 +2242,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "mail.example.org", + "example.net" + ], "related.ip": [ "10.168.6.90" ], 
@@ -2112,6 +2301,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "api.example.org", + "mail.example.com" + ], "related.ip": [ "10.89.137.238" ], @@ -2166,6 +2360,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "www5.example.net", + "example.org" + ], "related.ip": [ "10.246.61.213" ], @@ -2221,6 +2420,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "www5.example.net", + "www.example.org" + ], "related.ip": [ "10.117.44.138" ], @@ -2277,6 +2481,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "www.example.net", + "example.net" + ], "related.ip": [ "10.69.30.196" ], @@ -2329,6 +2538,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "example.org", + "api.example.com" + ], "related.ip": [ "10.135.91.88" ], @@ -2384,6 +2598,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "api.example.org", + "example.net" + ], "related.ip": [ "10.81.45.174" ], @@ -2440,6 +2659,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "www.example.org" + ], "related.ip": [ "10.87.179.233" ], 
@@ -2494,6 +2717,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "example.com", + "api.example.net" + ], "related.ip": [ "10.198.57.130" ], @@ -2548,6 +2776,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "www.example.org", + "www.example.net" + ], "related.ip": [ "10.218.0.197" ], @@ -2603,6 +2836,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "example.com", + "mail.example.com" + ], "related.ip": [ "10.123.199.198" ], @@ -2660,6 +2898,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "example.org", + "internal.example.net" + ], "related.ip": [ "10.29.119.245" ], @@ -2717,6 +2960,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "www.example.org", + "mail.example.net" + ], "related.ip": [ "10.130.175.17" ], @@ -2773,6 +3021,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "internal.example.org", + "mail.example.net" + ], "related.ip": [ "10.166.90.130" ], @@ -2828,6 +3081,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "internal.example.org", + "api.example.org" + ], "related.ip": [ "10.248.111.207" ], 
@@ -2884,6 +3142,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "api.example.net", + "internal.example.net" + ], "related.ip": [ "10.185.37.32" ], @@ -2938,6 +3201,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.5.194.202" ], @@ -2993,6 +3261,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "www.example.org", + "www5.example.com" + ], "related.ip": [ "10.183.34.1" ], @@ -3049,6 +3322,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.101.163.40" ], @@ -3104,6 +3382,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "internal.example.com", + "www5.example.com" + ], "related.ip": [ "10.216.188.152" ], @@ -3160,6 +3443,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "mail.example.net", + "www5.example.org" + ], "related.ip": [ "10.94.140.77" ], @@ -3212,6 +3500,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "mail.example.org", + "www.example.com" + ], "related.ip": [ "10.223.205.204" ], 
@@ -3267,6 +3560,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "example.com", + "mail.example.org" + ], "related.ip": [ "10.85.137.156" ], @@ -3324,6 +3622,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "www5.example.net", + "mail.example.com" + ], "related.ip": [ "10.12.54.142" ], @@ -3380,6 +3683,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/labori/porai.gif?utali=sed#xeac", + "internal.example.org", + "example.net" + ], "related.ip": [ "10.158.6.52" ], @@ -3435,6 +3743,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "example.com", + "www5.example.org" + ], "related.ip": [ "10.195.160.182" ], @@ -3491,6 +3804,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "example.net", + "mail.example.com" + ], "related.ip": [ "10.20.68.117" ], @@ -3546,6 +3864,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "www5.example.org", + "www5.example.com" + ], "related.ip": [ "10.94.136.235" ], @@ -3603,6 +3926,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "example.com", + "www.example.net" + ], "related.ip": [ "10.152.11.26" ], 
@@ -3656,6 +3984,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "www5.example.com" + ], "related.ip": [ "10.82.118.95" ], @@ -3712,6 +4044,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "www5.example.net", + "www.example.net" + ], "related.ip": [ "10.187.152.213" ], @@ -3767,6 +4104,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "internal.example.net", + "www.example.net" + ], "related.ip": [ "10.98.71.45" ], @@ -3823,6 +4165,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "www5.example.org", + "www5.example.net" + ], "related.ip": [ "10.86.123.33" ], @@ -3877,6 +4224,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "api.example.net", + "www5.example.net" + ], "related.ip": [ "10.6.112.183" ], @@ -3932,6 +4284,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "www5.example.org", + "example.net" + ], "related.ip": [ "10.227.156.143" ], @@ -3985,6 +4342,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "example.net", + "example.org" + ], "related.ip": [ "10.124.129.248" ], 
@@ -4042,6 +4404,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "www5.example.net", + "www5.example.org" + ], "related.ip": [ "10.173.125.112" ], @@ -4098,6 +4465,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "api.example.net", + "www.example.org" + ], "related.ip": [ "10.37.156.140" ], @@ -4150,6 +4522,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "www5.example.org", + "example.com" + ], "related.ip": [ "10.121.225.135" ], @@ -4204,6 +4581,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "mail.example.net", + "www.example.org" + ], "related.ip": [ "10.123.68.56" ], @@ -4259,6 +4641,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "mail.example.net", + "api.example.net" + ], "related.ip": [ "10.63.56.164" ], @@ -4316,6 +4703,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "example.com", + "example.net" + ], "related.ip": [ "10.62.10.137" ], @@ -4373,6 +4765,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "api.example.net", + "example.org" + ], "related.ip": [ "10.89.154.115" ], 
@@ -4429,6 +4826,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "api.example.org", + "www5.example.com" + ], "related.ip": [ "10.122.252.130" ], @@ -4483,6 +4885,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "www.example.net", + "api.example.com" + ], "related.ip": [ "10.195.152.53" ], @@ -4534,6 +4941,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "mail.example.com" + ], "related.ip": [ "10.9.255.204" ], @@ -4591,6 +5002,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "internal.example.net", + "www.example.org" + ], "related.ip": [ "10.214.235.133" ], @@ -4648,6 +5064,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "api.example.org", + "api.example.com" + ], "related.ip": [ "10.5.134.204" ], @@ -4704,6 +5125,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.144.111.42" ], @@ -4758,6 +5184,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "www.example.com", + "example.net" + ], "related.ip": [ "10.122.0.80" ], 
@@ -4813,6 +5244,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "www.example.net", + "mail.example.com" + ], "related.ip": [ "10.165.33.19" ], @@ -4870,6 +5306,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "internal.example.org", + "mail.example.org" + ], "related.ip": [ "10.87.92.17" ], @@ -4926,6 +5367,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "internal.example.org", + "example.com" + ], "related.ip": [ "10.51.52.203" ], @@ -4981,6 +5427,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "internal.example.net" + ], "related.ip": [ "10.0.211.86" ], @@ -5037,6 +5487,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "example.net", + "mail.example.net" + ], "related.ip": [ "10.106.34.244" ], @@ -5091,6 +5546,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "example.net", + "www.example.org" + ], "related.ip": [ "10.191.210.188" ], @@ -5145,6 +5605,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "www.example.org", + "www.example.com" + ], "related.ip": [ "10.2.38.49" ], 
@@ -5196,6 +5661,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.66.92.90" ], @@ -5253,6 +5723,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.97.108.108" ], @@ -5310,6 +5785,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.147.147.248" ], @@ -5367,6 +5847,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.152.190.61" ], @@ -5424,6 +5909,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.129.232.105" ], @@ -5480,6 +5970,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "api.example.net", + "internal.example.org" + ], "related.ip": [ "10.12.173.112" ], diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml index 05e5f5c886e..f2963a231f1 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/input.yml +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml 
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml
index aae73dd9ded..f60a8a2e9de 100644
--- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.fqdn}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != ''
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
index ea74e1c3b31..b7bd436496b 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json
@@ -22,9 +22,12 @@
 "observer.product": "Internet",
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
+ "related.hosts": [
+ "rci737.www5.example"
+ ],
 "related.ip": [
- "10.206.191.17",
- "10.176.10.114"
+ "10.176.10.114",
+ "10.206.191.17"
 ],
 "related.user": [
 "sumdo"
@@ -93,9 +96,12 @@
 "observer.product": "Internet",
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
+ "related.hosts": [
+ "eosquir5191.www.example"
+ ],
 "related.ip": [
- "10.173.22.152",
- "10.26.46.95"
+ "10.26.46.95",
+ "10.173.22.152"
 ],
 "related.user": [
 "eataevi"
@@ -166,6 +172,9 @@
 "observer.product": "Internet",
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
+ "related.hosts": [
+ "orsitame3262.domain"
+ ],
 "related.ip": [
 "10.254.146.57",
 "10.204.86.149"
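Review bot: The second append in the zscaler pipeline hunk copies `host.name` into `related.hosts` without establishing where that field comes from; if `host.name` is set by the agent's own host metadata rather than parsed from the Zscaler event, every document would pivot to the collector host instead of the observed one. The fixture values such as `rci737.www5.example` suggest the pipeline derives it from the log, but that is not visible in this hunk and the enclosing `processors:` list starts outside it, so confirm the source before relying on it. Separately, the regenerated zscaler fixture in this commit swaps the element order of `related.ip` and `rsa.misc.action` in many events (`"10.206.191.17", "10.176.10.114"` becomes `"10.176.10.114", "10.206.191.17"`) while nothing in this hunk touches those fields, which hints at order-unstable array assembly and an expected file that will churn on the next regeneration if the comparison is order-sensitive.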
@@ -239,6 +248,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tempor4496.www.localdomain" + ], "related.ip": [ "10.252.125.53", "10.103.246.190" @@ -312,9 +324,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ore2933.www.test" + ], "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" @@ -328,8 +343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "Blocked", - "reetdolo" + "reetdolo", + "Blocked" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -385,9 +400,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ollit4105.mail.localdomain" + ], "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" @@ -458,9 +476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cup1793.local" + ], "related.ip": [ - "10.123.104.59", - "10.243.224.205" + "10.243.224.205", + "10.123.104.59" ], "related.user": [ "xercitat" @@ -531,9 +552,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icab4668.local" + ], "related.ip": [ - "10.119.185.63", - "10.74.17.5" + "10.74.17.5", + "10.119.185.63" ], "related.user": [ "erc" @@ -547,8 +571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "Blocked", - "nsec" + "nsec", + "Blocked" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", 
@@ -604,9 +628,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aperia4409.www5.invalid" + ], "related.ip": [ - "10.25.192.202", - "10.78.151.178" + "10.78.151.178", + "10.25.192.202" ], "related.user": [ "quip" @@ -620,8 +647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "Allowed", - "amvolup" + "amvolup", + "Allowed" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -677,6 +704,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitvolup368.internal.host" + ], "related.ip": [ "10.135.225.244", "10.71.170.37" @@ -750,6 +780,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ite2026.www.invalid" + ], "related.ip": [ "10.19.145.131", "10.223.247.86" @@ -766,8 +799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "emseq", - "Allowed" + "Allowed", + "emseq" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -823,6 +856,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "radipisc7020.home" + ], "related.ip": [ "10.2.53.125", "10.181.80.139" @@ -896,9 +932,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2493.www.test" + ], "related.ip": [ - "10.167.98.76", - "10.31.240.6" + "10.31.240.6", + "10.167.98.76" ], "related.user": [ "ratvolu" @@ -969,9 +1008,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ - "10.0.55.9", - "10.135.160.125" + "10.135.160.125", + "10.0.55.9" ], "related.user": [ "volupta" 
@@ -985,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1042,6 +1084,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "spi3544.www.host" + ], "related.ip": [ "10.63.250.128", "10.111.187.12" @@ -1058,8 +1103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "Allowed", - "ntoccae" + "ntoccae", + "Allowed" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1115,9 +1160,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tlab5981.www.host" + ], "related.ip": [ - "10.252.124.150", - "10.5.126.127" + "10.5.126.127", + "10.252.124.150" ], "related.user": [ "inibusB" @@ -1188,6 +1236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "upida508.example" + ], "related.ip": [ "10.201.171.120", "10.91.126.231" @@ -1204,8 +1255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "umdo", "rsa.misc.action": [ - "Blocked", - "orumSe" + "orumSe", + "Blocked" ], "rsa.misc.category": "tanimid", "rsa.misc.filter": "itam", @@ -1261,6 +1312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oditem5255.api.localdomain" + ], "related.ip": [ "10.107.251.87", "10.135.82.97" @@ -1277,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "Allowed", - "itecto" + "itecto", + "Allowed" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", 
@@ -1334,6 +1388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ "10.215.205.216", "10.31.198.58" @@ -1407,6 +1464,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eacommod1930.internal.lan" + ], "related.ip": [ "10.229.83.165", "10.29.155.171" @@ -1423,8 +1483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "Allowed", - "llitanim" + "llitanim", + "Allowed" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1480,6 +1540,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tem6984.www5.domain" + ], "related.ip": [ "10.161.148.64", "10.129.192.145" @@ -1553,6 +1616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapariat7287.internal.host" + ], "related.ip": [ "10.203.65.161", "10.7.200.140" @@ -1569,8 +1635,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "nte", - "Allowed" + "Allowed", + "nte" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1626,9 +1692,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "licabo1493.api.corp" + ], "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" ], "related.user": [ "olori" @@ -1699,6 +1768,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "stenatu4844.www.invalid" + ], "related.ip": [ "10.39.31.115", "10.24.111.229" 
@@ -1772,6 +1844,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitam5077.internal.host" + ], "related.ip": [ "10.32.39.220", "10.179.210.218" @@ -1845,9 +1920,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dquia107.www.test" + ], "related.ip": [ - "10.88.172.34", - "10.128.173.19" + "10.128.173.19", + "10.88.172.34" ], "related.user": [ "agnaaliq" @@ -1861,8 +1939,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "Blocked", - "dtempo" + "dtempo", + "Blocked" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -1918,9 +1996,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lloin4019.www.localhost" + ], "related.ip": [ - "10.238.224.49", - "10.130.241.232" + "10.130.241.232", + "10.238.224.49" ], "related.user": [ "onse" @@ -1934,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "Allowed", - "mod" + "mod", + "Allowed" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -1991,9 +2072,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamet6317.www.host" + ], "related.ip": [ - "10.115.53.31", - "10.2.67.127" + "10.2.67.127", + "10.115.53.31" ], "related.user": [ "Cic" @@ -2007,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "Allowed", - "tatem" + "tatem", + "Allowed" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", 
@@ -2064,9 +2148,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "saquaea6344.www.invalid" + ], "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2137,9 +2224,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "utaliqu4248.www.localhost" + ], "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" @@ -2210,6 +2300,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdolore473.internal.test" + ], "related.ip": [ "10.242.182.193", "10.87.100.240" @@ -2283,9 +2376,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ - "10.229.242.223", - "10.80.57.247" + "10.80.57.247", + "10.229.242.223" ], "related.user": [ "itasp" @@ -2356,6 +2452,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapar1599.www.lan" + ], "related.ip": [ "10.193.66.155", "10.106.77.138" @@ -2372,8 +2471,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2429,6 +2528,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquioff3853.www.localdomain" + ], "related.ip": [ "10.54.159.1", "10.236.230.136" 
@@ -2445,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2502,6 +2604,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ura675.mail.localdomain" + ], "related.ip": [ "10.131.246.134", "10.49.242.174" @@ -2518,8 +2623,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "Allowed", - "utemvel" + "utemvel", + "Allowed" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2575,6 +2680,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iamea478.www5.host" + ], "related.ip": [ "10.142.120.198", "10.166.10.42" @@ -2648,9 +2756,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eaque6543.api.domain" + ], "related.ip": [ - "10.138.188.201", - "10.128.184.241" + "10.128.184.241", + "10.138.188.201" ], "related.user": [ "etur" @@ -2721,6 +2832,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eufug1756.mail.corp" + ], "related.ip": [ "10.53.101.131", "10.213.57.165" @@ -2737,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "litanim", - "Allowed" + "Allowed", + "litanim" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2794,9 +2908,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orp5697.www.invalid" + ], "related.ip": [ - "10.55.81.14", - "10.243.6.41" + "10.243.6.41", + "10.55.81.14" ], "related.user": [ "eiusmo" 
@@ -2867,6 +2984,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pariatur7238.www5.invalid" + ], "related.ip": [ "10.202.224.79", "10.33.144.10" @@ -2883,8 +3003,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "quu", - "Blocked" + "Blocked", + "quu" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -2940,6 +3060,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fficia2304.www5.home" + ], "related.ip": [ "10.20.124.138", "10.158.18.51" @@ -2956,8 +3079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "Allowed", - "quid" + "quid", + "Allowed" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3013,6 +3136,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mquisnos7453.home" + ], "related.ip": [ "10.134.128.27", "10.118.177.136" @@ -3086,9 +3212,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquio748.www.localhost" + ], "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" ], "related.user": [ "reet" @@ -3102,8 +3231,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3159,9 +3288,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remagnam796.mail.corp" + ], "related.ip": [ - "10.143.0.78", - "10.137.164.122" + "10.137.164.122", + "10.143.0.78" ], "related.user": [ "orissus" 
@@ -3175,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3232,9 +3364,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "etdolore4227.internal.corp" + ], "related.ip": [ - "10.156.177.53", - "10.30.87.51" + "10.30.87.51", + "10.156.177.53" ], "related.user": [ "psaquaea" @@ -3248,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "Blocked", - "ptatev" + "ptatev", + "Blocked" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3305,9 +3440,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rors1935.api.domain" + ], "related.ip": [ - "10.111.249.184", - "10.83.138.34" + "10.83.138.34", + "10.111.249.184" ], "related.user": [ "dentsunt" @@ -3378,9 +3516,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "idexeac1655.internal.test" + ], "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" @@ -3394,8 +3535,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3451,9 +3592,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "laboree3880.api.invalid" + ], "related.ip": [ - "10.166.195.20", - "10.255.40.12" + "10.255.40.12", + "10.166.195.20" ], "related.user": [ "lamcolab" 
@@ -3522,6 +3666,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tecto708.www5.example" + ], "related.ip": [ "10.22.122.43", "10.100.143.226" @@ -3595,6 +3742,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ine3181.www.invalid" + ], "related.ip": [ "10.119.53.68", "10.121.9.5" @@ -3611,8 +3761,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "Blocked", - "tinvolup" + "tinvolup", + "Blocked" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3668,9 +3818,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tsunt3403.www5.test" + ], "related.ip": [ - "10.237.0.173", - "10.31.153.177" + "10.31.153.177", + "10.237.0.173" ], "related.user": [ "sci" @@ -3684,8 +3837,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "Blocked", - "dolor" + "dolor", + "Blocked" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3739,9 +3892,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pitl6126.www.localdomain" + ], "related.ip": [ - "10.243.182.229", - "10.229.102.140" + "10.229.102.140", + "10.243.182.229" ], "related.user": [ "duntut" @@ -3755,8 +3911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "Allowed", - "etquasia" + "etquasia", + "Allowed" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3808,6 +3964,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remaper3297.internal.test" + ], "related.ip": [ "10.120.138.109", "10.39.46.155" 
@@ -3824,8 +3983,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "Blocked", - "exer" + "exer", + "Blocked" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -3881,6 +4040,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamr1693.api.home" + ], "related.ip": [ "10.53.191.49", "10.133.102.57" @@ -3954,6 +4116,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cia5990.api.localdomain" + ], "related.ip": [ "10.89.41.97", "10.91.2.225" @@ -4027,6 +4192,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "riatu2467.lan" + ], "related.ip": [ "10.221.20.165", "10.7.18.226" @@ -4100,9 +4268,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pici1525.www5.corp" + ], "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4173,9 +4344,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dolo6418.internal.host" + ], "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4189,8 +4363,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4244,9 +4418,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "imveni193.www5.host" + ], "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" ], "related.user": [ "oremeu" 
@@ -4260,8 +4437,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "urau", - "Allowed" + "Allowed", + "urau" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4317,9 +4494,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" @@ -4333,8 +4513,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "Allowed", - "upidatat" + "upidatat", + "Allowed" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4390,6 +4570,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remips1499.www.local" + ], "related.ip": [ "10.252.164.230", "10.60.52.219" @@ -4406,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "Blocked", - "fdeFin" + "fdeFin", + "Blocked" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4459,9 +4642,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdoloree96.domain" + ], "related.ip": [ - "10.122.102.156", - "10.187.16.73" + "10.187.16.73", + "10.122.102.156" ], "related.user": [ "emoen" @@ -4532,6 +4718,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iatnulap7662.internal.local" + ], "related.ip": [ "10.120.215.174", "10.248.108.55" @@ -4548,8 +4737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "Allowed", - "uatDu" + "uatDu", + "Allowed" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", 
@@ -4603,9 +4792,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sBonoru1929.example" + ], "related.ip": [ - "10.15.254.181", - "10.51.161.245" + "10.51.161.245", + "10.15.254.181" ], "related.user": [ "abo" @@ -4619,8 +4811,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "uteiru", - "Allowed" + "Allowed", + "uteiru" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4676,9 +4868,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onorumet4871.lan" + ], "related.ip": [ - "10.129.66.196", - "10.7.152.238" + "10.7.152.238", + "10.129.66.196" ], "related.user": [ "equamn" @@ -4749,9 +4944,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onproi4354.www5.invalid" + ], "related.ip": [ - "10.29.162.157", - "10.185.107.27" + "10.185.107.27", + "10.29.162.157" ], "related.user": [ "evelite" @@ -4822,9 +5020,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "beataevi7552.api.test" + ], "related.ip": [ - "10.138.0.214", - "10.215.63.248" + "10.215.63.248", + "10.138.0.214" ], "related.user": [ "eavolupt" @@ -4838,8 +5039,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4895,9 +5096,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rvelill1981.www.invalid" + ], "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" 
@@ -4911,8 +5115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4968,6 +5172,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "quia7214.example" + ], "related.ip": [ "10.91.20.27", "10.193.152.42" @@ -5041,6 +5248,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aturExc7343.invalid" + ], "related.ip": [ "10.146.69.38", "10.55.192.102" @@ -5114,9 +5324,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "olo7317.www5.localhost" + ], "related.ip": [ - "10.124.177.226", - "10.249.1.143" + "10.249.1.143", + "10.124.177.226" ], "related.user": [ "isciveli" @@ -5130,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "Allowed", - "onevo" + "onevo", + "Allowed" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5187,9 +5400,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uiin1342.mail.invalid" + ], "related.ip": [ - "10.167.176.220", - "10.146.228.249" + "10.146.228.249", + "10.167.176.220" ], "related.user": [ "estla" @@ -5260,9 +5476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ - "10.200.74.101", - "10.203.47.23" + "10.203.47.23", + "10.200.74.101" ], "related.user": [ "litesse" 
@@ -5333,6 +5552,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ites5711.internal.host" + ], "related.ip": [ "10.162.78.48", "10.24.23.209" @@ -5406,6 +5628,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oluptat2848.api.home" + ], "related.ip": [ "10.211.66.68", "10.55.151.53" @@ -5479,9 +5704,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ngelitse7535.internal.lan" + ], "related.ip": [ - "10.209.203.156", - "10.110.16.169" + "10.110.16.169", + "10.209.203.156" ], "related.user": [ "mes" @@ -5495,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5552,9 +5780,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tiumtot3611.internal.localdomain" + ], "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" ], "related.user": [ "sequatDu" @@ -5568,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5625,9 +5856,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "gnaa4656.api.example" + ], "related.ip": [ - "10.26.222.144", - "10.124.119.48" + "10.124.119.48", + "10.26.222.144" ], "related.user": [ "nre" 
@@ -5698,6 +5932,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "psaqu6066.www5.localhost" + ], "related.ip": [ "10.164.190.2", "10.223.11.164" @@ -5714,8 +5951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "antium", - "Allowed" + "Allowed", + "antium" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5771,9 +6008,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iavol5202.api.example" + ], "related.ip": [ - "10.14.37.8", - "10.121.181.243" + "10.121.181.243", + "10.14.37.8" ], "related.user": [ "umwr" @@ -5844,9 +6084,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uame1361.api.local" + ], "related.ip": [ - "10.10.93.133", - "10.90.20.202" + "10.90.20.202", + "10.10.93.133" ], "related.user": [ "evita" @@ -5917,6 +6160,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rsitame4049.internal.corp" + ], "related.ip": [ "10.77.102.206", "10.34.98.144" @@ -5933,8 +6179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "ulapa", - "Allowed" + "Allowed", + "ulapa" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -5990,6 +6236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "elit912.www5.test" + ], "related.ip": [ "10.176.233.249", "10.75.144.118" @@ -6006,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "odic", - "Blocked" + "Blocked", + "odic" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", 
@@ -6063,6 +6312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tat6671.www.local" + ], "related.ip": [ "10.149.6.107", "10.236.55.236" @@ -6079,8 +6331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "mvele", - "Allowed" + "Allowed", + "mvele" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6136,6 +6388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uis5050.www.local" + ], "related.ip": [ "10.97.202.149", "10.13.125.101" @@ -6209,9 +6464,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ficiad1312.api.host" + ], "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" ], "related.user": [ "umdolo" @@ -6225,8 +6483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "mini", - "Blocked" + "Blocked", + "mini" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6282,9 +6540,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "itaspe921.mail.invalid" + ], "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "related.user": [ "mnisiuta" @@ -6355,6 +6616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "archite4407.mail.invalid" + ], "related.ip": [ "10.247.255.107", "10.234.34.40" @@ -6371,8 +6635,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "Blocked", - "nofdeF" + "nofdeF", + "Blocked" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", 
@@ -6428,6 +6692,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aria1424.mail.home" + ], "related.ip": [ "10.250.102.42", "10.124.81.20" @@ -6501,6 +6768,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "Bonoru7444.www5.example" + ], "related.ip": [ "10.166.205.159", "10.154.188.132" @@ -6570,9 +6840,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icero1297.internal.domain" + ], "related.ip": [ - "10.138.193.38", - "10.46.71.46" + "10.46.71.46", + "10.138.193.38" ], "related.user": [ "sintocca" @@ -6639,9 +6912,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oloremeu5047.www5.invalid" + ], "related.ip": [ - "10.254.119.31", - "10.172.159.251" + "10.172.159.251", + "10.254.119.31" ], "related.user": [ "usm" @@ -6655,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6712,6 +6988,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "edutpe1255.internal.lan" + ], "related.ip": [ "10.195.62.230", "10.98.126.206" @@ -6728,8 +7007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "oriosa", - "Allowed" + "Allowed", + "oriosa" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", 
@@ -6785,9 +7064,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nderit1171.www5.domain" + ], "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -6858,6 +7140,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nos4114.api.lan" + ], "related.ip": [ "10.31.58.6", "10.198.84.190" @@ -6931,6 +7216,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremeum4231.internal.host" + ], "related.ip": [ "10.139.90.218", "10.131.81.172" @@ -6947,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "exe", - "Allowed" + "Allowed", + "exe" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7004,9 +7292,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ueip6097.api.host" + ], "related.ip": [ - "10.128.43.71", - "10.152.217.174" + "10.152.217.174", + "10.128.43.71" ], "related.user": [ "mquiado" @@ -7020,8 +7311,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "temvele", - "Blocked" + "Blocked", + "temvele" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7077,6 +7368,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fugiatqu7793.www.localdomain" + ], "related.ip": [ "10.26.149.221", "10.217.193.148" @@ -7150,6 +7444,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onsequ3168.www.corp" + ], "related.ip": [ "10.172.17.6", "10.109.192.53" 
@@ -7166,8 +7463,8 @@
 "rsa.investigations.ec_theme": "Communication",
 "rsa.investigations.event_vcat": "temUte",
 "rsa.misc.action": [
- "tassit",
- "Blocked"
+ "Blocked",
+ "tassit"
 ],
 "rsa.misc.category": "ita",
 "rsa.misc.filter": "scive",
@@ -7223,6 +7520,9 @@
 "observer.product": "Internet",
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
+ "related.hosts": [
+ "oremquel3120.internal.localhost"
+ ],
 "related.ip": [
 "10.135.38.213",
 "10.119.106.108"
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
index 66ca65108fd..bdf9957b55d 100644
--- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
+++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json
@@ -17,6 +17,9 @@
 "observer.product": "Internet",
 "observer.type": "Configuration",
 "observer.vendor": "Zscaler",
+ "related.hosts": [
+ ""
+ ],
 "related.user": [
 ""
 ],
diff --git a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc
index 3078bf3477b..4666100a39e 100644
--- a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc
+++ b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc
@@ -28,7 +28,7 @@ The `decode_cef` processor has the following configuration settings.
 .Decode CEF options
 [options="header"]
 |======
-| Name | Required | Default | Description
+| Name | Required | Default | Description |
 | `field` | no | message | Source field containing the CEF message to be parsed. |
 | `target_field` | no | cef | Target field where the parsed CEF object will be written. |
 | `ecs` | no | true | Generate Elastic Common Schema (ECS) fields from the CEF data.
diff --git a/x-pack/functionbeat/Jenkinsfile.yml b/x-pack/functionbeat/Jenkinsfile.yml
new file mode 100644
index 00000000000..f3428ae7cc8
--- /dev/null
+++ b/x-pack/functionbeat/Jenkinsfile.yml
@@ -0,0 +1,32 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^x-pack/functionbeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@xpack" ## special token regarding the changeset for the xpack
+ comments: ## when PR comment contains any of those entries
+ - "/test x-pack/functionbeat"
+ labels: ## when PR labels matches any of those entries
+ - "x-pack-functionbeat"
+ parameters: ## when parameter was selected in the UI.
+ - "x-pack-functionbeat"
+ tags: true ## for all the tags
+platform: "linux && ubuntu-18" ## default label for all the stages
+stages:
+ build:
+ mage: "mage build test && GO_VERSION=1.13.1 mage testGCPFunctions"
+ macos:
+ mage: "mage build unitTest"
+ platforms: ## override default label in this specific stage.
+ - "macosx"
+ when: ## Aggregate when with the top-level one.
+ comments:
+ - "/test x-pack/functionbeat for macos"
+ labels:
+ - "macOS"
+ parameters:
+ - "macosTest"
+ windows:
+ mage: "mage build unitTest"
+ platforms: ## override default labels in this specific stage.
+ - "windows-2019"
diff --git a/x-pack/libbeat/Jenkinsfile.yml b/x-pack/libbeat/Jenkinsfile.yml
new file mode 100644
index 00000000000..87019f071a0
--- /dev/null
+++ b/x-pack/libbeat/Jenkinsfile.yml
@@ -0,0 +1,17 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^x-pack/libbeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@xpack" ## special token regarding the changeset for the xpack
+ comments: ## when PR comment contains any of those entries
+ - "/test x-pack/libbeat"
+ labels: ## when PR labels matches any of those entries
+ - "x-pack-libbeat"
+ parameters: ## when parameter was selected in the UI.
+ - "x-pack-libbeat"
+ tags: true ## for all the tags
+platform: "linux && ubuntu-18" ## default label for all the stages
+stages:
+ build:
+ mage: "mage build test"
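Review bot: The functionbeat `build` stage pins `GO_VERSION=1.13.1` inline for `mage testGCPFunctions`, so that half of the stage will keep building and testing the deployable functions with a fixed toolchain while the repository's Go version moves on, and nothing on the line says why. If the pin is deliberate — presumably tied to what the GCP Functions target accepts, which I cannot confirm from here — record it so the next reader does not "fix" it, e.g. `mage: "mage build test && GO_VERSION=1.13.1 mage testGCPFunctions" ## GO_VERSION pinned to the release the GCP Functions runtime accepts; bump it together with the runtime, not with .go-version`. If it is not deliberate, drop the override so the function tests use the same toolchain as `mage build test` and pick up toolchain fixes automatically.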
diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml
new file mode 100644
index 00000000000..2448d43d85b
--- /dev/null
+++ b/x-pack/metricbeat/Jenkinsfile.yml
@@ -0,0 +1,35 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^x-pack/metricbeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@xpack" ## special token regarding the changeset for the xpack
+ comments: ## when PR comment contains any of those entries
+ - "/test x-pack/metricbeat"
+ labels: ## when PR labels matches any of those entries
+ - "x-pack-metricbeat"
+ parameters: ## when parameter was selected in the UI.
+ - "x-pack-metricbeat"
+ tags: true ## for all the tags
+platform: "linux && ubuntu-18" ## default label for all the stages
+stages:
+ build:
+ cloud: "mage build test"
+ withModule: true ## run the ITs only if the changeset affects a specific module.
+ dirs: ## run the cloud tests for the given modules.
+ - "x-pack/metricbeat/module/aws"
+ macos:
+ mage: "mage build unitTest"
+ platforms: ## override default label in this specific stage.
+ - "macosx"
+ when: ## Aggregate when with the top-level one.
+ comments:
+ - "/test x-pack/metricbeat for macos"
+ labels:
+ - "macOS"
+ parameters:
+ - "macosTest"
+ windows:
+ mage: "mage build unitTest"
+ platforms: ## override default labels in this specific stage.
+ - "windows-2019"
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml
index 2c38df1fffc..507d8492485
--- a/x-pack/metricbeat/metricbeat.reference.yml
+++ b/x-pack/metricbeat/metricbeat.reference.yml
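Review bot: The metricbeat `build` stage declares its command under `cloud:` while every other stage in this change, including the `macos` and `windows` stages directly below it, uses `mage:`; unless the pipeline runner treats `cloud` as a recognised stage key, this stage ends up with no command at all and the `withModule`/`dirs` settings under it do nothing, so the x-pack metricbeat build is silently skipped. I cannot see the runner from here, so if `cloud` is a distinct stage type that runs the AWS module tests with cloud credentials in the environment, it deserves its own stage next to a plain `mage` build rather than replacing it, plus a comment saying credentials are injected, because the top-level `when` lets PR comments and labels trigger it. Suggested layout:
```yaml
stages:
  build:
    mage: "mage build test"
  cloud:
    cloud: "mage build test" ## AWS module tests: needs cloud credentials in the build environment
    withModule: true ## run the ITs only if the changeset affects a specific module.
    dirs: ## run the cloud tests for the given modules.
      - "x-pack/metricbeat/module/aws"
  # … unchanged: macos and windows stages …
```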
@@ -1106,6 +1106,16 @@ metricbeat.modules: # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true +# Metrics sent by a Prometheus server using remote_write option +#- module: prometheus +# metricsets: ["remote_write"] +# host: "localhost" +# port: "9201" + + # Secure settings for the server using TLS/SSL: + #ssl.certificate: "/etc/pki/server/cert.pem" + #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) # This will change the default layout and put metric type in the field name #use_types: true @@ -1118,17 +1128,6 @@ metricbeat.modules: # counter_patterns: [] # histogram_patterns: [] - -# Metrics sent by a Prometheus server using remote_write option -#- module: prometheus -# metricsets: ["remote_write"] -# host: "localhost" -# port: "9201" - - # Secure settings for the server using TLS/SSL: - #ssl.certificate: "/etc/pki/server/cert.pem" - #ssl.key: "/etc/pki/server/cert.key" - # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/metricbeat/module/aws/fields.go b/x-pack/metricbeat/module/aws/fields.go index 12efc5c0cf9..31a766459c7 100644 --- a/x-pack/metricbeat/module/aws/fields.go +++ b/x-pack/metricbeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "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" + return "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" } diff --git a/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml b/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml index 91becec6fef..74db186c905 100644 --- a/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml 
@@ -2,7 +2,7 @@ type: group description: > `lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda. - release: beta + release: ga fields: - name: metrics type: group diff --git a/x-pack/metricbeat/module/prometheus/_meta/config.yml b/x-pack/metricbeat/module/prometheus/_meta/config.yml index cd54c01383a..789e7937252 100644 --- a/x-pack/metricbeat/module/prometheus/_meta/config.yml +++ b/x-pack/metricbeat/module/prometheus/_meta/config.yml @@ -20,6 +20,16 @@ # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true +# Metrics sent by a Prometheus server using remote_write option +#- module: prometheus +# metricsets: ["remote_write"] +# host: "localhost" +# port: "9201" + + # Secure settings for the server using TLS/SSL: + #ssl.certificate: "/etc/pki/server/cert.pem" + #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) # This will change the default layout and put metric type in the field name #use_types: true @@ -32,17 +42,6 @@ # counter_patterns: [] # histogram_patterns: [] - -# Metrics sent by a Prometheus server using remote_write option -#- module: prometheus -# metricsets: ["remote_write"] -# host: "localhost" -# port: "9201" - - # Secure settings for the server using TLS/SSL: - #ssl.certificate: "/etc/pki/server/cert.pem" - #ssl.key: "/etc/pki/server/cert.key" - # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/metricbeat/modules.d/prometheus.yml.disabled b/x-pack/metricbeat/modules.d/prometheus.yml.disabled index 5dbe163c62a..d6e00936b2a 100644 --- a/x-pack/metricbeat/modules.d/prometheus.yml.disabled +++ b/x-pack/metricbeat/modules.d/prometheus.yml.disabled 
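Review bot: After the move in x-pack/metricbeat/module/prometheus/_meta/config.yml, the remote_write example's `#ssl.certificate`/`#ssl.key` lines are now immediately followed by `#use_types` and the `counter_patterns`/`histogram_patterns` options, so a reader takes those as remote_write settings while `#rate_counters` just above stays with the preceding collector entry; if those options belong to remote_write, say so in their comment, and if they apply to both metricsets the collector example has just lost them. On the TLS lines themselves, the example configures only a server certificate and key, which encrypts the connection but still lets any client that can reach port 9201 push metrics into the index; a comment such as `# Secure settings for the server using TLS/SSL (server cert only; add client authentication to restrict who may push metrics):` would flag that, and if the listener supports the usual Beats server options (`ssl.certificate_authorities`, `ssl.client_authentication`) listing them commented out would make mutual TLS discoverable. The same block is mirrored in metricbeat.reference.yml and modules.d/prometheus.yml.disabled, which appear to be generated from this file.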
@@ -23,6 +23,16 @@ # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true +# Metrics sent by a Prometheus server using remote_write option +#- module: prometheus +# metricsets: ["remote_write"] +# host: "localhost" +# port: "9201" + + # Secure settings for the server using TLS/SSL: + #ssl.certificate: "/etc/pki/server/cert.pem" + #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) # This will change the default layout and put metric type in the field name #use_types: true @@ -35,17 +45,6 @@ # counter_patterns: [] # histogram_patterns: [] - -# Metrics sent by a Prometheus server using remote_write option -#- module: prometheus -# metricsets: ["remote_write"] -# host: "localhost" -# port: "9201" - - # Secure settings for the server using TLS/SSL: - #ssl.certificate: "/etc/pki/server/cert.pem" - #ssl.key: "/etc/pki/server/cert.key" - # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/packetbeat/Jenkinsfile.yml b/x-pack/packetbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..8496265e0ac --- /dev/null +++ b/x-pack/packetbeat/Jenkinsfile.yml 
@@ -0,0 +1,20 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^x-pack/winlogbeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@xpack" ## special token regarding the changeset for the xpack
+ comments: ## when PR comment contains any of those entries
+ - "/test x-pack/winlogbeat"
+ labels: ## when PR labels matches any of those entries
+ - "x-pack-winlogbeat"
+ parameters: ## when parameter was selected in the UI.
+ - "x-pack-winlogbeat"
+ tags: true ## for all the tags
+platform: "linux && ubuntu-18" ## default label for all the stages
+stages:
+ windows:
+ mage: "mage build unitTest"
+ withModule: true
+ platforms: ## override default labels in this specific stage.
+ - "windows-2019"
diff --git a/x-pack/winlogbeat/Jenkinsfile.yml b/x-pack/winlogbeat/Jenkinsfile.yml
new file mode 100644
index 00000000000..396d1f03a7c
--- /dev/null
+++ b/x-pack/winlogbeat/Jenkinsfile.yml
@@ -0,0 +1,20 @@
+when:
+ branches: true ## for all the branches
+ changeset: ## when PR contains any of those entries in the changeset
+ - "^x-pack/winlogbeat/.*"
+ - "@ci" ## special token regarding the changeset for the ci
+ - "@xpack" ## special token regarding the changeset for the xpack
+ comments: ## when PR comment contains any of those entries
+ - "/test x-pack/winlogbeat"
+ labels: ## when PR labels matches any of those entries
+ - "x-pack-winlogbeat"
+ parameters: ## when parameter was selected in the UI.
+ - "x-pack-winlogbeat"
+ tags: true ## for all the tags
+platform: "windows-2019" ## default label for all the stages
+stages:
+ build:
+ mage: "mage build unitTest"
+ withModule: true
+ platforms: ## override default labels in this specific stage.
+ - "windows-2019"
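Review bot: The `when` block of x-pack/packetbeat/Jenkinsfile.yml is a verbatim copy of the winlogbeat one: the changeset regex is `^x-pack/winlogbeat/.*`, the comment trigger is `/test x-pack/winlogbeat`, and both the label and the parameter are `x-pack-winlogbeat`, so a PR that touches x-pack/packetbeat never runs this stage on its own changes, while every winlogbeat trigger runs packetbeat's windows tests instead. All four entries should name packetbeat. The `withModule: true` under the `windows` stage has neither `dirs` nor a comment, unlike the metricbeat file; a one-line comment on what it gates here would help.
```yaml
when:
  # … unchanged: branches …
  changeset:
    - "^x-pack/packetbeat/.*"
    # … unchanged: "@ci", "@xpack" …
  comments:
    - "/test x-pack/packetbeat"
  labels:
    - "x-pack-packetbeat"
  parameters:
    - "x-pack-packetbeat"
  # … unchanged: tags, platform, stages …
```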
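Review bot: In x-pack/winlogbeat/Jenkinsfile.yml the default `platform` is already `"windows-2019"`, so the `platforms:` override on the `build` stage repeats it and its comment ("override default labels in this specific stage") is misleading; drop the two lines `platforms:` / `- "windows-2019"`, or if the override is kept as a template for future stages, change the comment to say that. As in the packetbeat file, `withModule: true` is set without `dirs` or an explanatory comment, so it is unclear what it restricts here; a short `##` note alongside it would save the next reader a trip to the runner.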