Bravura Monitor,"https://docs.elastic.co/integrations/hid_bravura_monitor
","{'@timestamp': '2021-01-16T00:35:25.258Z', 'agent': {'ephemeral_id': 'fa387b80-fca3-4488-ac1b-460792f3a8ea', 'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'hid_bravura_monitor.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'hid_bravura_monitor.log', 'ingested': '2022-11-22T08:13:24Z', 'original': '\x182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found', 'timezone': 'UTC'}, 'hid_bravura_monitor': {'environment': 'PRODUCTION', 'instancename': 'default', 'instancetype': 'Privilege-Identity-Password', 'node': 'docker-fleet-agent'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'ip': ['172.29.0.7'], 'mac': ['02:42:ac:1d:00:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)'}}, 'input': {'type': 'filestream'}, 'log': {'file': {'path': '/tmp/service_logs/hid_bravura_monitor.log'}, 'level': 'Error', 'logger': 'pamlws.exe', 'offset': 218}, 'message': 'LWS [HID-TEST] foundcomputer record not found', 'process': {'pid': 44408, 'thread': {'id': 52004}}, 'tags': ['preserve_original_event'], 'user': {'id': ''}}"
Bravura Monitor,"https://docs.elastic.co/integrations/hid_bravura_monitor
","{'@timestamp': '2021-01-16T00:35:25.258Z', 'agent': {'ephemeral_id': 'fa387b80-fca3-4488-ac1b-460792f3a8ea', 'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'hid_bravura_monitor.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'hid_bravura_monitor.log', 'ingested': '2022-11-22T08:13:24Z', 'original': '\x182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found', 'timezone': 'UTC'}, 'hid_bravura_monitor': {'environment': 'PRODUCTION', 'instancename': 'default', 'instancetype': 'Privilege-Identity-Password', 'node': 'docker-fleet-agent'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'ip': ['172.29.0.7'], 'mac': ['02:42:ac:1d:00:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)'}}, 'input': {'type': 'filestream'}, 'log': {'file': {'path': '/tmp/service_logs/hid_bravura_monitor.log'}, 'level': 'Error', 'logger': 'pamlws.exe', 'offset': 218}, 'message': 'LWS [HID-TEST] foundcomputer record not found', 'process': {'pid': 44408, 'thread': {'id': 52004}}, 'tags': ['preserve_original_event'], 'user': {'id': ''}}"
Bravura Monitor,"https://docs.elastic.co/integrations/hid_bravura_monitor
","{'@timestamp': '2021-01-16T00:35:25.258Z', 'agent': {'ephemeral_id': 'fa387b80-fca3-4488-ac1b-460792f3a8ea', 'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'hid_bravura_monitor.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'hid_bravura_monitor.log', 'ingested': '2022-11-22T08:13:24Z', 'original': '\x182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found', 'timezone': 'UTC'}, 'hid_bravura_monitor': {'environment': 'PRODUCTION', 'instancename': 'default', 'instancetype': 'Privilege-Identity-Password', 'node': 'docker-fleet-agent'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'ip': ['172.29.0.7'], 'mac': ['02:42:ac:1d:00:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)'}}, 'input': {'type': 'filestream'}, 'log': {'file': {'path': '/tmp/service_logs/hid_bravura_monitor.log'}, 'level': 'Error', 'logger': 'pamlws.exe', 'offset': 218}, 'message': 'LWS [HID-TEST] foundcomputer record not found', 'process': {'pid': 44408, 'thread': {'id': 52004}}, 'tags': ['preserve_original_event'], 'user': {'id': ''}}"
Bravura Monitor,"https://docs.elastic.co/integrations/hid_bravura_monitor
","{'@timestamp': '2021-01-16T00:35:25.258Z', 'agent': {'ephemeral_id': 'fa387b80-fca3-4488-ac1b-460792f3a8ea', 'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'hid_bravura_monitor.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '02ab444e-ca97-437b-85dc-d580f055047c', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'hid_bravura_monitor.log', 'ingested': '2022-11-22T08:13:24Z', 'original': '\x182021-01-16 00:35:25.258.7085 - [] pamlws.exe [44408,52004] Error: LWS [HID-TEST] foundcomputer record not found', 'timezone': 'UTC'}, 'hid_bravura_monitor': {'environment': 'PRODUCTION', 'instancename': 'default', 'instancetype': 'Privilege-Identity-Password', 'node': 'docker-fleet-agent'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'ip': ['172.29.0.7'], 'mac': ['02:42:ac:1d:00:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)'}}, 'input': {'type': 'filestream'}, 'log': {'file': {'path': '/tmp/service_logs/hid_bravura_monitor.log'}, 'level': 'Error', 'logger': 'pamlws.exe', 'offset': 218}, 'message': 'LWS [HID-TEST] foundcomputer record not found', 'process': {'pid': 44408, 'thread': {'id': 52004}}, 'tags': ['preserve_original_event'], 'user': {'id': ''}}"
Fortinet FortiGate Firewall Logs,"https://docs.elastic.co/integrations/fortinet_fortigate
","{'@timestamp': '2019-05-15T18:03:36.000Z', 'agent': {'ephemeral_id': '88645c33-21f7-47a1-a1e6-b4a53f32ec43', 'id': '94011a8e-8b26-4bce-a627-d54316798b52', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'data_stream': {'dataset': 'fortinet_fortigate.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'as': {'number': 35908}, 'geo': {'continent_name': 'Asia', 'country_iso_code': 'BT', 'country_name': 'Bhutan', 'location': {'lat': 27.5, 'lon': 90.5}}, 'ip': '67.43.156.14', 'port': 443}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '94011a8e-8b26-4bce-a627-d54316798b52', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'app-ctrl-all', 'agent_id_status': 'verified', 'category': ['network'], 'code': '1059028704', 'dataset': 'fortinet_fortigate.log', 'ingested': '2023-01-13T12:22:04Z', 'kind': 'event', 'original': '<190>date=2019-05-15 time=18:03:36 logid=""1059028704"" type=""utm"" subtype=""app-ctrl"" eventtype=""app-ctrl-all"" level=""information"" vd=""root"" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=67.43.156.14 srcport=50798 dstport=443 srcintf=""port10"" srcintfrole=""lan"" dstintf=""port9"" dstintfrole=""wan"" proto=6 service=""HTTPS"" direction=""outgoing"" policyid=1 sessionid=4414 applist=""block-social.media"" appcat=""Web.Client"" app=""HTTPS.BROWSER"" action=""pass"" hostname=""www.dailymotion.com"" incidentserialno=1962906680 url=""/"" msg=""Web.Client: HTTPS.BROWSER,"" apprisk=""medium"" scertcname=""*.dailymotion.com"" scertissuer=""DigiCert SHA2 High Assurance Server CA""', 'outcome': 'success', 'start': '2019-05-16T01:03:35.000Z', 'type': ['allowed']}, 'fortinet': {'firewall': {'action': 'pass', 'appid': '40568', 'apprisk': 'medium', 'dstintfrole': 'wan', 'incidentserialno': '1962906680', 'sessionid': '4414', 'srcintfrole': 'lan', 'subtype': 'app-ctrl', 'type': 'utm', 'vd': 'root'}}, 'input': {'type': 'tcp'}, 'log': {'level': 'information', 'source': {'address': '172.27.0.4:39666'}, 'syslog': {'facility': {'code': 23}, 'priority': 190, 'severity': {'code': 6}}}, 'message': 'Web.Client: HTTPS.BROWSER,', 'network': {'application': 'HTTPS.BROWSER', 'direction': 'outbound', 'iana_number': '6', 'protocol': 'https', 'transport': 'tcp'}, 'observer': {'egress': {'interface': {'name': 'port9'}}, 'ingress': {'interface': {'name': 'port10'}}, 'product': 'Fortigate', 'type': 'firewall', 'vendor': 'Fortinet'}, 'related': {'ip': ['10.1.100.22', '67.43.156.14']}, 'rule': {'category': 'Web-Client', 'id': '1', 'ruleset': 'block-social.media'}, 'source': {'ip': '10.1.100.22', 'port': 50798}, 'tags': ['preserve_original_event', 'fortinet-fortigate', 'fortinet-firewall', 'forwarded'], 'tls': {'server': {'issuer': 'DigiCert SHA2 High Assurance Server CA', 'x509': {'issuer': {'common_name': 'DigiCert SHA2 High Assurance Server CA'}, 'subject': {'common_name': '*.dailymotion.com'}}}}, 'url': {'domain': 'www.dailymotion.com', 'path': '/'}}"
PingOne,"https://docs.elastic.co/integrations/ping_one
","{'@timestamp': '2022-06-10T17:04:25.518Z', 'agent': {'ephemeral_id': '3ec0008f-3b03-448a-8617-f9798d15e68d', 'hostname': 'docker-fleet-agent', 'id': '8e2910ec-3bb9-439a-90a1-acedb9847388', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '7.17.0'}, 'client': {'user': {'id': '830109c7-f8aa-491e-b2f2-8f7532ae85e9', 'name': 'RichardPatchetWorker'}}, 'data_stream': {'dataset': 'ping_one.audit', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '8e2910ec-3bb9-439a-90a1-acedb9847388', 'snapshot': False, 'version': '7.17.0'}, 'event': {'action': 'group.created', 'agent_id_status': 'verified', 'category': ['iam', 'configuration'], 'created': '2022-10-03T07:21:04.317Z', 'dataset': 'ping_one.audit', 'id': '2076da4e-81ae-4cf4-803a-4ccc16419bc9', 'ingested': '2022-10-03T07:21:05Z', 'kind': 'event', 'original': '{""_links"":{""self"":{""href"":""https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities/2076da4e-81ae-4cf4-803a-4ccc16419bc9""}},""action"":{""description"":""Group Created"",""type"":""GROUP.CREATED""},""actors"":{""client"":{""environment"":{""id"":""bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa""},""href"":""https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9"",""id"":""830109c7-f8aa-491e-b2f2-8f7532ae85e9"",""name"":""RichardPatchetWorker"",""type"":""CLIENT""}},""correlationId"":""28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14"",""createdAt"":""2022-06-10T17:04:25.534Z"",""id"":""2076da4e-81ae-4cf4-803a-4ccc16419bc9"",""recordedAt"":""2022-06-10T17:04:25.518Z"",""resources"":[{""environment"":{""id"":""bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa""},""href"":""https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51"",""id"":""ac05e3ff-60e2-4e03-bbac-f9455e6a6d51"",""name"":""Managers"",""type"":""GROUP""}],""result"":{""description"":""Created Group Managers"",""status"":""SUCCESS""}}', 'outcome': 'success', 'type': ['creation', 'group']}, 'input': {'type': 'httpjson'}, 'ping_one': {'audit': {'action': {'description': 'Group Created', 'type': 'GROUP.CREATED'}, 'actors': {'client': {'environment': {'id': 'bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa'}, 'href': 'https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9', 'id': '830109c7-f8aa-491e-b2f2-8f7532ae85e9', 'name': 'RichardPatchetWorker', 'type': 'CLIENT'}}, 'correlation': {'id': '28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14'}, 'created_at': '2022-06-10T17:04:25.534Z', 'id': '2076da4e-81ae-4cf4-803a-4ccc16419bc9', 'recorded_at': '2022-06-10T17:04:25.518Z', 'resources': [{'environment': {'id': 'bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa'}, 'href': 'https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51', 'id': 'ac05e3ff-60e2-4e03-bbac-f9455e6a6d51', 'name': 'Managers', 'type': 'GROUP'}], 'result': {'description': 'Created Group Managers', 'status': 'SUCCESS'}}}, 'related': {'user': ['830109c7-f8aa-491e-b2f2-8f7532ae85e9', 'RichardPatchetWorker']}, 'tags': ['preserve_original_event', 'preserve_duplicate_custom_fields', 'forwarded', 'ping_one-audit'], 'url': {'domain': 'api.pingone.com', 'original': 'https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51', 'path': '/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51', 'scheme': 'https'}}"
Sysmon for Linux,"https://docs.elastic.co/integrations/sysmon_linux
","{'@timestamp': '2022-10-24T17:05:31.000Z', 'agent': {'ephemeral_id': '0ccb5087-29e5-4a64-a028-e51e06c2d944', 'id': 'af423af4-492e-4074-bae6-f31a40d3fd91', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.5.0'}, 'data_stream': {'dataset': 'sysmon_linux.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.5.0'}, 'elastic_agent': {'id': 'af423af4-492e-4074-bae6-f31a40d3fd91', 'snapshot': False, 'version': '8.5.0'}, 'event': {'action': 'log', 'agent_id_status': 'verified', 'dataset': 'sysmon_linux.log', 'ingested': '2022-12-08T10:33:50Z', 'kind': 'event', 'timezone': '+00:00'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'id': '66392b0697b84641af8006d87aeb89f1', 'ip': ['192.168.48.7'], 'mac': ['02-42-C0-A8-30-07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.5 LTS (Focal Fossa)'}}, 'input': {'type': 'filestream'}, 'log': {'file': {'path': '/tmp/service_logs/sysmon.log'}, 'offset': 0}, 'message': 'Sysmon v1.0.0 - Monitors system events', 'process': {'name': 'sysmon', 'pid': 3041}}"
Auditd Manager,"https://docs.elastic.co/integrations/auditd_manager
","{'@timestamp': '2022-05-12T13:10:13.230Z', 'agent': {'ephemeral_id': 'cfe4170e-f9b4-435f-b19c-a0e75b573b3a', 'id': '753ce520-4f32-45b1-9212-c4dcc9d575a1', 'name': 'custom-agent', 'type': 'auditbeat', 'version': '8.2.0'}, 'auditd': {'data': {'a0': 'a', 'a1': 'c00024e8c0', 'a2': '38', 'a3': '0', 'arch': 'x86_64', 'audit_pid': '22501', 'auid': 'unset', 'exit': '56', 'old': '0', 'op': 'set', 'result': 'success', 'ses': 'unset', 'socket': {'family': 'netlink', 'saddr': '100000000000000000000000'}, 'syscall': 'sendto', 'tty': '(none)'}, 'message_type': 'config_change', 'messages': ['type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1', 'type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=""auditbeat"" exe=""/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat"" key=(null)', 'type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000', 'type=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C'], 'result': 'success', 'summary': {'actor': {'primary': 'unset', 'secondary': 'root'}, 'how': '/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat', 'object': {'primary': 'set', 'type': 'audit-config'}}, 'user': {'filesystem': {'group': {'id': '0', 'name': 'root'}, 'id': '0', 'name': 'root'}, 'saved': {'group': {'id': '0', 'name': 'root'}, 'id': '0', 'name': 'root'}}}, 'data_stream': {'dataset': 'auditd_manager.auditd', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '753ce520-4f32-45b1-9212-c4dcc9d575a1', 'snapshot': False, 'version': '8.2.0'}, 'event': {'action': 'changed-audit-configuration', 'agent_id_status': 'verified', 'category': ['process', 'configuration', 'network'], 'dataset': 'auditd_manager.auditd', 'ingested': '2022-05-12T13:10:16Z', 'kind': 'event', 'module': 'auditd', 'original': 'type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=""auditbeat"" exe=""/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat"" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C', 'outcome': 'success', 'sequence': 94471, 'type': ['change', 'connection', 'info']}, 'host': {'name': 'custom-agent'}, 'network': {'direction': 'egress'}, 'process': {'executable': '/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat', 'name': 'auditbeat', 'parent': {'pid': 9509}, 'pid': 22501, 'title': '/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml'}, 'service': {'type': 'auditd'}, 'tags': ['preserve_original_event', 'auditd_manager-auditd'], 'user': {'group': {'id': '0', 'name': 'root'}, 'id': '0', 'name': 'root'}}"
Pulse Connect Secure,"https://docs.elastic.co/integrations/pulse_connect_secure
","{'@timestamp': '2021-10-19T09:10:35.000+02:00', 'agent': {'ephemeral_id': '48b94170-8de9-42a4-8608-50484a347a6a', 'id': '584f3aea-648c-4e58-aba4-32b8f88d4396', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0-beta1'}, 'client': {'address': '89.160.20.156', 'as': {'number': 29518, 'organization': {'name': 'Bredband2 AB'}}, 'geo': {'city_name': 'Linköping', 'continent_name': 'Europe', 'country_iso_code': 'SE', 'country_name': 'Sweden', 'location': {'lat': 58.4167, 'lon': 15.6167}, 'region_iso_code': 'SE-E', 'region_name': 'Östergötland County'}, 'ip': '89.160.20.156'}, 'data_stream': {'dataset': 'pulse_connect_secure.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '584f3aea-648c-4e58-aba4-32b8f88d4396', 'snapshot': False, 'version': '8.0.0-beta1'}, 'event': {'agent_id_status': 'verified', 'category': 'network', 'created': '2021-10-19T09:10:35.000+02:00', 'dataset': 'pulse_connect_secure.log', 'ingested': '2022-02-03T09:39:02Z', 'kind': 'event', 'original': 'Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [89.160.20.156] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.\n', 'outcome': 'success', 'timezone': '+02:00'}, 'host': {'hostname': 'pcs-node1'}, 'input': {'type': 'udp'}, 'log': {'source': {'address': '172.19.0.7:51695'}}, 'message': 'Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 89.160.20.156 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.', 'observer': {'ip': '10.5.2.3', 'name': 'pcs-node1', 'product': 'Pulse Secure Connect', 'type': 'vpn', 'vendor': 'Pulse Secure'}, 'pulse_secure': {'realm': 'REALM', 'role': 'REALM_ROLES', 'session': {'id': 'sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75'}}, 'source': {'address': '89.160.20.156', 'as': {'number': 29518, 'organization': {'name': 'Bredband2 AB'}}, 'geo': {'city_name': 'Linköping', 'continent_name': 'Europe', 'country_iso_code': 'SE', 'country_name': 'Sweden', 'location': {'lat': 58.4167, 'lon': 15.6167}, 'region_iso_code': 'SE-E', 'region_name': 'Östergötland County'}, 'ip': '89.160.20.156'}, 'tags': ['preserve_original_event', 'forwarded', 'pulse_connect_secure-log'], 'user': {'name': 'user.name'}, 'user_agent': {'device': {'name': 'Other'}, 'name': 'Other', 'original': 'Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723', 'os': {'full': 'Windows 10', 'name': 'Windows', 'version': '10'}}}"
Zscaler Private Access,"https://docs.elastic.co/integrations/zscaler_zpa
","{'@timestamp': '2019-07-03T05:17:22.000Z', 'agent': {'ephemeral_id': '3822f64e-da38-4bc8-ba94-142dfb616687', 'hostname': 'docker-fleet-agent', 'id': 'bd852834-2771-4c96-b2b6-2b6de67a2c01', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '7.16.2'}, 'client': {'nat': {'ip': '10.0.0.1'}}, 'data_stream': {'dataset': 'zscaler_zpa.app_connector_status', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': 'bd852834-2771-4c96-b2b6-2b6de67a2c01', 'snapshot': False, 'version': '7.16.2'}, 'event': {'agent_id_status': 'verified', 'category': ['package'], 'dataset': 'zscaler_zpa.app_connector_status', 'ingested': '2022-11-10T07:09:35Z', 'kind': 'event', 'original': '{""LogTimestamp"":""Wed Jul 3 05:17:22 2019"",""Customer"":""Customer Name"",""SessionID"":""8A64Qwj9zCkfYDGJVoUZ"",""SessionType"":""ZPN_ASSISTANT_BROKER_CONTROL"",""SessionStatus"":""ZPN_STATUS_AUTHENTICATED"",""Version"":""19.20.3"",""Platform"":""el7"",""ZEN"":""US-NY-8179"",""Connector"":""Some App Connector"",""ConnectorGroup"":""Some App Connector Group"",""PrivateIP"":""10.0.0.4"",""PublicIP"":""0.0.0.0"",""Latitude"":47,""Longitude"":-122,""CountryCode"":"""",""TimestampAuthentication"":""2019-06-27T05:05:23.348Z"",""TimestampUnAuthentication"":"""",""CPUUtilization"":1,""MemUtilization"":20,""ServiceCount"":2,""InterfaceDefRoute"":""eth0"",""DefRouteGW"":""10.0.0.1"",""PrimaryDNSResolver"":""168.63.129.16"",""HostStartTime"":""1513229995"",""HostUpTime"":""1513229995"",""ConnectorUpTime"":""1555920005"",""ConnectorStartTime"":""1555920005"",""NumOfInterfaces"":2,""BytesRxInterface"":319831966346,""PacketsRxInterface"":1617569938,""ErrorsRxInterface"":0,""DiscardsRxInterface"":0,""BytesTxInterface"":192958782635,""PacketsTxInterface"":1797471190,""ErrorsTxInterface"":0,""DiscardsTxInterface"":0,""TotalBytesRx"":10902554,""TotalBytesTx"":48931771}', 'type': ['info']}, 'host': {'cpu': {'usage': 1}, 'network': {'egress': {'bytes': 48931771}, 'ingress': {'bytes': 10902554}}}, 'input': {'type': 'tcp'}, 'log': {'source': {'address': '192.168.64.5:34894'}}, 'observer': {'geo': {'location': {'lat': 47, 'lon': -122}}, 'ip': '0.0.0.0', 'os': {'platform': 'el7'}, 'type': 'forwarder', 'version': '19.20.3'}, 'organization': {'name': 'Customer Name'}, 'related': {'ip': ['10.0.0.1', '0.0.0.0', '10.0.0.4', '168.63.129.16']}, 'tags': ['forwarded', 'zscaler_zpa-app_connectors_status'], 'zscaler_zpa': {'app_connector_status': {'connector': {'group': 'Some App Connector Group', 'name': 'Some App Connector'}, 'connector_start_time': '2019-04-22T08:00:05.000Z', 'connector_up_time': '2019-04-22T08:00:05.000Z', 'host_start_time': '2017-12-14T05:39:55.000Z', 'host_up_time': '2017-12-14T05:39:55.000Z', 'interface': {'name': 'eth0', 'received': {'bytes': 319831966346, 'discards': 0, 'errors': 0, 'packets': 1617569938}, 'transmitted': {'bytes': 192958782635, 'discards': 0, 'errors': 0, 'packets': 1797471190}}, 'memory': {'utilization': 20}, 'num_of_interfaces': 2, 'primary_dns_resolver': '168.63.129.16', 'private_ip': '10.0.0.4', 'service': {'count': 2}, 'session': {'id': '8A64Qwj9zCkfYDGJVoUZ', 'status': 'ZPN_STATUS_AUTHENTICATED', 'type': 'ZPN_ASSISTANT_BROKER_CONTROL'}, 'timestamp': {'authentication': '2019-06-27T05:05:23.348Z'}, 'zen': 'US-NY-8179'}}}"
Nagios XI,"https://docs.elastic.co/integrations/nagios_xi
","{'@timestamp': '2022-03-16T07:02:41.000Z', 'agent': {'ephemeral_id': '51b119f6-cf3c-4fe1-ba07-4f8194106cda', 'id': '98cccf9b-3d95-4b93-b4dc-472035898e0f', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'nagios_xi.events', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': '98cccf9b-3d95-4b93-b4dc-472035898e0f', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'created': '2022-05-09T07:14:09.873Z', 'dataset': 'nagios_xi.events', 'ingested': '2022-05-09T07:14:10Z', 'kind': 'event', 'module': 'nagios_xi', 'original': '{""entry_time"":""2022-03-16 07:02:41"",""instance_id"":""1"",""logentry_data"":""Event broker module \'/usr/local/nagios/bin/ndo.so\' initialized successfully."",""logentry_id"":""211261"",""logentry_type"":""262144""}', 'type': 'info'}, 'input': {'type': 'httpjson'}, 'message': ""Event broker module '/usr/local/nagios/bin/ndo.so' initialized successfully."", 'nagios_xi': {'event': {'entry_time': '2022-03-16T07:02:41.000Z', 'instance_id': 1, 'logentry': {'id': 211261, 'type': 262144}}}, 'tags': ['preserve_original_event', 'forwarded', 'nagios_xi-events']}"
Azure Billing Metrics,"https://docs.elastic.co/integrations/azure_billing
","{'agent': {'hostname': 'docker-fleet-agent', 'name': 'docker-fleet-agent', 'id': 'ac0aba17-80ba-472c-a850-25b8eee31b4a', 'type': 'metricbeat', 'ephemeral_id': '00acbc2a-2f96-4c8a-99fe-790f724e9b9e', 'version': '7.15.3'}, 'elastic_agent': {'id': 'ac0aba17-80ba-472c-a850-25b8eee31b4a', 'version': '7.15.3', 'snapshot': True}, 'cloud': {'instance': {'name': 'alextest223', 'id': '/subscriptions/7657426d-c4c3-44ac-88a2-3b2cd59e6dba/resourceGroups/alex-test-resources/providers/Microsoft.Storage/storageAccounts/testthis'}, 'provider': 'azure', 'region': 'CentralUS'}, '@timestamp': '2021-11-16T14:53:50.309Z', 'ecs': {'version': '1.11.0'}, 'service': {'type': 'azure'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'azure.billing'}, 'host': {'hostname': 'docker-fleet-agent', 'os': {'kernel': '4.19.128-microsoft-standard', 'codename': 'Core', 'name': 'CentOS Linux', 'type': 'linux', 'family': 'redhat', 'version': '7 (Core)', 'platform': 'centos'}, 'containerized': True, 'ip': ['192.168.16.7'], 'name': 'docker-fleet-agent', 'id': '0e45dc0f765dee79aa8992abcd05b189', 'mac': ['02:42:c0:a8:10:07'], 'architecture': 'x86_64'}, 'metricset': {'period': 86400000, 'name': 'billing'}, 'event': {'duration': 37147626300, 'agent_id_status': 'verified', 'ingested': '2021-11-16T14:53:51Z', 'module': 'azure', 'dataset': 'azure.billing'}, 'azure': {'subscription_id': '7657426d-c4c3-44ac-88a2-3b2cd59e6dba', 'resource': {'name': 'testthis', 'type': 'Microsoft.Storage', 'group': 'alex-test-resources'}, 'billing': {'product': 'Bandwidth Inter-Region - Data Transfer Out - North America', 'pretax_cost': 2.327970961e-06, 'usage_start': '2021-11-15T00:00:00.000Z', 'usage_end': '2021-11-15T23:59:59.000Z', 'department_name': 'DEpartment', 'account_name': 'R&D', 'currency': 'USD', 'billing_period_id': '/subscriptions/7657426d-c4c3-44ac-88a2-3b2cd59e6dba/providers/Microsoft.Billing/billingPeriods/20211101'}}}"
ForgeRock,"https://docs.elastic.co/integrations/forgerock
","{'@timestamp': '2022-10-05T18:21:48.248Z', 'client': {'ip': '1.128.0.0'}, 'ecs': {'version': '8.5.2'}, 'event': {'action': 'AM-ACCESS-ATTEMPT', 'id': '45463f84-ff1b-499f-aa84-8d4bd93150de-256203', 'type': 'access'}, 'forgerock': {'eventName': 'AM-ACCESS-ATTEMPT', 'http': {'request': {'headers': {'accept': ['text/plain,*/*'], 'content-type': ['application/x-www-form-urlencoded'], 'host': ['openam-chico-poc.forgeblocks.com'], 'user-agent': ['Jersey/2.34 (HttpUrlConnection 11.0.9)'], 'x-forwarded-for': ['34.94.38.177, 34.149.144.150, 10.168.0.8'], 'x-forwarded-proto': ['https']}, 'secure': True}}, 'level': 'INFO', 'realm': '/', 'request': {'detail': {'grant_type': 'client_credentials', 'scope': 'fr:idm:*'}}, 'source': 'audit', 'topic': 'access'}, 'http': {'request': {'Path': 'https://openam-chico-poc.forgeblocks.com/am/oauth2/access_token', 'method': 'POST'}}, 'observer': {'vendor': 'ForgeRock Identity Platform'}, 'service': {'name': 'OAuth'}, 'transaction': {'id': '1664994108247-9f138d8fc9f59d23164c-26466/0'}}"
Lyve Cloud,"https://docs.elastic.co/integrations/lyve_cloud
","{'@timestamp': '2022-10-20T12:52:42.974Z', 'cloud': {'provider': 'lyvecloud'}, 'ecs': {'version': '8.5.1'}, 'event': {'original': '{""auditEntry"": {""api"": {""name"": ""GetBucketLocation"", ""bucket"": ""user-name-t10"", ""status"": ""OK"", ""statusCode"": 200, ""timeToResponse"": ""27121602ns"", ""timeToFirstByte"": ""27072750ns""}, ""time"": ""2022-10-20T12:52:42.974686686Z"", ""version"": ""1"", ""requestID"": ""171FC8111B3F560B"", ""userAgent"": ""MinIO (linux; amd64) minio-go/v7.0.15"", ""deploymentid"": ""8fe8887f-d1e2-4918-9e33-52bfba3b0de8"", ""requestQuery"": {""location"": """"}, ""requestHeader"": {""X-Real-Ip"": ""10.213.135.144:28911"", ""User-Agent"": ""aws-cli/2.7.7 Python/3.9.11 Linux/5.15.0-52-generic exe/x86_64.ubuntu.20 prompt/off command/s3api.head-object"", ""X-Amz-Date"": ""20221024T083808Z"", ""Authorization"": ""AWS4-HMAC-SHA256 Credential=<redacted>/20221024/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<redacted>"", ""Accept-Encoding"": ""identity"", ""X-Forwarded-For"": ""1.128.0.0, 10.213.135.144"", ""X-Forwarded-Host"": ""s3.us-east-1.lyvecloud.seagate.com"", ""X-Forwarded-Proto"": ""https"", ""X-Amz-Content-Sha256"": ""e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855""}, ""responseHeader"": {""ETag"": ""b1946ac92492d2347c6235b4d2611184"", ""Vary"": ""Origin"", ""Content-Type"": ""application/octet-stream"", ""Accept-Ranges"": ""bytes"", ""Last-Modified"": ""Sun, 23 Oct 2022 12:51:23 GMT"", ""Content-Length"": ""6"", ""X-Amz-Request-Id"": ""1720F4788755136D"", ""X-Xss-Protection"": ""1; mode=block"", ""x-amz-version-id"": ""ab44978d-0929-4c3a-8d52-17157c1fb6ad"", ""X-Amz-Bucket-Region"": ""us-east-1"", ""X-Amz-Object-Lock-Mode"": ""COMPLIANCE"", ""Content-Security-Policy"": ""block-all-mixed-content"", ""X-Amz-Server-Side-Encryption"": ""AES256"", ""X-Amz-Object-Lock-Retain-Until-Date"": ""2022-10-27T12:51:23.250Z""}}, ""serviceAccountName"": ""user-name-terraform"", ""serviceAccountCreatorId"": ""name.last@company.com""}'}, 'http': {'response': {'body': {'bytes': 6}, 'mime_type': 'application/octet-stream', 'status_code': 200}}, 'log': {'file': {'path': 'https://s3.us-east-1.lyvecloud.seagate.com/logss001/October-2022/S3-2022-20-10-14-09-31.gz'}}, 'lyve_cloud': {'audit': {'auditEntry': {'api': {'bucket': 'user-name-t10', 'name': 'GetBucketLocation', 'status': 'OK', 'timeToFirstByte': 27072750, 'timeToResponse': 27121602}, 'requestHeader': {'X-Forwarded-For': '1.128.0.0, 10.213.135.144', 'X-Forwarded-Host': 's3.us-east-1.lyvecloud.seagate.com', 'X-Real-Ip': '10.213.135.144:28911'}, 'responseHeader': {'Accept-Ranges': 'bytes', 'Last-Modified': 'Sun, 23 Oct 2022 12:51:23 GMT', 'X-Amz-Bucket-Region': 'us-east-1', 'X-Amz-Object-Lock-Mode': 'COMPLIANCE', 'X-Amz-Server-Side-Encryption': 'AES256', 'object_lock_retain_until_date': '2022-10-27T12:51:23.250Z', 'x-amz-version-id': 'ab44978d-0929-4c3a-8d52-17157c1fb6ad'}, 'version': '1'}}}, 'os': {'name': 'Linux'}, 'related': {'ip': ['1.128.0.0', '10.213.135.144'], 'user': 'user-name-terraform'}, 'tags': ['preserve_original_event'], 'user': {'email': 'name.last@company.com', 'id': 'name.last@company.com', 'name': 'user-name-terraform'}, 'user_agent': {'device': {'name': 'Other'}, 'name': 'Other', 'original': 'MinIO (linux; amd64) minio-go/v7.0.15'}}"
Couchbase,"https://docs.elastic.co/integrations/couchbase
","{'@timestamp': '2022-09-22T09:52:54.159Z', 'agent': {'ephemeral_id': '7a05dbed-39c2-48ba-a54c-9c08ad6d571a', 'id': 'e9b62dba-64d7-428d-8d75-88f57c77d423', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.4.1'}, 'couchbase': {'bucket': {'data': {'used': {'bytes': 103804}}, 'disk': {'fetches': 0, 'used': {'bytes': 2005443}}, 'item': {'count': 0}, 'memory': {'used': {'bytes': 28202560}}, 'name': 'beer-sample', 'operations_per_sec': 0, 'ram': {'quota': {'bytes': 209715200, 'used': {'pct': 13.44802856445312}}}, 'type': 'membase'}}, 'data_stream': {'dataset': 'couchbase.bucket', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': 'e9b62dba-64d7-428d-8d75-88f57c77d423', 'snapshot': False, 'version': '8.4.1'}, 'event': {'agent_id_status': 'verified', 'category': ['database'], 'dataset': 'couchbase.bucket', 'duration': 205027230, 'ingested': '2022-09-22T09:52:57Z', 'kind': 'metric', 'module': 'couchbase', 'type': ['info']}, 'host': {'architecture': 'x86_64', 'containerized': True, 'hostname': 'docker-fleet-agent', 'id': '51511c1493f34922b559a964798246ec', 'ip': ['192.168.128.7'], 'mac': ['02:42:c0:a8:80:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.4.0-126-generic', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'metricset': {'name': 'json', 'period': 10000}, 'service': {'address': 'http://elastic-package-service_couchbase_1:8091/pools/default/buckets', 'type': 'http'}, 'tags': ['forwarded', 'couchbase-bucket']}"
Trend Micro Vision One,"https://docs.elastic.co/integrations/trend_micro_vision_one
","{'@timestamp': '2030-04-30T00:01:16.000Z', 'agent': {'ephemeral_id': '866cfa51-4f51-436a-8e64-6075e4fc5940', 'id': '6d1daf8c-cf74-431d-829c-3dedd9bd2ced', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'data_stream': {'dataset': 'trend_micro_vision_one.alert', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '6d1daf8c-cf74-431d-829c-3dedd9bd2ced', 'snapshot': False, 'version': '8.4.0'}, 'event': {'agent_id_status': 'verified', 'category': ['email'], 'created': '2022-12-05T12:05:45.098Z', 'dataset': 'trend_micro_vision_one.alert', 'id': 'WB-9002-20200427-0002', 'ingested': '2022-12-05T12:05:48Z', 'kind': 'alert', 'original': '{""alertProvider"":""SAE"",""createdDateTime"":""2020-04-30T00:01:15Z"",""description"":""A backdoor was possibly implanted after a user received a possible spear phishing email message."",""id"":""WB-9002-20200427-0002"",""impactScope"":{""accountCount"":0,""desktopCount"":0,""emailAddressCount"":0,""entities"":[{""entityId"":""5257b401-2fd7-469c-94fa-39a4f11eb925"",""entityType"":""host"",""entityValue"":""user@email.com"",""provenance"":[""Alert""],""relatedEntities"":[""CODERED\\\\\\\\user""],""relatedIndicatorIds"":[1]}],""serverCount"":0},""indicators"":[{""field"":""request url"",""filterIds"":[""f862df72-7f5e-4b2b-9f7f-9148e875f908""],""id"":1,""provenance"":[""Alert""],""relatedEntities"":[""user@example.com""],""type"":""url"",""value"":""http://www.example.com/ab001.zip""}],""investigationStatus"":""New"",""matchedRules"":[{""id"":""5f52d1f1-53e7-411a-b74f-745ee81fa30b"",""matchedFilters"":[{""id"":""ccf86fc1-688f-4131-a46f-1d7a6ee2f88e"",""matchedDateTime"":""2019-08-02T04:00:01Z"",""matchedEvents"":[{""matchedDateTime"":""2019-08-02T04:00:01Z"",""type"":""TELEMETRY_REGISTRY"",""uuid"":""fa9ff47c-e1b8-459e-a3d0-a5b104b854a5""}],""mitreTechniqueIds"":[""T1192""],""name"":""(T1192) Spearphishing Link""}],""name"":""Possible SpearPhishing Email""}],""model"":""Possible APT Attack"",""schemaVersion"":""1.0"",""score"":63,""severity"":""critical"",""updatedDateTime"":""2030-04-30T00:01:16Z"",""workbenchLink"":""https://THE_WORKBENCH_URL""}', 'severity': 63, 'type': ['info']}, 'input': {'type': 'httpjson'}, 'log': {'level': 'critical'}, 'tags': ['preserve_original_event', 'preserve_duplicate_custom_fields', 'forwarded', 'trend_micro_vision_one-alert'], 'trend_micro_vision_one': {'alert': {'alert_provider': 'SAE', 'created_date': '2020-04-30T00:01:15.000Z', 'description': 'A backdoor was possibly implanted after a user received a possible spear phishing email message.', 'id': 'WB-9002-20200427-0002', 'impact_scope': {'account_count': 0, 'desktop_count': 0, 'email_address_count': 0, 'entities': [{'id': '5257b401-2fd7-469c-94fa-39a4f11eb925', 'provenance': ['Alert'], 'related_entities': ['CODERED\\\\user'], 'related_indicator_id': [1], 'type': 'host', 'value': {'account_value': 'user@email.com'}}], 'server_count': 0}, 'indicators': [{'field': 'request url', 'filter_id': ['f862df72-7f5e-4b2b-9f7f-9148e875f908'], 'id': 1, 'provenance': ['Alert'], 'related_entities': ['user@example.com'], 'type': 'url', 'value': 'http://www.example.com/ab001.zip'}], 'investigation_status': 'New', 'matched_rule': [{'filter': [{'date': '2019-08-02T04:00:01.000Z', 'events': [{'date': '2019-08-02T04:00:01.000Z', 'type': 'TELEMETRY_REGISTRY', 'uuid': 'fa9ff47c-e1b8-459e-a3d0-a5b104b854a5'}], 'id': 'ccf86fc1-688f-4131-a46f-1d7a6ee2f88e', 'mitre_technique_id': ['T1192'], 'name': '(T1192) Spearphishing Link'}], 'id': '5f52d1f1-53e7-411a-b74f-745ee81fa30b', 'name': 'Possible SpearPhishing Email'}], 'model': 'Possible APT Attack', 'schema_version': '1.0', 'score': 63, 'severity': 'critical', 'workbench_link': 'https://THE_WORKBENCH_URL'}}, 'url': {'original': 'https://THE_WORKBENCH_URL', 'scheme': 'https'}}"
CockroachDB Metrics,"https://docs.elastic.co/integrations/cockroachdb
","{'@timestamp': '2022-09-06T09:50:54.422Z', 'agent': {'ephemeral_id': '4002fdcf-5421-491e-90b0-4b0229592d88', 'id': '19de6249-945f-46da-9464-383664c3adaf', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.4.0'}, 'cockroachdb': {'status': {'abortspanbytes': {'value': 0}, 'addsstable_applications': {'counter': 0}, 'addsstable_aswrites': {'counter': 0}, 'addsstable_copies': {'counter': 0}, 'addsstable_delay_enginebackpressure': {'counter': 0}, 'addsstable_delay_total': {'counter': 0}, 'addsstable_proposals': {'counter': 0}, 'capacity': {'value': 0}, 'capacity_available': {'value': 0}, 'capacity_reserved': {'value': 0}, 'capacity_used': {'value': 0}, 'exportrequest_delay_total': {'counter': 0}, 'follower_reads_success_count': {'counter': 0}, 'gcbytesage': {'value': 0}, 'intentage': {'value': 0}, 'intentbytes': {'value': 0}, 'intentcount': {'value': 0}, 'intentresolver_async_throttled': {'counter': 0}, 'intentresolver_finalized_txns_failed': {'counter': 0}, 'intentresolver_intents_failed': {'counter': 0}, 'intents_abort_attempts': {'counter': 0}, 'intents_poison_attempts': {'counter': 0}, 'intents_resolve_attempts': {'counter': 54}, 'keybytes': {'value': 82632}, 'keycount': {'value': 1680}, 'kv_allocator_load_based_lease_transfers_cannot_find_better_candidate': {'counter': 0}, 'kv_allocator_load_based_lease_transfers_delta_not_significant': {'counter': 0}, 'kv_allocator_load_based_lease_transfers_existing_not_overfull': {'counter': 0}, 'kv_allocator_load_based_lease_transfers_missing_stats_for_existing_stores': {'counter': 0}, 'kv_allocator_load_based_lease_transfers_should_transfer': {'counter': 0}, 'kv_allocator_load_based_lease_transfers_significantly_switches_relative_disposition': {'counter': 0}, 'kv_allocator_load_based_replica_rebalancing_cannot_find_better_candidate': {'counter': 0}, 'kv_allocator_load_based_replica_rebalancing_delta_not_significant': {'counter': 0}, 'kv_allocator_load_based_replica_rebalancing_existing_not_overfull': {'counter': 0}, 'kv_allocator_load_based_replica_rebalancing_missing_stats_for_existing_store': {'counter': 0}, 'kv_allocator_load_based_replica_rebalancing_should_transfer': {'counter': 0}, 'kv_allocator_load_based_replica_rebalancing_significantly_switches_relative_disposition': {'counter': 0}, 'kv_closed_timestamp_max_behind_nanos': {'value': 0}, 'kv_concurrency_avg_lock_hold_duration_nanos': {'value': 0}, 'kv_concurrency_avg_lock_wait_duration_nanos': {'value': 0}, 'kv_concurrency_lock_wait_queue_waiters': {'value': 0}, 'kv_concurrency_locks': {'value': 0}, 'kv_concurrency_locks_with_wait_queues': {'value': 0}, 'kv_concurrency_max_lock_hold_duration_nanos': {'value': 0}, 'kv_concurrency_max_lock_wait_duration_nanos': {'value': 0}, 'kv_concurrency_max_lock_wait_queue_waiters_for_lock': {'value': 0}, 'kv_rangefeed_budget_allocation_blocked': {'counter': 0}, 'kv_rangefeed_budget_allocation_failed': {'counter': 0}, 'kv_rangefeed_catchup_scan_nanos': {'counter': 4840834}, 'kv_replica_circuit_breaker_num_tripped_events': {'counter': 0}, 'kv_replica_circuit_breaker_num_tripped_replicas': {'value': 0}, 'kv_tenant_rate_limit_current_blocked': {'value': 0}, 'kv_tenant_rate_limit_num_tenants': {'value': 0}, 'kv_tenant_rate_limit_read_bytes_admitted': {'counter': 0}, 'kv_tenant_rate_limit_read_requests_admitted': {'counter': 0}, 'kv_tenant_rate_limit_write_bytes_admitted': {'counter': 0}, 'kv_tenant_rate_limit_write_requests_admitted': {'counter': 0}, 'labels': {'instance': 'elastic-package-service_cockroachdb_1:8080', 'job': 'prometheus', 'store': '1'}, 'leases_epoch': {'value': 0}, 'leases_error': {'counter': 0}, 'leases_expiration': {'value': 0}, 'leases_success': {'counter': 28}, 'leases_transfers_error': {'counter': 0}, 'leases_transfers_success': {'counter': 0}, 'livebytes': {'value': 248040}, 'livecount': {'value': 1679}, 'queue_consistency_pending': {'value': 0}, 'queue_consistency_process_failure': {'counter': 0}, 'queue_consistency_process_success': {'counter': 9}, 'queue_consistency_processingnanos': {'counter': 490621584}, 'queue_gc_info_abortspanconsidered': {'counter': 0}, 'queue_gc_info_abortspangcnum': {'counter': 0}, 'queue_gc_info_abortspanscanned': {'counter': 0}, 'queue_gc_info_intentsconsidered': {'counter': 0}, 'queue_gc_info_intenttxns': {'counter': 0}, 'queue_gc_info_numkeysaffected': {'counter': 0}, 'queue_gc_info_pushtxn': {'counter': 0}, 'queue_gc_info_resolvefailed': {'counter': 0}, 'queue_gc_info_resolvesuccess': {'counter': 0}, 'queue_gc_info_resolvetotal': {'counter': 0}, 'queue_gc_info_transactionresolvefailed': {'counter': 0}, 'queue_gc_info_transactionspangcaborted': {'counter': 0}, 'queue_gc_info_transactionspangccommitted': {'counter': 0}, 'queue_gc_info_transactionspangcpending': {'counter': 0}, 'queue_gc_info_transactionspangcstaging': {'counter': 0}, 'queue_gc_info_transactionspanscanned': {'counter': 0}, 'queue_gc_pending': {'value': 0}, 'queue_gc_process_failure': {'counter': 0}, 'queue_gc_process_success': {'counter': 0}, 'queue_gc_processingnanos': {'counter': 0}, 'queue_merge_pending': {'value': 41}, 'queue_merge_process_failure': {'counter': 0}, 'queue_merge_process_success': {'counter': 0}, 'queue_merge_processingnanos': {'counter': 21611042}, 'queue_merge_purgatory': {'value': 0}, 'queue_raftlog_pending': {'value': 0}, 'queue_raftlog_process_failure': {'counter': 0}, 'queue_raftlog_process_success': {'counter': 3}, 'queue_raftlog_processingnanos': {'counter': 48402543}, 'queue_raftsnapshot_pending': {'value': 0}, 'queue_raftsnapshot_process_failure': {'counter': 0}, 'queue_raftsnapshot_process_success': {'counter': 0}, 'queue_raftsnapshot_processingnanos': {'counter': 0}, 'queue_replicagc_pending': {'value': 0}, 'queue_replicagc_process_failure': {'counter': 0}, 'queue_replicagc_process_success': {'counter': 0}, 'queue_replicagc_processingnanos': {'counter': 0}, 'queue_replicagc_removereplica': {'counter': 0}, 'queue_replicate_addnonvoterreplica': {'counter': 0}, 'queue_replicate_addreplica': {'counter': 0}, 'queue_replicate_addvoterreplica': {'counter': 0}, 'queue_replicate_nonvoterpromotions': {'counter': 0}, 'queue_replicate_pending': {'value': 0}, 'queue_replicate_process_failure': {'counter': 26}, 'queue_replicate_process_success': {'counter': 0}, 'queue_replicate_processingnanos': {'counter': 157329207}, 'queue_replicate_purgatory': {'value': 24}, 'queue_replicate_rebalancenonvoterreplica': {'counter': 0}, 'queue_replicate_rebalancereplica': {'counter': 0}, 'queue_replicate_rebalancevoterreplica': {'counter': 0}, 'queue_replicate_removedeadnonvoterreplica': {'counter': 0}, 'queue_replicate_removedeadreplica': {'counter': 0}, 'queue_replicate_removedeadvoterreplica': {'counter': 0}, 'queue_replicate_removedecommissioningnonvoterreplica': {'counter': 0}, 'queue_replicate_removedecommissioningreplica': {'counter': 0}, 'queue_replicate_removedecommissioningvoterreplica': {'counter': 0}, 'queue_replicate_removelearnerreplica': {'counter': 0}, 'queue_replicate_removenonvoterreplica': {'counter': 0}, 'queue_replicate_removereplica': {'counter': 0}, 'queue_replicate_removevoterreplica': {'counter': 0}, 'queue_replicate_transferlease': {'counter': 0}, 'queue_replicate_voterdemotions': {'counter': 0}, 'queue_split_pending': {'value': 0}, 'queue_split_process_failure': {'counter': 0}, 'queue_split_process_success': {'counter': 0}, 'queue_split_processingnanos': {'counter': 0}, 'queue_split_purgatory': {'value': 0}, 'queue_tsmaintenance_pending': {'value': 0}, 'queue_tsmaintenance_process_failure': {'counter': 0}, 'queue_tsmaintenance_process_success': {'counter': 1}, 'queue_tsmaintenance_processingnanos': {'counter': 33299709}, 'raft_commandsapplied': {'counter': 330}, 'raft_enqueued_pending': {'value': 0}, 'raft_entrycache_accesses': {'counter': 55}, 'raft_entrycache_bytes': {'value': 131713}, 'raft_entrycache_hits': {'counter': 3}, 'raft_entrycache_size': {'value': 300}, 'raft_heartbeats_pending': {'value': 0}, 'raft_process_applycommitted_latency': {'histogram': {'counts': [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 'values': [27647.5, 78847, 106495, 112639, 116735, 122879, 133119, 143359, 151551, 159743, 167935, 176127, 184319, 192511, 200703, 208895, 217087, 225279, 233471, 241663, 249855, 258047, 270335, 286719, 303103, 319487, 335871, 352255, 368639, 385023, 401407, 417791, 434175, 450559, 466943, 483327, 499711, 516095, 540671, 573439, 606207, 655359, 704511, 753663, 802815, 835583, 868351, 901119, 933887, 966655, 1015807, 1081343, 1146879, 1212415, 1277951, 1441791, 1638399, 1769471, 1933311, 2129919, 2293759, 2490367, 2818047, 3080191, 3407871, 3932159, 4456447, 4980735, 5373951, 5898239, 7077887, 11010047, 14417919, 16252927, 18350079, 21495807, 25690111, 27787263, 28835839, 30408703]}}, 'raft_process_commandcommit_latency': {'histogram': {'counts': [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 'values': [21503.5, 48127, 63487, 75775, 79871, 83967, 88063, 92159, 96255, 100351, 104447, 108543, 112639, 116735, 120831, 124927, 129023, 135167, 143359, 151551, 159743, 167935, 176127, 184319, 192511, 200703, 208895, 217087, 225279, 233471, 241663, 249855, 258047, 270335, 286719, 303103, 319487, 335871, 352255, 368639, 385023, 401407, 417791, 434175, 450559, 466943, 483327, 507903, 540671, 573439, 622591, 671743, 704511, 737279, 802815, 868351, 901119, 933887, 983039, 1097727, 1245183, 1507327, 2097151, 3014655, 3670015, 4259839, 4980735, 5373951, 5636095, 8912895, 13369343, 15728639, 17825791, 23068671, 28311551, 31457279]}}, 'raft_process_handleready_latency': {'histogram': {'counts': [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 'values': [376831.5, 999423, 1277951, 1343487, 1409023, 1474559, 1540095, 1605631, 1671167, 1736703, 1802239, 1867775, 1933311, 1998847, 2064383, 2162687, 2293759, 2424831, 2555903, 2686975, 2818047, 2949119, 3080191, 3211263, 3342335, 3473407, 3604479, 3735551, 3866623, 3997695, 4128767, 4325375, 4587519, 4849663, 5111807, 5373951, 5636095, 5898239, 6160383, 6422527, 6815743, 7208959, 7602175, 7995391, 8257535, 8650751, 9175039, 9699327, 11534335, 13369343, 14155775, 15728639, 17301503, 20447231, 24117247, 28835839, 37224447, 42991615, 48234495, 66060287, 90177535, 117440511, 155189247, 218103807]}}, 'raft_process_logcommit_latency': {'histogram': {'counts': [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 'values': [376831.5, 819199, 901119, 933887, 966655, 999423, 1032191, 1081343, 1146879, 1212415, 1277951, 1343487, 1409023, 1474559, 1540095, 1605631, 1671167, 1736703, 1802239, 1867775, 1933311, 1998847, 2064383, 2162687, 2293759, 2424831, 2555903, 2686975, 2818047, 2949119, 3080191, 3211263, 3342335, 3473407, 3604479, 3735551, 3866623, 3997695, 4128767, 4325375, 4587519, 4849663, 5111807, 5373951, 5898239, 6422527, 6684671, 6946815, 7471103, 8650751, 9699327, 11010047, 12320767, 13631487, 14942207, 15466495, 19398655, 36700159, 75497471, 117440511, 138412031, 150994943]}}, 'raft_process_tickingnanos': {'counter': 18037084}, 'raft_process_workingnanos': {'counter': 1726085499}, 'raft_rcvd_app': {'counter': 0}, 'raft_rcvd_appresp': {'counter': 0}, 'raft_rcvd_dropped': {'counter': 0}, 'raft_rcvd_heartbeat': {'counter': 0}, 'raft_rcvd_heartbeatresp': {'counter': 0}, 'raft_rcvd_prevote': {'counter': 0}, 'raft_rcvd_prevoteresp': {'counter': 0}, 'raft_rcvd_prop': {'counter': 0}, 'raft_rcvd_snap': {'counter': 0}, 'raft_rcvd_timeoutnow': {'counter': 0}, 'raft_rcvd_transferleader': {'counter': 0}, 'raft_rcvd_vote': {'counter': 0}, 'raft_rcvd_voteresp': {'counter': 0}, 'raft_scheduler_latency': {'histogram': {'counts': [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], 'values': [4095.5, 11519, 17151, 19967, 20991, 22015, 23039, 24575, 26111, 27135, 28159, 29183, 30207, 31231, 32255, 33791, 35839, 37887, 39935, 41983, 44031, 46079, 48127, 50175, 52223, 54271, 56319, 58367, 60415, 62463, 64511, 67583, 71679, 75775, 79871, 83967, 88063, 92159, 96255, 104447, 112639, 116735, 120831, 124927, 129023, 135167, 143359, 151551, 159743, 167935, 176127, 184319, 192511, 200703, 208895, 217087, 225279, 233471, 241663, 249855, 266239, 286719, 303103, 319487, 335871, 352255, 368639, 393215, 425983, 450559, 466943, 483327, 540671, 606207, 655359, 704511, 737279, 770047, 819199, 868351, 933887, 1015807, 1081343, 1179647, 1277951, 1343487, 1409023, 1474559, 1540095, 1605631, 1671167, 1736703, 1802239, 1867775, 1933311, 1998847, 2064383, 2162687, 2293759, 2424831, 2555903, 2686975, 2818047, 2949119, 3342335, 3735551, 3932159, 4259839, 4849663, 5373951, 5636095, 5898239, 6160383, 6553599, 7077887, 9437183, 14155775, 71303167, 146800639, 209715199]}}, 'raft_ticks': {'counter': 45}, 'raft_timeoutcampaign': {'counter': 0}, 'raftlog_behind': {'value': 0}, 'raftlog_truncated': {'counter': 30}, 'range_adds': {'counter': 0}, 'range_merges': {'counter': 0}, 'range_raftleadertransfers': {'counter': 0}, 'range_recoveries': {'counter': 0}, 'range_removes': {'counter': 0}, 'range_snapshots_applied_initial': {'counter': 0}, 'range_snapshots_applied_non_voter': {'counter': 0}, 'range_snapshots_applied_voter': {'counter': 0}, 'range_snapshots_generated': {'counter': 0}, 'range_snapshots_rcvd_bytes': {'counter': 0}, 'range_snapshots_sent_bytes': {'counter': 0}, 'range_splits': {'counter': 0}, 'ranges': {'value': 0}, 'ranges_overreplicated': {'value': 0}, 'ranges_unavailable': {'value': 0}, 'ranges_underreplicated': {'value': 0}, 'rebalancing_lease_transfers': {'counter': 0}, 'rebalancing_queriespersecond': {'value': 0}, 'rebalancing_range_rebalances': {'counter': 0}, 'rebalancing_writespersecond': {'value': 0}, 'replicas': {'value': 44}, 'replicas_leaders': {'value': 0}, 'replicas_leaders_not_leaseholders': {'value': 0}, 'replicas_leaseholders': {'value': 0}, 'replicas_quiescent': {'value': 0}, 'replicas_reserved': {'value': 0}, 'replicas_uninitialized': {'value': 0}, 'requests_backpressure_split': {'value': 0}, 'requests_slow_latch': {'value': 0}, 'requests_slow_lease': {'value': 0}, 'requests_slow_raft': {'value': 0}, 'rocksdb_block_cache_hits': {'value': 0}, 'rocksdb_block_cache_misses': {'value': 0}, 'rocksdb_block_cache_pinned_usage': {'value': 0}, 'rocksdb_block_cache_usage': {'value': 0}, 'rocksdb_bloom_filter_prefix_checked': {'value': 0}, 'rocksdb_bloom_filter_prefix_useful': {'value': 0}, 'rocksdb_compacted_bytes_read': {'value': 0}, 'rocksdb_compacted_bytes_written': {'value': 0}, 'rocksdb_compactions': {'value': 0}, 'rocksdb_encryption_algorithm': {'value': 0}, 'rocksdb_estimated_pending_compaction': {'value': 0}, 'rocksdb_flushed_bytes': {'value': 0}, 'rocksdb_flushes': {'value': 0}, 'rocksdb_ingested_bytes': {'value': 0}, 'rocksdb_memtable_total_size': {'value': 0}, 'rocksdb_num_sstables': {'value': 0}, 'rocksdb_read_amplification': {'value': 0}, 'rocksdb_table_readers_mem_estimate': {'value': 0}, 'storage_disk_slow': {'value': 0}, 'storage_disk_stalled': {'value': 0}, 'storage_l0_num_files': {'value': 0}, 'storage_l0_sublevels': {'value': 0}, 'storage_marked_for_compaction_files': {'value': 0}, 'storage_write_stalls': {'value': 0}, 'sysbytes': {'value': 8716}, 'syscount': {'value': 212}, 'totalbytes': {'value': 250992}, 'tscache_skl_pages': {'value': 1}, 'tscache_skl_rotations': {'counter': 0}, 'txn_commit_waits_before_commit_trigger': {'counter': 0}, 'txnrecovery_attempts_pending': {'value': 0}, 'txnrecovery_attempts_total': {'counter': 0}, 'txnrecovery_failures': {'counter': 0}, 'txnrecovery_successes_aborted': {'counter': 0}, 'txnrecovery_successes_committed': {'counter': 0}, 'txnrecovery_successes_pending': {'counter': 0}, 'txnwaitqueue_deadlocks_total': {'counter': 0}, 'txnwaitqueue_pushee_waiting': {'value': 0}, 'txnwaitqueue_pusher_slow': {'value': 0}, 'txnwaitqueue_pusher_wait_time': {'histogram': {'counts': [0], 'values': [0]}}, 'txnwaitqueue_pusher_waiting': {'value': 0}, 'txnwaitqueue_query_wait_time': {'histogram': {'counts': [0], 'values': [0]}}, 'txnwaitqueue_query_waiting': {'value': 0}, 'valbytes': {'value': 168360}, 'valcount': {'value': 1750}}}, 'data_stream': {'dataset': 'cockroachdb.status', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': '19de6249-945f-46da-9464-383664c3adaf', 'snapshot': False, 'version': '8.4.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'cockroachdb.status', 'duration': 248296459, 'ingested': '2022-09-06T09:50:55Z', 'module': 'prometheus'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'id': '5016511f0829451ea244f458eebf2212', 'ip': ['172.18.0.7'], 'mac': ['02:42:ac:12:00:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'metricset': {'name': 'collector', 'period': 10000}, 'service': {'address': 'http://elastic-package-service_cockroachdb_1:8080/_status/vars', 'type': 'prometheus'}}"
IBM MQ,"https://docs.elastic.co/integrations/ibmmq
","{'@timestamp': '2022-07-04T07:29:32.808Z', 'agent': {'ephemeral_id': 'b74cf2bf-29aa-46f0-8eec-ed48244675f2', 'id': '0402a600-6a5e-443e-a57e-10f6f91ff35e', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.2.0'}, 'data_stream': {'dataset': 'ibmmq.qmgr', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': '0402a600-6a5e-443e-a57e-10f6f91ff35e', 'snapshot': False, 'version': '8.2.0'}, 'event': {'agent_id_status': 'verified', 'category': 'web', 'dataset': 'ibmmq.qmgr', 'duration': 4639837, 'ingested': '2022-07-04T07:29:36Z', 'kind': 'metric', 'module': 'ibmmq', 'type': 'info'}, 'host': {'architecture': 'x86_64', 'containerized': True, 'hostname': 'docker-fleet-agent', 'ip': ['172.18.0.7'], 'mac': ['02:42:ac:12:00:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '3.10.0-1160.59.1.el7.x86_64', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'ibmmq': {'labels': {'job': 'ibmmq', 'qmgr': 'QM1'}, 'qmgr': {'calls': {'failed': {'callback': {'count': 0}, 'close': {'count': 0}, 'connections': {'count': 0}, 'get': {'count': 2}, 'inquire': {'count': 0}, 'open': {'count': 0}, 'set': {'count': 0}, 'subscription_request': {'count': 0}}, 'succeeded': {'callback': {'count': 0}, 'close': {'count': 0}, 'connections': {'count': 0}, 'control': {'count': 0}, 'disconnect': {'count': 0}, 'inquire': {'count': 4}, 'open': {'count': 0}, 'set': {'count': 0}, 'status': {'count': 0}, 'subscription_request': {'count': 0}}}, 'destructive': {'get': {'bytes': 4868, 'count': 13}}, 'log': {'written': {'bytes': {'logical': 0, 'physical': 0}}}, 'messages': {'commit': {'count': 0}, 'expired': {'count': 0}, 'failed': {'browse': {'count': 0}, 'mq': {'put': {'count': 0}, 'put1': {'count': 0}}}, 'mq': {'put': {'bytes': 4868, 'count': 13}}, 'non_persistent': {'browse': {'bytes': 0, 'count': 0}, 'destructive': {'get': {'count': 13}}, 'get': {'bytes': 4868}, 'mq': {'put': {'count': 13}, 'put1': {'count': 0}}, 'put': {'bytes': 4868}}, 'persistent': {'browse': {'bytes': 0, 'count': 0}, 'destructive': {'get': {'count': 0}}, 'get': {'bytes': 0}, 'mq': {'put': {'count': 0}, 'put1': {'count': 0}}, 'put': {'bytes': 0}}, 'published': {'subscribers': {'bytes': 3500, 'count': 13}}, 'purged': {'queue': {'count': 0}}}, 'rollback': {'count': 0}, 'subscription': {'durable': {'alter': {'count': 0}, 'create': {'count': 0}, 'delete': {'count': 0}, 'resume': {'count': 0}}, 'failed': {'create_alter_resume': {'count': 0}, 'delete': {'count': 0}}, 'non_durable': {'create': {'count': 0}, 'delete': {'count': 0}}}, 'topic': {'mq': {'put': {'count': 13, 'failed': {'count': 0}, 'non_persistent': {'count': 13}, 'persistent': {'count': 0}}}, 'put': {'bytes': 3500}}}}, 'metricset': {'name': 'collector', 'period': 10000}, 'service': {'address': 'http://elastic-package-service_ibmmq_1:9157/metrics', 'type': 'ibmmq'}, 'tags': ['forwarded', 'ibmmq-qmgr']}"
Istio,"https://docs.elastic.co/integrations/istio
","{'@timestamp': '2022-07-20T09:52:24.955Z', 'data_stream': {'namespace': 'default', 'type': 'logs', 'dataset': 'istio.access_logs'}, 'destination': {'address': '10.68.2.10:9080', 'ip': '10.68.2.10', 'port': 9080}, 'ecs': {'version': '8.3.0'}, 'event': {'category': ['web'], 'created': '2020-04-28T11:07:58.223Z', 'duration': 1000000, 'id': '785918d6-06b6-9312-bf77-6d9bd968dc21', 'ingested': '2022-07-20T11:05:15.804584205Z', 'kind': 'event', 'module': 'istio', 'original': '[2022-07-20T09:52:24.955Z] ""GET /details/0 HTTP/1.1"" 200 - via_upstream - ""-"" 0 178 2 1 ""-"" ""Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36"" ""785918d6-06b6-9312-bf77-6d9bd968dc21"" ""details:9080"" ""10.68.2.10:9080"" inbound|9080|| 127.0.0.6:47889 10.68.2.10:9080 89.160.20.156:39696 outbound_.9080_._.details.default.svc.cluster.local default', 'outcome': 'success', 'type': ['access']}, 'http': {'request': {'body': {'bytes': 178}, 'id': '785918d6-06b6-9312-bf77-6d9bd968dc21', 'method': 'GET'}, 'response': {'body': {'bytes': 0}, 'status_code': 200}, 'version': '1.1'}, 'istio': {'access': {'authority': 'details:9080', 'bytes': {'received': 0, 'sent': 178}, 'downstream': {'local_address': '10.68.2.10:9080', 'remote_address': '89.160.20.156:39696'}, 'duration': 2, 'requested_server_name': 'outbound_.9080_._.details.default.svc.cluster.local', 'response': {'code_details': 'via_upstream'}, 'route_name': 'default', 'upstream': {'local_address': '127.0.0.6:47889', 'cluster': 'inbound|9080||', 'host': '10.68.2.10:9080', 'service_time': 1}}}, 'network': {'community_id': '1:Kd61jBZsKdDUbZUBs5s/VI08qc0=', 'protocol': 'http', 'transport': 'tcp'}, 'related': {'ip': ['89.160.20.156', '10.68.2.10']}, 'source': {'address': '89.160.20.156:39696', 'as': {'number': 29518, 'organization': {'name': 'Bredband2 AB'}}, 'geo': {'city_name': 'Linköping', 'continent_name': 'Europe', 'country_iso_code': 'SE', 'country_name': 'Sweden', 'location': {'lat': 58.4167, 'lon': 15.6167}, 'region_iso_code': 'SE-E', 'region_name': 'Östergötland County'}, 'ip': '89.160.20.156', 'port': 39696}, 'tags': ['preserve_original_event'], 'url': {'original': '/details/0'}, 'user_agent': {'device': {'name': 'Mac'}, 'name': 'Chrome', 'original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36', 'os': {'full': 'Mac OS X 10.15.7', 'name': 'Mac OS X', 'version': '10.15.7'}, 'version': '103.0.5060.114'}}"
File Integrity Monitoring,"https://docs.elastic.co/integrations/fim
","{'@timestamp': '2022-12-26T05:20:54.547Z', 'agent': {'ephemeral_id': '7bc73d63-724e-4502-95c1-ff11478b89ec', 'id': '8921fb55-4463-4944-8dea-074038035111', 'name': 'docker-fleet-agent', 'type': 'auditbeat', 'version': '8.3.0'}, 'ecs': {'version': '8.6.0'}, 'data_stream': {'dataset': 'fim.event', 'namespace': 'ep', 'type': 'logs'}, 'elastic_agent': {'id': '8921fb55-4463-4944-8dea-074038035111', 'snapshot': False, 'version': '8.5.0'}, 'event': {'action': ['created'], 'agent_id_status': 'verified', 'category': ['file'], 'dataset': 'fim.event', 'ingested': '2022-12-26T05:20:55Z', 'kind': 'event', 'module': 'file_integrity', 'type': ['creation']}, 'file': {'ctime': '2022-12-26T05:20:54.531Z', 'gid': '1000', 'group': 'elastic-agent', 'hash': {'sha1': '22596363b3de40b06f981fb85d82312e8c0ed511'}, 'inode': '11794491', 'mode': '0644', 'mtime': '2022-12-26T05:20:54.531Z', 'owner': 'elastic-agent', 'path': '/tmp/service_logs/hello', 'size': 12, 'type': 'file', 'uid': '1000'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'id': '66392b0697b84641af8006d87aeb89f1', 'ip': ['192.168.128.7'], 'mac': ['02-42-C0-A8-80-07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.5 LTS (Focal Fossa)'}}, 'service': {'type': 'file_integrity'}, 'tags': ['fim-event']}"
Microsoft M365 Defender,"https://docs.elastic.co/integrations/m365_defender
","{'@timestamp': '2021-09-30T09:35:45.113Z', 'agent': {'ephemeral_id': '680ecfc9-79a0-47ae-b6a5-7b8a1546433c', 'id': 'e77dcfd5-f1ee-46d9-8fcf-08ad9ace0457', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cloud': {'account': {'id': 'b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c'}, 'provider': ['azure']}, 'data_stream': {'dataset': 'm365_defender.incident', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.5.0'}, 'elastic_agent': {'id': 'e77dcfd5-f1ee-46d9-8fcf-08ad9ace0457', 'snapshot': False, 'version': '8.6.0'}, 'event': {'action': ['detected'], 'agent_id_status': 'verified', 'created': '2021-08-13T08:43:35.553Z', 'dataset': 'm365_defender.incident', 'id': '2972395', 'ingested': '2023-02-01T07:32:54Z', 'kind': 'event', 'original': '{""@odata.type"":""#microsoft.graph.security.incident"",""alerts"":{""@odata.type"":""#microsoft.graph.security.alert"",""actorDisplayName"":null,""alertWebUrl"":""https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c"",""assignedTo"":null,""category"":""DefenseEvasion"",""classification"":""unknown"",""comments"":[],""createdDateTime"":""2021-04-27T12:19:27.7211305Z"",""description"":""A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses."",""detectionSource"":""antivirus"",""detectorId"":""e0da400f-affd-43ef-b1d5-afc2eb6f2756"",""determination"":""unknown"",""evidence"":[{""@odata.type"":""#microsoft.graph.security.deviceEvidence"",""azureAdDeviceId"":null,""createdDateTime"":""2021-04-27T12:19:27.7211305Z"",""defenderAvStatus"":""unknown"",""deviceDnsName"":""tempDns"",""firstSeenDateTime"":""2020-09-12T07:28:32.4321753Z"",""healthStatus"":""active"",""loggedOnUsers"":[],""mdeDeviceId"":""73e7e2de709dff64ef64b1d0c30e67fab63279db"",""onboardingStatus"":""onboarded"",""osBuild"":22424,""osPlatform"":""Windows10"",""rbacGroupId"":75,""rbacGroupName"":""UnassignedGroup"",""remediationStatus"":""none"",""remediationStatusDetails"":null,""riskScore"":""medium"",""roles"":[""compromised""],""tags"":[""Test Machine""],""verdict"":""unknown"",""version"":""Other"",""vmMetadata"":{""cloudProvider"":""azure"",""resourceId"":""/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests"",""subscriptionId"":""8700d3a3-3bb7-4fbe-a090-488a1ad04161"",""vmId"":""ca1b0d41-5a3b-4d95-b48b-f220aed11d78""}},{""@odata.type"":""#microsoft.graph.security.fileEvidence"",""createdDateTime"":""2021-04-27T12:19:27.7211305Z"",""detectionStatus"":""detected"",""fileDetails"":{""fileName"":""MsSense.exe"",""filePath"":""C:\\\\Program Files\\\\temp"",""filePublisher"":""Microsoft Corporation"",""fileSize"":6136392,""issuer"":null,""sha1"":""5f1e8acedc065031aad553b710838eb366cfee9a"",""sha256"":""8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec"",""signer"":null},""mdeDeviceId"":""73e7e2de709dff64ef64b1d0c30e67fab63279db"",""remediationStatus"":""none"",""remediationStatusDetails"":null,""roles"":[],""tags"":[],""verdict"":""unknown""},{""@odata.type"":""#microsoft.graph.security.processEvidence"",""createdDateTime"":""2021-04-27T12:19:27.7211305Z"",""detectionStatus"":""detected"",""imageFile"":{""fileName"":""MsSense.exe"",""filePath"":""C:\\\\Program Files\\\\temp"",""filePublisher"":""Microsoft Corporation"",""fileSize"":6136392,""issuer"":null,""sha1"":""5f1e8acedc065031aad553b710838eb366cfee9a"",""sha256"":""8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec"",""signer"":null},""mdeDeviceId"":""73e7e2de709dff64ef64b1d0c30e67fab63279db"",""parentProcessCreationDateTime"":""2021-08-12T07:39:09.0909239Z"",""parentProcessId"":668,""parentProcessImageFile"":{""fileName"":""services.exe"",""filePath"":""C:\\\\Windows\\\\System32"",""filePublisher"":""Microsoft Corporation"",""fileSize"":731744,""issuer"":null,""sha1"":null,""sha256"":null,""signer"":null},""processCommandLine"":""\\""MsSense.exe\\"""",""processCreationDateTime"":""2021-08-12T12:43:19.0772577Z"",""processId"":4780,""remediationStatus"":""none"",""remediationStatusDetails"":null,""roles"":[],""tags"":[],""userAccount"":{""accountName"":""SYSTEM"",""azureAdUserId"":null,""domainName"":""NT AUTHORITY"",""userPrincipalName"":null,""userSid"":""S-1-5-18""},""verdict"":""unknown""},{""@odata.type"":""#microsoft.graph.security.registryKeyEvidence"",""createdDateTime"":""2021-04-27T12:19:27.7211305Z"",""registryHive"":""HKEY_LOCAL_MACHINE"",""registryKey"":""SYSTEM\\\\CONTROLSET001\\\\CONTROL\\\\WMI\\\\AUTOLOGGER\\\\SENSEAUDITLOGGER"",""remediationStatus"":""none"",""remediationStatusDetails"":null,""roles"":[],""tags"":[],""verdict"":""unknown""}],""firstActivityDateTime"":""2021-04-26T07:45:50.116Z"",""id"":""da637551227677560813_-961444813"",""incidentId"":""28282"",""incidentWebUrl"":""https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c"",""lastActivityDateTime"":""2021-05-02T07:56:58.222Z"",""lastUpdateDateTime"":""2021-05-02T14:19:01.3266667Z"",""mitreTechniques"":[""T1564.001""],""providerAlertId"":""da637551227677560813_-961444813"",""recommendedActions"":""Collect artifacts and determine scope\\n�\\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \\n�\\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n�\\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\\n�\\tSubmit undetected files to the MMPC malware portal\\n\\nInitiate containment \\u0026 mitigation \\n�\\tContact the user to verify intent and initiate local remediation actions as needed.\\n�\\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\\n�\\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\\n�\\tIf credential theft is suspected, reset all relevant users passwords.\\n�\\tBlock communication with relevant URLs or IPs at the organization�s perimeter."",""resolvedDateTime"":null,""serviceSource"":""microsoftDefenderForEndpoint"",""severity"":""low"",""status"":""new"",""tenantId"":""b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c"",""threatDisplayName"":null,""threatFamilyName"":null,""title"":""Suspicious execution of hidden file""},""assignedTo"":""KaiC@contoso.onmicrosoft.com"",""classification"":""truePositive"",""comments"":[{""comment"":""Demo incident"",""createdBy"":""DavidS@contoso.onmicrosoft.com"",""createdTime"":""2021-09-30T12:07:37.2756993Z""}],""createdDateTime"":""2021-08-13T08:43:35.5533333Z"",""determination"":""multiStagedAttack"",""displayName"":""Multi-stage incident involving Initial access \\u0026 Command and control on multiple endpoints reported by multiple sources"",""id"":""2972395"",""incidentWebUrl"":""https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47"",""lastUpdateDateTime"":""2021-09-30T09:35:45.1133333Z"",""redirectIncidentId"":null,""severity"":""medium"",""status"":""active"",""tags"":[""Demo""],""tenantId"":""b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c""}', 'provider': 'microsoftDefenderForEndpoint', 'severity': 3, 'url': 'https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47'}, 'file': {'hash': {'sha1': ['5f1e8acedc065031aad553b710838eb366cfee9a'], 'sha256': ['8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec']}, 'name': ['MsSense.exe'], 'path': ['C:\\Program Files\\temp'], 'size': [6136392]}, 'host': {'id': ['73e7e2de709dff64ef64b1d0c30e67fab63279db'], 'os': {'name': ['Windows10'], 'version': ['Other']}}, 'input': {'type': 'httpjson'}, 'm365_defender': {'incident': {'alert': {'alert_web_url': {'domain': 'security.microsoft.com', 'original': 'https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c', 'path': '/alerts/da637551227677560813_-961444813', 'query': 'tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c', 'scheme': 'https'}, 'category': 'DefenseEvasion', 'classification': 'unknown', 'created_datetime': '2021-04-27T12:19:27.721Z', 'description': 'A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.', 'detection_source': 'antivirus', 'detector_id': 'e0da400f-affd-43ef-b1d5-afc2eb6f2756', 'determination': 'unknown', 'evidence': [{'created_datetime': '2021-04-27T12:19:27.721Z', 'defender_av_status': 'unknown', 'device_dns_name': 'tempDns', 'first_seen_datetime': '2020-09-12T07:28:32.432Z', 'health_status': 'active', 'mde_device_id': '73e7e2de709dff64ef64b1d0c30e67fab63279db', 'odata_type': '#microsoft.graph.security.deviceEvidence', 'onboarding_status': 'onboarded', 'os_build': '22424', 'os_platform': 'Windows10', 'rbac_group': {'id': '75', 'name': 'UnassignedGroup'}, 'remediation_status': 'none', 'risk_score': 'medium', 'roles': ['compromised'], 'tags': ['Test Machine'], 'verdict': 'unknown', 'version': 'Other', 'vm_metadata': {'cloud_provider': 'azure', 'resource_id': '/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests', 'subscription_id': '8700d3a3-3bb7-4fbe-a090-488a1ad04161', 'vm_id': 'ca1b0d41-5a3b-4d95-b48b-f220aed11d78'}}, {'created_datetime': '2021-04-27T12:19:27.721Z', 'detection_status': 'detected', 'file_details': {'name': 'MsSense.exe', 'path': 'C:\\Program Files\\temp', 'publisher': 'Microsoft Corporation', 'sha1': '5f1e8acedc065031aad553b710838eb366cfee9a', 'sha256': '8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec', 'size': 6136392}, 'mde_device_id': '73e7e2de709dff64ef64b1d0c30e67fab63279db', 'odata_type': '#microsoft.graph.security.fileEvidence', 'remediation_status': 'none', 'verdict': 'unknown'}, {'created_datetime': '2021-04-27T12:19:27.721Z', 'detection_status': 'detected', 'image_file': {'name': 'MsSense.exe', 'path': 'C:\\Program Files\\temp', 'publisher': 'Microsoft Corporation', 'sha1': '5f1e8acedc065031aad553b710838eb366cfee9a', 'sha256': '8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec', 'size': 6136392}, 'mde_device_id': '73e7e2de709dff64ef64b1d0c30e67fab63279db', 'odata_type': '#microsoft.graph.security.processEvidence', 'parent_process': {'creation_datetime': '2021-08-12T07:39:09.090Z', 'id': 668, 'image_file': {'name': 'services.exe', 'path': 'C:\\Windows\\System32', 'publisher': 'Microsoft Corporation', 'size': 731744}}, 'process': {'command_line': '""MsSense.exe""', 'creation_datetime': '2021-08-12T12:43:19.077Z', 'id': 4780}, 'remediation_status': 'none', 'user_account': {'account_name': 'SYSTEM', 'domain_name': 'NT AUTHORITY', 'user_sid': 'S-1-5-18'}, 'verdict': 'unknown'}, {'created_datetime': '2021-04-27T12:19:27.721Z', 'odata_type': '#microsoft.graph.security.registryKeyEvidence', 'registry_hive': 'HKEY_LOCAL_MACHINE', 'registry_key': 'SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER', 'remediation_status': 'none', 'verdict': 'unknown'}], 'first_activity_datetime': '2021-04-26T07:45:50.116Z', 'id': 'da637551227677560813_-961444813', 'incident_id': '28282', 'incident_web_url': {'domain': 'security.microsoft.com', 'original': 'https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c', 'path': '/incidents/28282', 'query': 'tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c', 'scheme': 'https'}, 'last_activity_datetime': '2021-05-02T07:56:58.222Z', 'last_update_datetime': '2021-05-02T14:19:01.326Z', 'mitre_techniques': ['T1564.001'], 'provider_alert_id': 'da637551227677560813_-961444813', 'recommended_actions': 'Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.', 'service_source': 'microsoftDefenderForEndpoint', 'severity': 'low', 'status': 'new', 'tenant_id': 'b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c', 'title': 'Suspicious execution of hidden file'}, 'assigned_to': 'KaiC@contoso.onmicrosoft.com', 'classification': 'truePositive', 'comments': [{'comment': 'Demo incident', 'createdBy': 'DavidS@contoso.onmicrosoft.com', 'createdTime': '2021-09-30T12:07:37.2756993Z'}], 'created_datetime': '2021-08-13T08:43:35.553Z', 'determination': 'multiStagedAttack', 'display_name': 'Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources', 'id': '2972395', 'last_update_datetime': '2021-09-30T09:35:45.113Z', 'odata_type': '#microsoft.graph.security.incident', 'severity': 'medium', 'status': 'active', 'tags': ['Demo'], 'tenant_id': 'b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c', 'web_url': {'domain': 'security.microsoft.com', 'original': 'https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47', 'path': '/incidents/2972395', 'query': 'tid=12f988bf-16f1-11af-11ab-1d7cd011db47', 'scheme': 'https'}}}, 'message': 'Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources', 'process': {'command_line': ['""MsSense.exe""'], 'hash': {'sha1': ['5f1e8acedc065031aad553b710838eb366cfee9a'], 'sha256': ['8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec']}, 'parent': {'pid': [668], 'start': ['2021-08-12T07:39:09.090Z']}, 'pid': [4780], 'start': ['2021-08-12T12:43:19.077Z'], 'user': {'name': ['SYSTEM']}}, 'registry': {'hive': ['HKEY_LOCAL_MACHINE'], 'key': ['SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER']}, 'related': {'hash': ['5f1e8acedc065031aad553b710838eb366cfee9a', '8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec'], 'hosts': ['tempDns', 'NT AUTHORITY'], 'user': ['KaiC@contoso.onmicrosoft.com', 'DavidS@contoso.onmicrosoft.com', 'SYSTEM', 'S-1-5-18']}, 'source': {'user': {'name': 'KaiC@contoso.onmicrosoft.com'}}, 'tags': ['preserve_original_event', 'preserve_duplicate_custom_fields', 'forwarded', 'm365_defender-incident'], 'threat': {'tactic': {'name': ['DefenseEvasion']}, 'technique': {'subtechnique': {'id': ['T1564.001']}}}}"
VMware Carbon Black Cloud,"https://docs.elastic.co/integrations/carbon_black_cloud
","{'@timestamp': '2022-02-10T16:04:30.263Z', 'agent': {'ephemeral_id': '6e44cfec-4990-4784-a5c5-5d5954dd12e3', 'id': 'd25950db-7f14-44a1-8b37-581c2fe716ba', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.1'}, 'carbon_black_cloud': {'audit': {'flagged': False, 'verbose': False}}, 'client': {'ip': '10.10.10.10', 'user': {'id': 'abc@demo.com'}}, 'data_stream': {'dataset': 'carbon_black_cloud.audit', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': 'd25950db-7f14-44a1-8b37-581c2fe716ba', 'snapshot': False, 'version': '8.4.1'}, 'event': {'agent_id_status': 'verified', 'created': '2022-11-16T09:32:58.943Z', 'dataset': 'carbon_black_cloud.audit', 'id': '2122f8ce8xxxxxxxxxxxxx', 'ingested': '2022-11-16T09:33:02Z', 'kind': 'event', 'original': '{""clientIp"":""10.10.10.10"",""description"":""Logged in successfully"",""eventId"":""2122f8ce8xxxxxxxxxxxxx"",""eventTime"":1644509070263,""flagged"":false,""loginName"":""abc@demo.com"",""orgName"":""cb-xxxx-xxxx.com"",""requestUrl"":null,""verbose"":false}', 'outcome': 'success', 'reason': 'Logged in successfully'}, 'input': {'type': 'httpjson'}, 'organization': {'name': 'cb-xxxx-xxxx.com'}, 'related': {'ip': ['10.10.10.10']}, 'tags': ['preserve_original_event', 'forwarded', 'carbon_black_cloud-audit']}"
Platform Observability,"https://docs.elastic.co/integrations/platform_observability
","{'event': {'action': 'http_request', 'category': ['web'], 'outcome': 'unknown'}, 'http': {'request': {'method': 'get'}}, 'url': {'domain': 'localhost', 'path': '/internal/security/session', 'port': 5601, 'scheme': 'http'}, 'user': {'name': 'elastic', 'roles': ['superuser']}, 'kibana': {'space_id': 'default', 'session_id': 'ccZ0sbxrmmJwo+/y2Mn1tmGIrKOuZYaF8voUh0SkA/k='}, 'trace': {'id': '1c8c5808-d2d6-41fc-8cb7-998aa8996be9'}, 'ecs': {'version': '8.0.0'}, '@timestamp': '2022-06-29T12:05:03.742+00:00', 'message': 'User is requesting [/internal/security/session] endpoint', 'log': {'level': 'INFO', 'logger': 'plugins.security.audit.ecs'}, 'process': {'pid': 7}, 'transaction': {'id': 'f8863d86567119e6'}}"
Barracuda CloudGen Firewall Logs,"https://docs.elastic.co/integrations/barracuda_cloudgen_firewall
","{'@timestamp': '2020-11-24T15:02:21.000Z', 'agent': {'ephemeral_id': 'b620e757-d3b2-4b59-8c2b-cce4d2f17081', 'id': '70e82165-776e-4b35-98b8-b0c9491f4b6e', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.5.0'}, 'barracuda_cloudgen_firewall': {'log': {'app_rule': '<App>:ALL-APPS', 'fw_info': 2007}}, 'data_stream': {'dataset': 'barracuda_cloudgen_firewall.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'address': '67.43.156.78', 'as': {'number': 35908}, 'bytes': 561503, 'geo': {'continent_name': 'Asia', 'country_iso_code': 'BT', 'country_name': 'Bhutan', 'location': {'lat': 27.5, 'lon': 90.5}}, 'ip': '67.43.156.78', 'mac': '00-0C-29-00-D6-00', 'nat': {'ip': '67.43.156.100'}, 'packets': 439, 'port': 443}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '70e82165-776e-4b35-98b8-b0c9491f4b6e', 'snapshot': True, 'version': '8.5.0'}, 'event': {'action': 'End', 'agent_id_status': 'verified', 'category': ['network'], 'dataset': 'barracuda_cloudgen_firewall.log', 'duration': -153934592, 'ingested': '2022-09-21T13:30:52Z', 'kind': 'event', 'type': ['end']}, 'input': {'type': 'lumberjack'}, 'labels': {'origin_address': '172.20.0.4:34752'}, 'network': {'community_id': '1:HGU1tX9W2VUF5ND2ey3X6Niv/AQ=', 'iana_number': '6', 'transport': 'tcp', 'type': 'ipv4'}, 'observer': {'egress': {'interface': {'name': 'eth0'}}, 'hostname': 'cgf-scout-int', 'ingress': {'interface': {'name': 'eth0'}}, 'product': 'ngfw', 'serial_number': '4f94abdf7a8c465fa2cd76f680ecafd1', 'type': 'firewall', 'vendor': 'Barracuda'}, 'related': {'ip': ['10.17.35.171', '67.43.156.78']}, 'rule': {'name': 'BOX-LAN-2-INTERNET'}, 'source': {'address': '10.17.35.171', 'bytes': 7450, 'ip': '10.17.35.171', 'mac': '00-0C-29-9A-0A-78', 'nat': {'ip': '10.17.35.175'}, 'packets': 129, 'port': 40532}, 'tags': ['barracuda_cloudgen_firewall-log', 'forwarded']}"
Logstash,"https://docs.elastic.co/integrations/logstash
","{'agent': {'hostname': 'docker-fleet-agent', 'name': 'docker-fleet-agent', 'id': '0c223a58-fac1-457d-84d2-13b4cc188cd8', 'type': 'metricbeat', 'ephemeral_id': '14484f41-a26f-44c9-adf0-fc0f1495b4f3', 'version': '7.15.0'}, 'elastic_agent': {'id': '0c223a58-fac1-457d-84d2-13b4cc188cd8', 'version': '7.15.0', 'snapshot': True}, 'logstash': {'node': {'stats': {'events': {'filtered': 0, 'in': 0, 'out': 0}}}}, '@timestamp': '2021-09-02T17:29:14.596Z', 'ecs': {'version': '1.10.0'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'logstash.node_stats'}, 'service': {'hostname': '45943bf17069', 'address': 'http://logstash:9600/_node/stats', 'name': 'logstash', 'id': '8cfe1a39-ac50-439d-8bf2-93198aa26c0d', 'type': 'logstash', 'version': '8.0.0'}, 'host': {'hostname': 'docker-fleet-agent', 'os': {'kernel': '5.11.10-arch1-1', 'codename': 'Core', 'name': 'CentOS Linux', 'type': 'linux', 'family': 'redhat', 'version': '7 (Core)', 'platform': 'centos'}, 'containerized': True, 'ip': ['172.25.0.4'], 'name': 'docker-fleet-agent', 'id': '1292624d19b2cee1a317ad634c9a8358', 'mac': ['02:42:ac:19:00:04'], 'architecture': 'x86_64'}, 'metricset': {'period': 10000, 'name': 'node_stats'}, 'event': {'duration': 18621194, 'agent_id_status': 'verified', 'ingested': '2021-09-02T17:29:15.608149964Z', 'module': 'logstash', 'dataset': 'logstash.node_stats'}}"
Cyberark Privileged Threat Analytics,"https://docs.elastic.co/integrations/cyberark_pta
","{ ""cef"": { ""device"": { ""event_class_id"": ""1"", ""product"": ""PTA"", ""vendor"": ""CyberArk"", ""version"": ""12.6"" }, ""extensions"": { ""destinationAddress"": ""175.16.199.0"", ""destinationHostName"": ""dev1.domain.com"", ""destinationUserName"": ""andy@dev1.domain.com"", ""deviceCustomDate1"": ""2014-01-01T12:05:00.000Z"", ""deviceCustomDate1Label"": ""detectionDate"", ""deviceCustomString1"": ""None"", ""deviceCustomString1Label"": ""ExtraData"", ""deviceCustomString2"": ""52b06812ec3500ed864c461e"", ""deviceCustomString2Label"": ""EventID"", ""deviceCustomString3"": ""https://1.128.0.0/incidents/52b06812ec3500ed864c461e"", ""deviceCustomString3Label"": ""PTAlink"", ""deviceCustomString4"": ""https://myexternallink.com"", ""deviceCustomString4Label"": ""ExternalLink"", ""sourceAddress"": ""1.128.0.0"", ""sourceHostName"": ""prod1.domain.com"", ""sourceUserName"": ""mike2@prod1.domain.com"" }, ""name"": ""Suspected credentials theft"", ""severity"": ""8"", ""version"": ""0"" }, ""destination"": { ""domain"": ""dev1.domain.com"", ""ip"": ""175.16.199.0"", ""user"": { ""name"": ""andy@dev1.domain.com"" } }, ""ecs"": { ""version"": ""8.3.0"" }, ""event"": { ""code"": ""1"", ""created"": [ ""2014-01-01T12:05:00.000Z"" ], ""id"": [ ""52b06812ec3500ed864c461e"" ], ""ingested"": ""2022-07-28T14:05:49Z"", ""original"": ""CEF:0|CyberArk|PTA|12.6|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.128.0.0 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=175.16.199.0 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.128.0.0/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=https://myexternallink.com"", ""reference"": [ ""https://1.128.0.0/incidents/52b06812ec3500ed864c461e"" ], ""severity"": 8, ""url"": [ ""https://myexternallink.com"" ] }, ""message"": ""Suspected credentials theft"", ""observer"": { ""product"": ""PTA"", ""vendor"": ""CyberArk"", ""version"": ""12.6"" }, ""source"": { ""domain"": ""prod1.domain.com"", ""ip"": ""1.128.0.0"", ""user"": { ""name"": ""mike2@prod1.domain.com"" } }, ""tags"": [ ""cyberark_pta"", ""forwarded"" ] }"
WebSphere Application Server,"https://docs.elastic.co/integrations/websphere_application_server
","{'@timestamp': '2022-05-19T13:33:01.029Z', 'agent': {'ephemeral_id': '7fca7599-6641-4340-ab44-e026d1b4935a', 'id': 'a0386d69-0749-44b4-8487-9b92e66852a1', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.2.0'}, 'data_stream': {'dataset': 'websphere_application_server.jdbc', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': 'a0386d69-0749-44b4-8487-9b92e66852a1', 'snapshot': False, 'version': '8.2.0'}, 'event': {'agent_id_status': 'verified', 'category': 'web', 'dataset': 'websphere_application_server.jdbc', 'duration': 364066933, 'ingested': '2022-05-19T13:33:04Z', 'kind': 'metric', 'module': 'websphere_application_server', 'type': 'info'}, 'host': {'architecture': 'x86_64', 'containerized': True, 'hostname': 'docker-fleet-agent', 'ip': ['172.31.0.5'], 'mac': ['02:42:ac:1f:00:05'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '3.10.0-1160.45.1.el7.x86_64', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'metricset': {'name': 'collector', 'period': 60000}, 'server': {'address': 'elastic-package-service_websphere_application_server_1:9080'}, 'service': {'address': 'http://elastic-package-service_websphere_application_server_1:9080/metrics', 'type': 'prometheus'}, 'tags': ['forwarded', 'websphere_application_server-jdbc', 'prometheus'], 'websphere_application_server': {'jdbc': {'connection': {'allocated': 0, 'closed': 0, 'created': 0, 'free': 0, 'handles': 0, 'managed': 0, 'returned': 0, 'total': {'fault': 0, 'in_use': 0, 'seconds_in_use': 0, 'wait': 0, 'wait_seconds': 0}, 'waiting_threads': 0}, 'data_source': 'jms/built-in-jms-connectionfactory', 'percent_used': 0, 'pool_size': 0}}}"
Kibana,"https://docs.elastic.co/integrations/kibana
","{'agent': {'name': 'docker-fleet-agent', 'id': '44d99b67-3ac6-44a7-aa72-63367a8c2f8b', 'type': 'metricbeat', 'ephemeral_id': 'ab3cdd2a-3336-4682-a038-6844197893f4', 'version': '8.5.0'}, 'process': {'pid': 7}, '@timestamp': '2022-08-06T22:34:12.983Z', 'ecs': {'version': '8.0.0'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'kibana.stats'}, 'service': {'address': 'https://kibana:5601/api/stats?extended=true', 'id': '79307ef1-725a-4f29-992a-446bcbedf380', 'type': 'kibana', 'version': '8.5.0'}, 'elastic_agent': {'id': '44d99b67-3ac6-44a7-aa72-63367a8c2f8b', 'version': '8.5.0', 'snapshot': True}, 'host': {'hostname': 'docker-fleet-agent', 'os': {'kernel': '5.10.47-linuxkit', 'codename': 'focal', 'name': 'Ubuntu', 'type': 'linux', 'family': 'debian', 'version': '20.04.4 LTS (Focal Fossa)', 'platform': 'ubuntu'}, 'containerized': True, 'ip': ['172.21.0.7'], 'name': 'docker-fleet-agent', 'mac': ['02:42:ac:15:00:07'], 'architecture': 'x86_64'}, 'metricset': {'period': 10000, 'name': 'stats'}, 'event': {'duration': 22471757, 'agent_id_status': 'verified', 'ingested': '2022-08-06T22:34:13Z', 'module': 'kibana', 'dataset': 'kibana.stats'}, 'kibana': {'elasticsearch': {'cluster': {'id': 'wMZ6Mw1nR1ydMG25AiiOLw'}}, 'stats': {'request': {'total': 4, 'disconnects': 0}, 'process': {'memory': {'resident_set_size': {'bytes': 510763008}, 'heap': {'total': {'bytes': 354033664}, 'used': {'bytes': 280320136}, 'size_limit': {'bytes': 4345298944}}}, 'event_loop_delay': {'ms': 10.395972266666668}, 'uptime': {'ms': 64365}}, 'os': {'distroRelease': 'Ubuntu-20.04', 'distro': 'Ubuntu', 'memory': {'used_in_bytes': 4305055744, 'total_in_bytes': 35739144192, 'free_in_bytes': 31434088448}, 'load': {'5m': 0.66, '15m': 0.25, '1m': 1.66}, 'platformRelease': 'linux-5.10.47-linuxkit', 'platform': 'linux'}, 'name': 'kibana', 'host': {'name': '0.0.0.0'}, 'index': '.kibana', 'response_time': {'avg': {'ms': 8}, 'max': {'ms': 11}}, 'concurrent_connections': 10, 'snapshot': True, 'status': 'green'}}}"
Apache Spark,"https://docs.elastic.co/integrations/apache_spark
","{'@timestamp': '2022-04-11T09:45:08.887Z', 'agent': {'ephemeral_id': 'fd3ce7d1-e237-45c7-88f9-875edafec41e', 'id': 'e7990c69-6909-48d1-be06-89dbe36d302c', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.1.0'}, 'apache_spark': {'application': {'name': 'PythonWordCount.1649670292906', 'runtime': {'ms': 16007}}}, 'data_stream': {'dataset': 'apache_spark.application', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': 'e7990c69-6909-48d1-be06-89dbe36d302c', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'apache_spark.application', 'duration': 21401735, 'ingested': '2022-04-11T09:45:12Z', 'kind': 'metric', 'module': 'apache_spark', 'type': 'info'}, 'host': {'architecture': 'x86_64', 'containerized': True, 'hostname': 'docker-fleet-agent', 'ip': ['192.168.0.5'], 'mac': ['02:42:c0:a8:00:05'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.4.0-107-generic', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)'}}, 'metricset': {'name': 'jmx', 'period': 60000}, 'service': {'address': 'http://apache-spark-main:7777/jolokia/%3FignoreErrors=true&canonicalNaming=false', 'type': 'jolokia'}}"
Fortinet FortiClient Logs,"https://docs.elastic.co/integrations/fortinet_forticlient
","{'@timestamp': '2021-01-29T06:09:59.000Z', 'agent': {'ephemeral_id': 'e212d683-d4b4-42ac-ba98-c8414ff62188', 'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0'}, 'data_stream': {'dataset': 'fortinet_forticlient.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'ip': ['10.102.123.34'], 'port': 3994}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'snapshot': True, 'version': '8.0.0'}, 'event': {'action': 'deny', 'agent_id_status': 'verified', 'code': 'http', 'dataset': 'fortinet_forticlient.log', 'ingested': '2022-01-25T12:25:45Z', 'original': 'January 29 06:09:59 boNemoe4402.www.invalid proto=udp service=http status=deny src=10.150.92.220 dst=10.102.123.34 src_port=7178 dst_port=3994 server_app=reeufugi pid=7880 app_name=enderitq traff_direct=external block_count=5286 logon_user=sumdo@litesse6379.api.domain msg=failure\n', 'outcome': 'failure', 'timezone': '+00:00'}, 'host': {'name': 'boNemoe4402.www.invalid'}, 'input': {'type': 'udp'}, 'log': {'source': {'address': '172.30.0.4:54478'}}, 'network': {'direction': 'external', 'protocol': 'udp'}, 'observer': {'product': 'FortiClient', 'type': 'Anti-Virus', 'vendor': 'Fortinet'}, 'process': {'pid': 7880}, 'related': {'hosts': ['litesse6379.api.domain', 'boNemoe4402.www.invalid'], 'ip': ['10.150.92.220', '10.102.123.34'], 'user': ['sumdo']}, 'rsa': {'counters': {'dclass_c1': 5286, 'dclass_c1_str': 'block_count'}, 'internal': {'messageid': 'http'}, 'investigations': {'ec_outcome': 'Failure', 'ec_subject': 'NetworkComm', 'ec_theme': 'ALM'}, 'misc': {'action': ['deny'], 'result': 'failure\n'}, 'network': {'alias_host': ['boNemoe4402.www.invalid'], 'domain': 'litesse6379.api.domain', 'network_service': 'http'}, 'time': {'event_time': '2021-01-29T06:09:59.000Z'}}, 'server': {'domain': 'litesse6379.api.domain', 'registered_domain': 'api.domain', 'subdomain': 'litesse6379', 'top_level_domain': 'domain'}, 'source': {'ip': ['10.150.92.220'], 'port': 7178}, 'tags': ['preserve_original_event', 'fortinet-clientendpoint', 'forwarded'], 'user': {'name': 'sumdo'}}"
Anomali,"https://docs.elastic.co/integrations/ti_anomali
","{'@timestamp': '2022-08-01T15:43:02.944Z', 'agent': {'ephemeral_id': '633e6483-2625-491c-9640-b4e480191a49', 'id': '83b444a9-8a29-4729-964a-a91e7b770094', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.3.2'}, 'anomali': {'threatstream': {'classification': 'public', 'confidence': 20, 'detail2': 'imported by user 184', 'id': '3135167627', 'import_session_id': '1400', 'itype': 'mal_domain', 'resource_uri': '/api/v1/intelligence/P46279656657/', 'severity': 'high', 'source_feed_id': '3143', 'state': 'active', 'trusted_circle_ids': ['122'], 'update_id': '3786618776', 'value_type': 'domain'}}, 'data_stream': {'dataset': 'ti_anomali.threatstream', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '83b444a9-8a29-4729-964a-a91e7b770094', 'snapshot': False, 'version': '8.3.2'}, 'event': {'agent_id_status': 'verified', 'category': 'threat', 'dataset': 'ti_anomali.threatstream', 'ingested': '2022-08-01T15:43:03Z', 'kind': 'enrichment', 'original': '{""classification"":""public"",""confidence"":20,""country"":""FR"",""date_first"":""2020-10-08T12:21:50"",""date_last"":""2020-10-08T12:24:42"",""detail2"":""imported by user 184"",""domain"":""d4xgfj.example.net"",""id"":3135167627,""import_session_id"":1400,""itype"":""mal_domain"",""lat"":-49.1,""lon"":94.4,""org"":""OVH Hosting"",""resource_uri"":""/api/v1/intelligence/P46279656657/"",""severity"":""high"",""source"":""Default Organization"",""source_feed_id"":3143,""srcip"":""89.160.20.156"",""state"":""active"",""trusted_circle_ids"":""122"",""update_id"":3786618776,""value_type"":""domain""}', 'severity': 7, 'type': 'indicator'}, 'input': {'type': 'http_endpoint'}, 'tags': ['preserve_original_event', 'forwarded', 'anomali-threatstream'], 'threat': {'indicator': {'as': {'organization': {'name': 'OVH Hosting'}}, 'confidence': 'Low', 'first_seen': '2020-10-08T12:21:50.000Z', 'geo': {'country_iso_code': 'FR', 'location': {'lat': -49.1, 'lon': 94.4}}, 'ip': '89.160.20.156', 'last_seen': '2020-10-08T12:24:42.000Z', 'marking': {'tlp': ['WHITE']}, 'provider': 'Default Organization', 'type': 'domain-name', 'url': {'domain': 'd4xgfj.example.net'}}}}"
Jamf Compliance Reporter,"https://docs.elastic.co/integrations/jamf_compliance_reporter
","{'@timestamp': '2019-10-02T16:17:08.000Z', 'agent': {'ephemeral_id': 'd5ffc842-05cf-43da-96fe-905f95ab2e41', 'id': '4f9748a6-cc5b-4160-bfdb-b533f9ba576a', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'data_stream': {'dataset': 'jamf_compliance_reporter.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '4f9748a6-cc5b-4160-bfdb-b533f9ba576a', 'snapshot': False, 'version': '8.4.0'}, 'event': {'action': 'preference_list_event', 'agent_id_status': 'verified', 'category': ['process'], 'dataset': 'jamf_compliance_reporter.log', 'ingested': '2022-11-04T11:01:45Z', 'kind': 'event', 'type': ['info']}, 'host': {'hostname': 'macbook_pro', 'id': 'X03XX889XXX3', 'mac': ['38-F9-E8-15-5A-82'], 'os': {'type': 'macos', 'version': 'Version 10.14.6 (Build 18G95)'}}, 'input': {'type': 'tcp'}, 'jamf_compliance_reporter': {'log': {'dataset': 'event', 'event_attributes': {'audit_event': {'excluded_processes': ['/usr/bin/log', '/usr/sbin/syslogd'], 'excluded_users': ['_spotlight', '_windowserver']}, 'audit_event_log_verbose_messages': '1', 'audit_level': 3, 'file_event': {'exclusion_paths': ['/Users/.*/Library/.*'], 'inclusion_paths': ['/Users/.*'], 'use_fuzzy_match': 0}, 'file_license_info': {'license_expiration_date': '2020-01-01T00:00:00.000Z', 'license_key': '43cafc3da47e792939ea82c70...', 'license_type': 'Annual', 'license_version': '1'}, 'log': {'file': {'location': '/var/log/JamfComplianceReporter.log', 'max_number_backups': 10, 'max_size_mega_bytes': 10, 'ownership': 'root:wheel', 'permission': '640'}, 'remote_endpoint_enabled': 1, 'remote_endpoint_type': 'AWSKinesis', 'remote_endpoint_type_awskinesis': {'access_key_id': 'AKIAQFE...', 'region': 'us-east-1', 'secret_key': 'JAdcoRIo4zsPz...', 'stream_name': 'compliancereporter_testing'}}, 'unified_log_predicates': ['\'(subsystem == ""com.example.networkstatistics"")\'', '\'(subsystem == ""com.apple.CryptoTokenKit"" AND category == ""AHP"")\''], 'version': '3.1b43'}, 'event_score': 0, 'host_info': {'host': {'uuid': '3X6E4X3X-9285-4X7X-9X0X-X3X62XX379XX'}}}}, 'log': {'source': {'address': '192.168.224.7:58764'}}, 'related': {'hosts': ['macbook_pro'], 'user': ['dan@email.com']}, 'tags': ['forwarded', 'jamf_compliance_reporter-log'], 'user': {'email': 'dan@email.com'}}"
AlienVault OTX,"https://docs.elastic.co/integrations/ti_otx
","{'@timestamp': '2022-12-21T09:24:01.501Z', 'agent': {'ephemeral_id': '32ac7970-c892-46ef-baf2-d8a0ce377748', 'id': 'a7d83bcb-0b6d-41f4-8edf-aa29923f67ec', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.3.3'}, 'data_stream': {'dataset': 'ti_otx.threat', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': 'a7d83bcb-0b6d-41f4-8edf-aa29923f67ec', 'snapshot': False, 'version': '8.3.3'}, 'event': {'agent_id_status': 'verified', 'category': 'threat', 'created': '2022-12-21T09:24:01.501Z', 'dataset': 'ti_otx.threat', 'ingested': '2022-12-21T09:24:02Z', 'kind': 'enrichment', 'original': '{""count"":40359,""next"":""https://otx.alienvault.com/api/v1/indicators/export?types=domain%2CIPv4%2Chostname%2Curl%2CFileHash-SHA256\\u0026modified_since=2020-11-29T01%3A10%3A00+00%3A00\\u0026page=2"",""previous"":null,""results"":{""content"":"""",""description"":null,""id"":1251,""indicator"":""info.3000uc.com"",""title"":null,""type"":""hostname""}}', 'type': 'indicator'}, 'input': {'type': 'httpjson'}, 'otx': {}, 'tags': ['preserve_original_event', 'forwarded', 'otx-threat'], 'threat': {'indicator': {'type': 'domain-name', 'url': {'domain': 'info.3000uc.com'}}}}"
Infoblox BloxOne DDI,"https://docs.elastic.co/integrations/infoblox_bloxone_ddi
","{'@timestamp': '2022-07-11T11:51:15.417Z', 'agent': {'ephemeral_id': '2012f3f7-49dc-4448-bb3b-60ba7ba8a293', 'hostname': 'docker-fleet-agent', 'id': 'e0bb9c9c-c3ad-47d7-882c-5fff0f458160', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '7.17.0'}, 'client': {'user': {'id': 'abc3212abc'}}, 'data_stream': {'dataset': 'infoblox_bloxone_ddi.dhcp_lease', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': 'e0bb9c9c-c3ad-47d7-882c-5fff0f458160', 'snapshot': False, 'version': '7.17.0'}, 'event': {'agent_id_status': 'verified', 'category': ['network'], 'created': '2022-11-21T10:35:16.397Z', 'dataset': 'infoblox_bloxone_ddi.dhcp_lease', 'end': '2022-07-11T11:51:15.417Z', 'ingested': '2022-11-21T10:35:19Z', 'kind': 'event', 'original': '{""address"":""81.2.69.192"",""client_id"":""abc3212abc"",""ends"":""2022-07-11T11:51:15.417Z"",""fingerprint"":""ab3213cbabab/abc23bca"",""fingerprint_processed"":""12abca32bca32abcd"",""ha_group"":""abc321cdcbda321"",""hardware"":""00:00:5E:00:53:00"",""host"":""admin"",""hostname"":""Host1"",""iaid"":0,""last_updated"":""2022-07-11T11:51:15.417Z"",""options"":{""message"":""Hello""},""preferred_lifetime"":""2022-07-11T11:51:15.417Z"",""protocol"":""ip4"",""space"":""DHCP lease Space"",""starts"":""2022-07-14T11:51:15.417Z"",""state"":""used"",""type"":""DHCP lease Type""}', 'start': '2022-07-14T11:51:15.417Z', 'type': ['protocol']}, 'host': {'hostname': 'Host1', 'name': 'admin'}, 'infoblox_bloxone_ddi': {'dhcp_lease': {'address': '81.2.69.192', 'client_id': 'abc3212abc', 'ends': '2022-07-11T11:51:15.417Z', 'fingerprint': {'processed': '12abca32bca32abcd', 'value': 'ab3213cbabab/abc23bca'}, 'ha_group': 'abc321cdcbda321', 'hardware': '00-00-5E-00-53-00', 'host': 'admin', 'hostname': 'Host1', 'iaid': 0, 'last_updated': '2022-07-11T11:51:15.417Z', 'options': {'message': 'Hello'}, 'preferred_lifetime': '2022-07-11T11:51:15.417Z', 'protocol': 'ipv4', 'space': 'DHCP lease Space', 'starts': '2022-07-14T11:51:15.417Z', 'state': 'used', 'type': 'DHCP lease Type'}}, 'input': {'type': 'httpjson'}, 'network': {'type': 'ipv4'}, 'related': {'hosts': ['admin', 'Host1'], 'ip': ['81.2.69.192']}, 'tags': ['preserve_original_event', 'preserve_duplicate_custom_fields', 'forwarded', 'infoblox_bloxone_ddi-dhcp_lease']}"
F5 BIG-IP,"https://docs.elastic.co/integrations/f5_bigip
","{'@timestamp': '2018-11-19T22:34:40.000Z', 'agent': {'ephemeral_id': 'e53fc33d-3e0e-4f88-a338-d65c29e5d7de', 'hostname': 'docker-fleet-agent', 'id': '121c9eba-d12d-4405-9bf4-83bc92e8c764', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '7.17.0'}, 'client': {'ip': '81.2.69.142'}, 'data_stream': {'dataset': 'f5_bigip.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'ip': '81.2.69.142', 'port': 80}, 'ecs': {'version': '8.4.0'}, 'elastic_agent': {'id': '121c9eba-d12d-4405-9bf4-83bc92e8c764', 'snapshot': False, 'version': '7.17.0'}, 'event': {'agent_id_status': 'verified', 'category': ['network'], 'dataset': 'f5_bigip.log', 'ingested': '2022-10-21T06:12:02Z', 'kind': 'event', 'original': '{""application"":""app.app"",""attack_type"":""Detection Evasion"",""blocking_exception_reason"":""test"",""captcha_result"":""not_received"",""date_time"":""2018-11-19 22:34:40"",""dest_ip"":""81.2.69.142"",""dest_port"":""80"",""device_id"":""12bdca32"",""fragment"":""test_Fragment"",""geo_location"":""US"",""hostname"":""hostname"",""http_class_name"":""/Common/abc/test"",""ip_address_intelligence"":""host1"",""ip_client"":""81.2.69.142"",""management_ip_address"":""81.2.69.142"",""management_ip_address_2"":""81.2.69.144"",""method"":""GET"",""policy_apply_date"":""2018-11-19 22:17:57"",""policy_name"":""/Common/abc"",""protocol"":""HTTP"",""query_string"":""name=abc"",""request"":""GET /admin/."",""request_status"":""blocked"",""response_code"":""0"",""route_domain"":""example.com"",""session_id"":""abc123abcd"",""severity"":""Critical"",""sig_ids"":""abc12bcd"",""sig_names"":""Sig_Name"",""src_port"":""49804"",""staged_sig_ids"":""abc23121bc"",""staged_sig_names"":""test_name"",""staged_threat_campaign_names"":""test"",""sub_violations"":""Evasion technique detected:Directory traversals"",""support_id"":""123456789"",""telemetryEventCategory"":""ASM"",""tenant"":""Common"",""threat_campaign_names"":""threat"",""uri"":""/directory/file"",""username"":""test User"",""violation_rating"":""3"",""violations"":""Evasion technique detected"",""virus_name"":""test Virus"",""web_application_name"":""/Common/abc"",""websocket_direction"":""test"",""websocket_message_type"":""test"",""x_forwarded_for_header_value"":""81.2.69.144""}', 'type': ['info']}, 'f5_bigip': {'log': {'application': {'name': 'app.app'}, 'attack': {'type': 'Detection Evasion'}, 'blocking_exception_reason': 'test', 'captcha_result': 'not_received', 'client': {'ip': '81.2.69.142'}, 'date_time': '2018-11-19T22:34:40.000Z', 'dest': {'ip': '81.2.69.142', 'port': 80}, 'device': {'id': '12bdca32'}, 'fragment': 'test_Fragment', 'geo': {'location': 'US'}, 'hostname': 'hostname', 'http': {'class_name': '/Common/abc/test'}, 'ip_address_intelligence': 'host1', 'management': {'ip_address': '81.2.69.142', 'ip_address_2': '81.2.69.144'}, 'method': 'GET', 'policy': {'apply_date': '2018-11-19T22:17:57.000Z', 'name': '/Common/abc'}, 'protocol': 'HTTP', 'query': {'string': 'name=abc'}, 'request': {'detail': 'GET /admin/.', 'status': 'blocked'}, 'response': {'code': 0}, 'route_domain': 'example.com', 'session': {'id': 'abc123abcd'}, 'severity': {'name': 'Critical'}, 'sig': {'ids': 'abc12bcd', 'names': 'Sig_Name'}, 'src': {'port': 49804}, 'staged': {'sig': {'ids': 'abc23121bc', 'names': 'test_name'}, 'threat_campaign_names': 'test'}, 'sub_violations': 'Evasion technique detected:Directory traversals', 'support': {'id': '123456789'}, 'telemetry': {'event': {'category': 'ASM'}}, 'tenant': 'Common', 'threat_campaign_names': 'threat', 'uri': '/directory/file', 'username': 'test User', 'violation': {'rating': 3}, 'violations': 'Evasion technique detected', 'virus_name': 'test Virus', 'web_application_name': '/Common/abc', 'websocket': {'direction': 'test', 'message_type': 'test'}, 'x_forwarded_for_header_value': '81.2.69.144'}}, 'host': {'geo': {'country_iso_code': 'US'}, 'id': '12bdca32', 'name': 'hostname'}, 'http': {'request': {'method': 'GET'}}, 'input': {'type': 'http_endpoint'}, 'log': {'level': 'critical'}, 'network': {'application': 'app.app', 'protocol': 'http'}, 'related': {'hosts': ['hostname', '12bdca32', 'example.com'], 'ip': ['81.2.69.142', '81.2.69.144'], 'user': ['test User']}, 'source': {'port': 49804}, 'tags': ['preserve_original_event', 'preserve_duplicate_custom_fields', 'forwarded', 'f5_bigip-log'], 'user': {'name': 'test User'}}"
Atlassian Bitbucket,"https://docs.elastic.co/integrations/atlassian_bitbucket
","{'@timestamp': '2021-11-27T18:10:57.316Z', 'agent': {'ephemeral_id': 'c1c6859f-88f5-4ae8-ad40-5c0c9fe933d1', 'id': '82d0dfd8-3946-4ac0-a092-a9146a71e3f7', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0-beta1'}, 'bitbucket': {'audit': {'affected_objects': [{'id': '3', 'name': 'AT', 'type': 'PROJECT'}], 'extra_attributes': [{'name': 'target', 'nameI18nKey': 'bitbucket.audit.attribute.legacy.target', 'value': 'AT'}], 'method': 'Browser', 'type': {'action': 'Project created', 'actionI18nKey': 'bitbucket.service.project.audit.action.projectcreated', 'category': 'Projects', 'categoryI18nKey': 'bitbucket.service.audit.category.projects'}}}, 'data_stream': {'dataset': 'atlassian_bitbucket.audit', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '82d0dfd8-3946-4ac0-a092-a9146a71e3f7', 'snapshot': False, 'version': '8.0.0-beta1'}, 'event': {'action': 'bitbucket.service.project.audit.action.projectcreated', 'agent_id_status': 'verified', 'category': ['configuration'], 'created': '2021-12-24T00:39:23.076Z', 'dataset': 'atlassian_bitbucket.audit', 'ingested': '2021-12-24T00:39:24Z', 'kind': 'event', 'original': '{""affectedObjects"":[{""id"":""3"",""name"":""AT"",""type"":""PROJECT""}],""author"":{""avatarUri"":"""",""id"":""2"",""name"":""admin"",""type"":""NORMAL"",""uri"":""http://bitbucket.internal:7990/users/admin""},""changedValues"":[],""extraAttributes"":[{""name"":""target"",""nameI18nKey"":""bitbucket.audit.attribute.legacy.target"",""value"":""AT""}],""method"":""Browser"",""node"":""8767044c-1b98-4d64-82db-ef29af8c3792"",""source"":""10.100.100.2"",""system"":""http://bitbucket.internal:7990"",""timestamp"":""2021-11-27T18:10:57.316Z"",""type"":{""action"":""Project created"",""actionI18nKey"":""bitbucket.service.project.audit.action.projectcreated"",""category"":""Projects"",""categoryI18nKey"":""bitbucket.service.audit.category.projects""}}', 'type': ['creation']}, 'input': {'type': 'httpjson'}, 'related': {'hosts': ['bitbucket.internal'], 'ip': ['10.100.100.2'], 'user': ['admin']}, 'service': {'address': 'http://bitbucket.internal:7990'}, 'source': {'address': '10.100.100.2', 'ip': '10.100.100.2'}, 'tags': ['preserve_original_event', 'forwarded', 'bitbucket-audit'], 'user': {'id': '2', 'name': 'admin'}}"
Custom Journald logs,"https://docs.elastic.co/integrations/journald
","{'@timestamp': '2020-07-22T13:17:10.012Z', 'agent': {'ephemeral_id': '27e2a00a-dab2-4790-8d45-29ad272d0392', 'id': 'bef8099b-68f6-4621-8089-2229b35a669d', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.3.2'}, 'data_stream': {'dataset': 'journald.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.0.0'}, 'elastic_agent': {'id': 'bef8099b-68f6-4621-8089-2229b35a669d', 'snapshot': False, 'version': '8.3.2'}, 'event': {'agent_id_status': 'verified', 'code': 'ec387f577b844b8fa948f33cad9a75e6', 'created': '2022-08-18T18:14:11.588Z', 'dataset': 'journald.log', 'ingested': '2022-08-18T18:14:15Z', 'kind': 'event'}, 'host': {'hostname': 'sleipnir', 'id': '505afdafda3b4f33a63749ae39284742'}, 'input': {'type': 'journald'}, 'journald': {'custom': {'available': '0', 'available_pretty': '0B', 'current_use': '1023455232', 'current_use_pretty': '976.0M', 'disk_available': '6866636800', 'disk_available_pretty': '6.3G', 'disk_keep_free': '1466253312', 'disk_keep_free_pretty': '1.3G', 'journal_name': 'System journal', 'journal_path': '/var/log/journal/505afdafda3b4f33a63749ae39284742', 'limit': '977502208', 'limit_pretty': '932.2M', 'max_use': '977502208', 'max_use_pretty': '932.2M'}, 'gid': 0, 'host': {'boot_id': 'fa3c2e3080dc4cd5be5cb5a43e140d51'}, 'pid': 19317, 'process': {'capabilities': '25402800cf', 'command_line': '/lib/systemd/systemd-journald', 'executable': '/lib/systemd/systemd-journald', 'name': 'systemd-journal'}, 'uid': 0}, 'log': {'syslog': {'facility': {'code': 3}, 'identifier': 'systemd-journald', 'priority': 6}}, 'message': 'System journal (/var/log/journal/505afdafda3b4f33a63749ae39284742) is 976.0M, max 932.2M, 0B free.', 'process': {'args': ['/lib/systemd/systemd-journald'], 'args_count': 1, 'command_line': '/lib/systemd/systemd-journald', 'pid': 19317}, 'systemd': {'cgroup': '/system.slice/systemd-journald.service', 'invocation_id': '7c11cda63635437bafe21c92851618a8', 'slice': 'system.slice', 'transport': 'driver', 'unit': 'systemd-journald.service'}, 'tags': ['forwarded'], 'user': {'group': {'id': '0'}, 'id': '0'}}"
Spring Boot,"https://docs.elastic.co/integrations/spring_boot
","{'@timestamp': '2022-08-05T09:30:10.644Z', 'agent': {'ephemeral_id': '575ffec5-bd74-4689-8baa-8486735193f3', 'id': '3ab22ca1-4caf-465f-8789-2a45a81ed9b1', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'spring_boot.audit_events', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': '3ab22ca1-4caf-465f-8789-2a45a81ed9b1', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'category': 'web', 'created': '2022-08-05T09:30:10.644Z', 'dataset': 'spring_boot.audit_events', 'ingested': '2022-08-05T09:30:14Z', 'kind': 'event', 'module': 'spring_boot', 'type': 'info'}, 'host': {'architecture': 'x86_64', 'containerized': True, 'hostname': 'docker-fleet-agent', 'ip': ['192.168.112.5'], 'mac': ['02:42:c0:a8:70:05'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '3.10.0-1160.71.1.el7.x86_64', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'spring_boot': {'audit_events': {'data': {'remote_address': '192.168.144.2'}, 'principal': 'actuator', 'type': 'AUTHENTICATION_SUCCESS'}}, 'tags': ['spring_boot.audit_events.metrics']}"
Fortinet FortiManager Logs,"https://docs.elastic.co/integrations/fortinet_fortimanager
","{'@timestamp': '2016-01-29T06:09:59.000Z', 'agent': {'ephemeral_id': '607e3bda-a938-4637-8dd4-02613e9144ac', 'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0'}, 'data_stream': {'dataset': 'fortinet_fortimanager.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'bytes': 449, 'geo': {'country_name': 'sequa'}, 'ip': ['10.44.173.44'], 'nat': {'ip': '10.189.58.145', 'port': 5273}, 'port': 6125}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'snapshot': True, 'version': '8.0.0'}, 'event': {'action': 'allow', 'agent_id_status': 'verified', 'code': 'sse', 'dataset': 'fortinet_fortimanager.log', 'ingested': '2022-01-25T12:33:50Z', 'original': 'logver=iusm devname=""modtempo"" devid=""olab"" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n', 'timezone': '+00:00'}, 'input': {'type': 'udp'}, 'log': {'level': 'very-high', 'source': {'address': '172.30.0.4:60997'}}, 'network': {'bytes': 8329}, 'observer': {'egress': {'interface': {'name': 'enp0s3068'}}, 'ingress': {'interface': {'name': 'eth5722'}}, 'product': 'FortiManager', 'type': 'Configuration', 'vendor': 'Fortinet'}, 'related': {'hosts': ['modtempo'], 'ip': ['10.189.58.145', '10.20.234.169', '10.44.173.44']}, 'rsa': {'internal': {'messageid': 'generic_fortinetmgr_1'}, 'misc': {'action': ['allow'], 'category': 'der', 'context': 'abo', 'event_source': 'modtempo', 'event_type': 'exercita', 'hardware_id': 'olab', 'log_session_id': 'psa', 'policy_id': 'ntium', 'reference_id': 'sse', 'severity': 'very-high', 'vsys': 'nto'}, 'network': {'dinterface': 'enp0s3068', 'network_service': 'lupt', 'sinterface': 'eth5722'}, 'time': {'duration_time': 14.119, 'event_time': '2016-01-29T06:09:59.000Z', 'event_time_str': 'odoco'}, 'web': {'reputation_num': 13.8}}, 'source': {'bytes': 7880, 'geo': {'country_name': 'dolore'}, 'ip': ['10.20.234.169'], 'port': 1001}, 'tags': ['preserve_original_event', 'fortinet-fortimanager', 'forwarded']}"
Fortinet FortiMail Logs,"https://docs.elastic.co/integrations/fortinet_fortimail
","{'@timestamp': '2016-01-29T06:09:59.000Z', 'agent': {'ephemeral_id': '821504b9-6e80-4572-aae7-c5bb3cf38906', 'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0'}, 'data_stream': {'dataset': 'fortinet_fortimail.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'snapshot': True, 'version': '8.0.0'}, 'event': {'action': 'event', 'agent_id_status': 'verified', 'code': 'nes', 'dataset': 'fortinet_fortimail.log', 'ingested': '2022-01-25T12:29:32Z', 'original': 'date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=""boNemoe""\n', 'timezone': '+00:00'}, 'input': {'type': 'udp'}, 'log': {'level': 'high', 'source': {'address': '172.30.0.4:44540'}}, 'observer': {'product': 'FortiMail', 'type': 'Firewall', 'vendor': 'Fortinet'}, 'rsa': {'internal': {'event_desc': 'boNemoe', 'messageid': 'event_update'}, 'misc': {'category': 'update', 'event_type': 'event', 'hardware_id': 'pexe', 'msgIdPart1': 'event', 'msgIdPart2': 'update', 'reference_id': 'nes', 'reference_id1': 'eab', 'severity': 'high'}, 'time': {'event_time': '2016-01-29T06:09:59.000Z'}}, 'tags': ['preserve_original_event', 'fortinet-fortimail', 'forwarded']}"
Proofpoint TAP,"https://docs.elastic.co/integrations/proofpoint_tap
","{'@timestamp': '2022-03-30T10:11:12.000Z', 'agent': {'ephemeral_id': 'e1f6ec70-06b8-4d4b-829f-03000950c530', 'id': '19f05486-b68d-449a-9bdd-1493d2f3b55d', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'data_stream': {'dataset': 'proofpoint_tap.clicks_blocked', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'as': {'number': 29518, 'organization': {'name': 'Bredband2 AB'}}, 'geo': {'city_name': 'Linköping', 'continent_name': 'Europe', 'country_iso_code': 'SE', 'country_name': 'Sweden', 'location': {'lat': 58.4167, 'lon': 15.6167}, 'region_iso_code': 'SE-E', 'region_name': 'Östergötland County'}, 'ip': '89.160.20.112'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '19f05486-b68d-449a-9bdd-1493d2f3b55d', 'snapshot': False, 'version': '8.4.0'}, 'email': {'from': {'address': 'abc123@example.com'}, 'message_id': '12345678912345.12345.mail@example.com', 'to': {'address': '9c52aa64228824247c48df69b066e5a7@example.com'}}, 'event': {'agent_id_status': 'verified', 'category': ['email'], 'created': '2022-11-04T13:46:30.114Z', 'dataset': 'proofpoint_tap.clicks_blocked', 'id': 'a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx', 'ingested': '2022-11-04T13:46:33Z', 'kind': 'event', 'original': '{""GUID"":""ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx"",""campaignId"":""46x01x8x-x899-404x-xxx9-111xx393d1x7"",""classification"":""malware"",""clickIP"":""89.160.20.112"",""clickTime"":""2022-03-30T10:11:12.000Z"",""id"":""a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx"",""messageID"":""12345678912345.12345.mail@example.com"",""recipient"":""9c52aa64228824247c48df69b066e5a7@example.com"",""sender"":""abc123@example.com"",""senderIP"":""81.2.69.143"",""threatID"":""502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f"",""threatStatus"":""active"",""threatTime"":""2022-03-21T14:40:31.000Z"",""threatURL"":""https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f"",""url"":""https://www.example.com/abcdabcd123?query=0"",""userAgent"":""Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1""}', 'type': ['denied']}, 'input': {'type': 'httpjson'}, 'proofpoint_tap': {'clicks_blocked': {'campaign_id': '46x01x8x-x899-404x-xxx9-111xx393d1x7', 'classification': 'malware', 'threat': {'id': '502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f', 'status': 'active', 'time': '2022-03-21T14:40:31.000Z', 'url': 'https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f'}}, 'guid': 'ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx'}, 'related': {'ip': ['81.2.69.143', '89.160.20.112']}, 'source': {'ip': '81.2.69.143'}, 'tags': ['preserve_original_event', 'forwarded', 'proofpoint_tap-clicks_blocked'], 'url': {'domain': 'www.example.com', 'full': 'https://www.example.com/abcdabcd123?query=0', 'path': '/abcdabcd123', 'query': 'query=0', 'scheme': 'https'}, 'user_agent': {'device': {'name': 'iPhone'}, 'name': 'Google', 'original': 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1', 'os': {'full': 'iOS 14.6', 'name': 'iOS', 'version': '14.6'}, 'version': '199.0.427504638'}}"
AWS Fargate,"https://docs.elastic.co/integrations/awsfargate
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'awsfargate': {'task_stats': {'cluster_name': 'default', 'task_known_status': 'RUNNING', 'task_desired_status': 'RUNNING', 'cpu': {'core': None, 'kernel': {'norm': {'pct': 0}, 'pct': 0, 'ticks': 1520000000}, 'system': {'norm': {'pct': 1}, 'pct': 2, 'ticks': 1420180000000}, 'total': {'norm': {'pct': 0.2}, 'pct': 0.4}, 'user': {'norm': {'pct': 0}, 'pct': 0, 'ticks': 490000000}}, 'diskio': {'read': {'bytes': 3452928, 'ops': 118, 'queued': 0, 'rate': 0, 'service_time': 0, 'wait_time': 0}, 'reads': 0, 'summary': {'bytes': 3452928, 'ops': 118, 'queued': 0, 'rate': 0, 'service_time': 0, 'wait_time': 0}, 'total': 0, 'write': {'bytes': 0, 'ops': 0, 'queued': 0, 'rate': 0, 'service_time': 0, 'wait_time': 0}, 'writes': 0}, 'identifier': 'query-metadata/1234', 'memory': {'fail': {'count': 0}, 'limit': 0, 'rss': {'pct': 0.0010557805807105247, 'total': 4157440}, 'stats': {'active_anon': 4157440, 'active_file': 4497408, 'cache': 6000640, 'dirty': 16384, 'hierarchical_memory_limit': 2147483648, 'hierarchical_memsw_limit': 9223372036854772000, 'inactive_anon': 0, 'inactive_file': 1503232, 'mapped_file': 2183168, 'pgfault': 6668, 'pgmajfault': 52, 'pgpgin': 5925, 'pgpgout': 3445, 'rss': 4157440, 'rss_huge': 0, 'total_active_anon': 4157440, 'total_active_file': 4497408, 'total_cache': 600064, 'total_dirty': 16384, 'total_inactive_anon': 0, 'total_inactive_file': 4497408, 'total_mapped_file': 2183168, 'total_pgfault': 6668, 'total_pgmajfault': 52, 'total_pgpgin': 5925, 'total_pgpgout': 3445, 'total_rss': 4157440, 'total_rss_huge': 0, 'total_unevictable': 0, 'total_writeback': 0, 'unevictable': 0, 'writeback': 0}, 'usage': {'max': 15294464, 'pct': 0.003136136404770672, 'total': 12349440}}, 'network': {'eth0': {'inbound': {'bytes': 137315578, 'dropped': 0, 'errors': 0, 'packets': 94338}, 'outbound': {'bytes': 1086811, 'dropped': 0, 'errors': 0, 'packets': 25857}}}, 'task_name': 'query-metadata'}}, 'cloud': {'region': 'us-west-2'}, 'container': {'id': '1234', 'image': {'name': 'mreferre/eksutils'}, 'labels': {'com_amazonaws_ecs_cluster': 'arn:aws:ecs:us-west-2:111122223333:cluster/default', 'com_amazonaws_ecs_container-name': 'query-metadata', 'com_amazonaws_ecs_task-arn': 'arn:aws:ecs:us-west-2:111122223333:task/default/febee046097849aba589d4435207c04a', 'com_amazonaws_ecs_task-definition-family': 'query-metadata', 'com_amazonaws_ecs_task-definition-version': '7'}, 'name': 'query-metadata'}, 'service': {'type': 'awsfargate'}}"
Cisco ISE,"https://docs.elastic.co/integrations/cisco_ise
","{'@timestamp': '2020-02-21T19:13:08.328Z', 'agent': {'ephemeral_id': '88645c33-21f7-47a1-a1e6-b4a53f32ec43', 'id': '94011a8e-8b26-4bce-a627-d54316798b52', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cisco_ise': {'log': {'acct': {'request': {'flags': 'Stop'}}, 'acs': {'session': {'id': 'ldnnacpsn1/359344348/952729'}}, 'authen_method': 'TacacsPlus', 'avpair': {'priv_lvl': 15, 'start_time': '2020-03-26T01:17:12.000Z', 'task_id': '2962', 'timezone': 'GMT'}, 'category': {'name': 'CISE_TACACS_Accounting'}, 'cmdset': '[ CmdAV=show mac-address-table <cr> ]', 'config_version': {'id': 1829}, 'cpm': {'session': {'id': '81.2.69.144Accounting306034364'}}, 'device': {'type': ['Device Type#All Device Types#Routers', 'Device Type#All Device Types#Routers']}, 'ipsec': ['IPSEC#Is IPSEC Device', 'IPSEC#Is IPSEC Device'], 'location': ['Location#All Locations#EMEA', 'Location#All Locations#EMEA'], 'message': {'code': '3300', 'description': 'Tacacs-Accounting: TACACS+ Accounting with Command', 'id': '0000000001'}, 'model': {'name': 'Unknown'}, 'network': {'device': {'groups': ['Location#All Locations#EMEA', 'Device Type#All Device Types#Routers', 'IPSEC#Is IPSEC Device'], 'name': 'wlnwan1', 'profile': ['Cisco', 'Cisco']}}, 'port': 'tty10', 'privilege': {'level': 15}, 'request': {'latency': 1}, 'response': {'AcctReply-Status': 'Success'}, 'segment': {'number': 0, 'total': 4}, 'selected': {'access': {'service': 'Device Admin - TACACS'}}, 'service': {'argument': 'shell', 'name': 'Login'}, 'software': {'version': 'Unknown'}, 'step': ['13006', '15049', '15008', '15048', '13035'], 'type': 'Accounting'}}, 'client': {'ip': '81.2.69.144'}, 'data_stream': {'dataset': 'cisco_ise.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'ip': '81.2.69.144'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '94011a8e-8b26-4bce-a627-d54316798b52', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'tacacs-accounting', 'agent_id_status': 'verified', 'category': ['configuration'], 'dataset': 'cisco_ise.log', 'ingested': '2023-01-13T12:14:37Z', 'kind': 'event', 'sequence': 18415781, 'timezone': '+00:00', 'type': ['info']}, 'host': {'hostname': 'cisco-ise-host'}, 'input': {'type': 'udp'}, 'log': {'level': 'notice', 'source': {'address': '172.27.0.4:59237'}, 'syslog': {'priority': 182, 'severity': {'name': 'notice'}}}, 'message': '2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table <cr> ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }', 'related': {'hosts': ['cisco-ise-host'], 'ip': ['81.2.69.144'], 'user': ['psxvne']}, 'tags': ['forwarded', 'cisco_ise-log'], 'user': {'name': 'psxvne'}}"
Azure Application Insights Metrics Overview,"https://docs.elastic.co/integrations/azure_application_insights
","{'agent': {'hostname': 'docker-fleet-agent', 'name': 'docker-fleet-agent', 'id': 'd979a8cf-ddeb-458f-9019-389414e0ab47', 'ephemeral_id': '4162d5df-ab00-4c1b-b4f3-7db2e3b599d4', 'type': 'metricbeat', 'version': '7.15.0'}, 'elastic_agent': {'id': 'd979a8cf-ddeb-458f-9019-389414e0ab47', 'version': '7.15.0', 'snapshot': True}, 'cloud': {'provider': 'azure'}, '@timestamp': '2021-08-23T14:37:42.268Z', 'ecs': {'version': '1.12.0'}, 'service': {'type': 'azure'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'azure.app_insights'}, 'host': {'hostname': 'docker-fleet-agent', 'os': {'kernel': '4.19.128-microsoft-standard', 'codename': 'Core', 'name': 'CentOS Linux', 'family': 'redhat', 'type': 'linux', 'version': '7 (Core)', 'platform': 'centos'}, 'containerized': True, 'ip': ['192.168.96.7'], 'name': 'docker-fleet-agent', 'id': '1642d255f9a32fc6926cddf21bb0d5d3', 'mac': ['02:42:c0:a8:60:07'], 'architecture': 'x86_64'}, 'metricset': {'period': 300000, 'name': 'app_insights'}, 'event': {'duration': 503187300, 'agent_id_status': 'verified', 'ingested': '2021-08-23T14:37:41Z', 'module': 'azure', 'dataset': 'azure.app_insights'}, 'azure': {'app_insights': {'end_date': '2021-08-23T14:37:42.268Z', 'start_date': '2021-08-23T14:32:42.268Z'}, 'metrics': {'requests_count': {'sum': 4}}, 'application_id': '42cb59a9-d5be-400b-a5c4-69b0a0026ac6', 'dimensions': {'request_name': 'GET Home/Index', 'request_url_host': 'demoappobs.azurewebsites.net'}}}"
Cisco Secure Email Gateway,"https://docs.elastic.co/integrations/cisco_secure_email_gateway
","{'@timestamp': '2023-03-17T18:24:37.000Z', 'agent': {'ephemeral_id': '4e9fd9b0-5de2-40cd-83b6-9f71ce5aa238', 'id': 'ffb5b53a-4f77-4103-afe1-2d02bcc1a0cb', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cisco_secure_email_gateway': {'log': {'category': {'name': 'amp'}, 'message': ""File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec""}}, 'data_stream': {'dataset': 'cisco_secure_email_gateway.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': 'ffb5b53a-4f77-4103-afe1-2d02bcc1a0cb', 'snapshot': False, 'version': '8.6.0'}, 'email': {'attachments': {'file': {'name': 'mod-6.exe', 'size': 1673216}}, 'content_type': 'application/x-dosexec', 'message_id': '5'}, 'event': {'agent_id_status': 'verified', 'dataset': 'cisco_secure_email_gateway.log', 'ingested': '2023-01-31T06:32:29Z', 'kind': 'event'}, 'input': {'type': 'udp'}, 'log': {'level': 'info', 'source': {'address': '192.168.144.1:59695'}, 'syslog': {'priority': 166}}, 'tags': ['forwarded', 'cisco_secure_email_gateway-log']}"
Google Cloud Platform (GCP) Billing metrics,"https://docs.elastic.co/integrations/gcp/billing
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'cloud': {'account': {'id': '01475F-5B1080-1137E7'}, 'project': {'id': 'elastic-bi', 'name': 'elastic-containerlib-prod'}, 'provider': 'gcp'}, 'event': {'dataset': 'gcp.billing', 'duration': 115000, 'module': 'gcp'}, 'gcp': {'billing': {'billing_account_id': '01475F-5B1080-1137E7', 'cost_type': 'regular', 'invoice_month': '202106', 'project_id': 'containerlib-prod-12763', 'project_name': 'elastic-containerlib-prod', 'total': 4717.170681}}, 'metricset': {'name': 'billing', 'period': 10000}, 'service': {'type': 'gcp'}}"
Google Cloud Platform (GCP) Audit logs,"https://docs.elastic.co/integrations/gcp/audit
","{'@timestamp': '2019-12-19T00:44:25.051Z', 'agent': {'ephemeral_id': 'f4dde373-2ff7-464b-afdb-da94763f219b', 'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'client': {'user': {'email': 'xxx@xxx.xxx'}}, 'cloud': {'project': {'id': 'elastic-beats'}, 'provider': 'gcp'}, 'data_stream': {'dataset': 'gcp.audit', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'beta.compute.instances.aggregatedList', 'agent_id_status': 'verified', 'category': ['network', 'configuration'], 'created': '2023-01-13T14:59:20.459Z', 'dataset': 'gcp.audit', 'id': 'yonau2dg2zi', 'ingested': '2023-01-13T14:59:21Z', 'kind': 'event', 'outcome': 'success', 'provider': 'data_access', 'type': ['access', 'allowed']}, 'gcp': {'audit': {'authorization_info': [{'granted': True, 'permission': 'compute.instances.list', 'resource_attributes': {'name': 'projects/elastic-beats', 'service': 'resourcemanager', 'type': 'resourcemanager.projects'}}], 'num_response_items': 61, 'request': {'@type': 'type.googleapis.com/compute.instances.aggregatedList'}, 'resource_location': {'current_locations': ['global']}, 'resource_name': 'projects/elastic-beats/global/instances', 'response': {'@type': 'core.k8s.io/v1.Status', 'apiVersion': 'v1', 'details': {'group': 'batch', 'kind': 'jobs', 'name': 'gsuite-exporter-1589294700', 'uid': '2beff34a-945f-11ea-bacf-42010a80007f'}, 'kind': 'Status', 'status_value': 'Success'}, 'type': 'type.googleapis.com/google.cloud.audit.AuditLog'}}, 'input': {'type': 'gcp-pubsub'}, 'log': {'level': 'INFO', 'logger': 'projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access'}, 'service': {'name': 'compute.googleapis.com'}, 'source': {'ip': '192.168.1.1'}, 'tags': ['forwarded', 'gcp-audit'], 'user_agent': {'device': {'name': 'Mac'}, 'name': 'Firefox', 'original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'os': {'full': 'Mac OS X 10.15', 'name': 'Mac OS X', 'version': '10.15'}, 'version': '71.0.'}}"
Google Cloud Platform (GCP) Firewall logs,"https://docs.elastic.co/integrations/gcp/firewall
","{'@timestamp': '2019-10-30T13:52:42.191Z', 'agent': {'ephemeral_id': 'f4dde373-2ff7-464b-afdb-da94763f219b', 'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cloud': {'availability_zone': 'us-east1-b', 'project': {'id': 'test-beats'}, 'provider': 'gcp', 'region': 'us-east1'}, 'data_stream': {'dataset': 'gcp.firewall', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'address': '10.42.0.2', 'domain': 'test-windows', 'ip': '10.42.0.2', 'port': 3389}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'firewall-rule', 'agent_id_status': 'verified', 'category': 'network', 'created': '2023-01-13T15:01:23.807Z', 'dataset': 'gcp.firewall', 'id': '1f21ciqfpfssuo', 'ingested': '2023-01-13T15:01:24Z', 'kind': 'event', 'type': 'connection'}, 'gcp': {'destination': {'instance': {'project_id': 'test-beats', 'region': 'us-east1', 'zone': 'us-east1-b'}, 'vpc': {'project_id': 'test-beats', 'subnetwork_name': 'windows-isolated', 'vpc_name': 'windows-isolated'}}, 'firewall': {'rule_details': {'action': 'ALLOW', 'direction': 'INGRESS', 'ip_port_info': [{'ip_protocol': 'TCP', 'port_range': ['3389']}], 'priority': 1000, 'source_range': ['0.0.0.0/0'], 'target_tag': ['allow-rdp']}}}, 'input': {'type': 'gcp-pubsub'}, 'log': {'logger': 'projects/test-beats/logs/compute.googleapis.com%2Ffirewall'}, 'network': {'community_id': '1:OdLB9eXsBDLz8m97ao4LepX6q+4=', 'direction': 'inbound', 'iana_number': '6', 'name': 'windows-isolated', 'transport': 'tcp', 'type': 'ipv4'}, 'related': {'ip': ['192.168.2.126', '10.42.0.2']}, 'rule': {'name': 'network:windows-isolated/firewall:windows-isolated-allow-rdp'}, 'source': {'address': '192.168.2.126', 'geo': {'continent_name': 'Asia', 'country_name': 'omn'}, 'ip': '192.168.2.126', 'port': 64853}, 'tags': ['forwarded', 'gcp-firewall']}"
Amazon Redshift,"https://docs.elastic.co/integrations/aws/redshift
","{'@timestamp': '2022-06-27T11:58:00.000Z', 'agent': {'ephemeral_id': 'a94b780f-b5b5-49b1-88cd-b7a7835f2996', 'id': 'd745bccd-73a3-41b4-9fd0-4d9bac14f77b', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.2.0'}, 'aws': {'cloudwatch': {'namespace': 'AWS/Redshift'}, 'dimensions': {'ClusterIdentifier': 'test'}, 'redshift': {'metrics': {'CPUUtilization': {'avg': 2.43551912568288}, 'CommitQueueLength': {'avg': 0}, 'ConcurrencyScalingActiveClusters': {'avg': 0}, 'DatabaseConnections': {'avg': 0}, 'HealthStatus': {'avg': 1}, 'MaintenanceMode': {'avg': 0}, 'MaxConfiguredConcurrencyScalingClusters': {'avg': 1}, 'NetworkReceiveThroughput': {'avg': 2585.956001900078}, 'NetworkTransmitThroughput': {'avg': 23262.257531749852}, 'NumExceededSchemaQuotas': {'avg': 0}, 'PercentageDiskSpaceUsed': {'avg': 0.2197265625}, 'ReadIOPS': {'avg': 0}, 'ReadLatency': {'avg': 0}, 'ReadThroughput': {'avg': 0}, 'TotalTableCount': {'avg': 7}, 'WriteIOPS': {'avg': 0}, 'WriteLatency': {'avg': 0}, 'WriteThroughput': {'avg': 0}}}}, 'cloud': {'account': {'id': '627286350134', 'name': 'elastic-observability'}, 'provider': 'aws', 'region': 'us-east-1'}, 'data_stream': {'dataset': 'aws.redshift', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.0.0'}, 'elastic_agent': {'id': 'd745bccd-73a3-41b4-9fd0-4d9bac14f77b', 'snapshot': False, 'version': '8.2.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'aws.redshift', 'duration': 12571706173, 'ingested': '2022-06-27T12:13:13Z', 'module': 'aws'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'ip': ['192.168.112.7'], 'mac': ['02:42:c0:a8:70:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'metricset': {'name': 'cloudwatch', 'period': 300000}, 'service': {'type': 'aws'}}"
Google Cloud Platform (GCP) Compute metrics,"https://docs.elastic.co/integrations/gcp/compute
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'cloud': {'account': {'id': 'elastic-obs-integrations-dev', 'name': 'elastic-obs-integrations-dev'}, 'instance': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'machine': {'type': 'e2-medium'}, 'provider': 'gcp', 'availability_zone': 'us-central1-c', 'region': 'us-central1'}, 'event': {'dataset': 'gcp.compute', 'duration': 115000, 'module': 'gcp'}, 'gcp': {'compute': {'firewall': {'dropped': {'bytes': 421}, 'dropped_packets_count': {'value': 4}}, 'instance': {'cpu': {'reserved_cores': {'value': 1}, 'usage': {'pct': 0.07259952346383708}, 'usage_time': {'sec': 4.355971407830225}}, 'memory': {'balloon': {'ram_size': {'value': 4128378880}, 'ram_used': {'value': 2190848000}, 'swap_in': {'bytes': 0}, 'swap_out': {'bytes': 0}}}, 'uptime': {'sec': 60.00000000000091}}}, 'labels': {'user': {'goog-gke-node': ''}}}, 'host': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'metricset': {'name': 'compute', 'period': 10000}, 'service': {'type': 'gcp'}}"
Google Cloud Platform (GCP) Firestore metrics,"https://docs.elastic.co/integrations/gcp/firestore
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'cloud': {'account': {'id': 'elastic-obs-integrations-dev', 'name': 'elastic-obs-integrations-dev'}, 'instance': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'machine': {'type': 'e2-medium'}, 'provider': 'gcp', 'availability_zone': 'us-central1-c', 'region': 'us-central1'}, 'event': {'dataset': 'gcp.firestore', 'duration': 115000, 'module': 'gcp'}, 'gcp': {'firestore': {'document': {'delete': {'count': 3}, 'read': {'count': 10}, 'write': {'count': 1}}}, 'labels': {'user': {'goog-gke-node': ''}}}, 'host': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'metricset': {'name': 'firestore', 'period': 10000}, 'service': {'type': 'gcp'}}"
AWS Usage,"https://docs.elastic.co/integrations/aws/usage
","{'@timestamp': '2022-07-25T20:50:00.000Z', 'agent': {'name': 'docker-fleet-agent', 'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'type': 'metricbeat', 'ephemeral_id': '6bab70d4-84d9-411d-887c-f144d4244e78', 'version': '8.3.2'}, 'elastic_agent': {'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'version': '8.3.2', 'snapshot': False}, 'cloud': {'provider': 'aws', 'region': 'eu-north-1', 'account': {'name': 'elastic-beats', 'id': '428152502467'}}, 'ecs': {'version': '8.0.0'}, 'service': {'type': 'aws'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.usage'}, 'metricset': {'period': 60000, 'name': 'cloudwatch'}, 'aws': {'usage': {'metrics': {'CallCount': {'sum': 1}}}, 'cloudwatch': {'namespace': 'AWS/Usage'}, 'dimensions': {'Type': 'API', 'Resource': 'ListMetrics', 'Service': 'CloudWatch', 'Class': 'None'}}, 'event': {'duration': 1432082500, 'agent_id_status': 'verified', 'ingested': '2022-07-25T20:51:19Z', 'module': 'aws', 'dataset': 'aws.usage'}}"
AWS Route 53,"https://docs.elastic.co/integrations/aws/route53
","{'awscloudwatch': {'log_group': 'test', 'ingestion_time': '2021-12-06T02:18:20.000Z', 'log_stream': 'test'}, 'agent': {'name': 'docker-fleet-agent', 'id': 'c00f804f-7a02-441b-88f4-aeb9da6410d9', 'type': 'filebeat', 'ephemeral_id': '1cf87179-f6b3-44b0-a46f-3aa6bc0f995f', 'version': '8.0.0'}, 'elastic_agent': {'id': 'c00f804f-7a02-441b-88f4-aeb9da6410d9', 'version': '8.0.0', 'snapshot': True}, 'dns': {'response_code': 'NOERROR', 'question': {'registered_domain': 'example.com', 'top_level_domain': 'com', 'name': 'txt.example.com', 'subdomain': 'txt', 'type': 'TXT'}}, 'source': {'as': {'number': 721, 'organization': {'name': 'DoD Network Information Center'}}, 'address': '55.36.5.7', 'ip': '55.36.5.7'}, 'tags': ['preserve_original_event', 'forwarded', 'aws-route53-logs'], 'network': {'protocol': 'dns', 'transport': 'udp', 'type': 'ipv4', 'iana_number': '17'}, 'cloud': {'provider': 'aws', 'region': 'us-east-1'}, 'input': {'type': 'aws-cloudwatch'}, '@timestamp': '2017-12-13T08:16:05.744Z', 'ecs': {'version': '8.0.0'}, 'related': {'hosts': ['txt.example.com'], 'ip': ['55.36.5.7']}, 'data_stream': {'namespace': 'default', 'type': 'logs', 'dataset': 'aws.route53_public_logs'}, 'log.file.path': 'test/test', 'event': {'agent_id_status': 'verified', 'ingested': '2021-12-06T02:37:25Z', 'original': '1.0 2017-12-13T08:16:05.744Z Z123412341234 txt.example.com TXT NOERROR UDP JFK5 55.36.5.7 -', 'kind': 'event', 'id': '36545504503447201576705984279898091551471012413796646912', 'category': ['network'], 'type': ['protocol'], 'dataset': 'aws.route53_public_logs', 'outcome': 'success'}, 'aws': {'route53': {'hosted_zone_id': 'Z123412341234', 'edge_location': 'JFK5'}}}"
Google Cloud Platform (GCP) VPC Flow logs,"https://docs.elastic.co/integrations/gcp/vpcflow
","{'@timestamp': '2019-06-14T03:50:10.845Z', 'agent': {'ephemeral_id': 'f4dde373-2ff7-464b-afdb-da94763f219b', 'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cloud': {'provider': 'gcp'}, 'data_stream': {'dataset': 'gcp.vpcflow', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'address': '10.87.40.76', 'domain': 'kibana', 'ip': '10.87.40.76', 'port': 5601}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'snapshot': True, 'version': '8.6.0'}, 'event': {'agent_id_status': 'verified', 'category': 'network', 'created': '2023-01-13T15:03:19.118Z', 'dataset': 'gcp.vpcflow', 'end': '2019-06-14T03:40:37.048196137Z', 'id': 'ut8lbrffooxzf', 'ingested': '2023-01-13T15:03:20Z', 'kind': 'event', 'start': '2019-06-14T03:40:36.895188084Z', 'type': 'connection'}, 'gcp': {'destination': {'instance': {'project_id': 'my-sample-project', 'region': 'us-east1', 'zone': 'us-east1-b'}, 'vpc': {'project_id': 'my-sample-project', 'subnetwork_name': 'default', 'vpc_name': 'default'}}, 'vpcflow': {'reporter': 'DEST', 'rtt': {'ms': 36}}}, 'input': {'type': 'gcp-pubsub'}, 'log': {'logger': 'projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows'}, 'network': {'bytes': 1464, 'community_id': '1:++9/JiESSUdwTGGcxwXk4RA0lY8=', 'direction': 'inbound', 'iana_number': '6', 'packets': 7, 'transport': 'tcp', 'type': 'ipv4'}, 'related': {'ip': ['192.168.2.117', '10.87.40.76']}, 'source': {'address': '192.168.2.117', 'as': {'number': 15169}, 'bytes': 1464, 'geo': {'continent_name': 'America', 'country_name': 'usa'}, 'ip': '192.168.2.117', 'packets': 7, 'port': 50646}, 'tags': ['forwarded', 'gcp-vpcflow']}"
Amazon S3 Storage Lens,"https://docs.elastic.co/integrations/aws/s3_storage_lens
","{'@timestamp': '2021-11-07T20:38:00.000Z', 'ecs': {'version': '8.0.0'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.s3_storage_lens'}, 'service': {'type': 'aws'}, 'cloud': {'provider': 'aws', 'region': 'us-east-1', 'account': {'name': 'elastic-beats', 'id': '428152502467'}}, 'metricset': {'period': 86400000, 'name': 'cloudwatch'}, 'event': {'duration': 22973251900, 'agent_id_status': 'verified', 'ingested': '2021-11-08T20:38:37Z', 'module': 'aws', 'dataset': 'aws.s3_storage_lens'}, 'aws': {'s3_storage_lens': {'metrics': {'NonCurrentVersionStorageBytes': {'avg': 0}, 'DeleteMarkerObjectCount': {'avg': 0}, 'GetRequests': {'avg': 0}, 'SelectReturnedBytes': {'avg': 0}, 'ObjectCount': {'avg': 164195}, 'HeadRequests': {'avg': 0}, 'ListRequests': {'avg': 0}, 'DeleteRequests': {'avg': 0}, 'SelectRequests': {'avg': 0}, '5xxErrors': {'avg': 0}, 'BytesDownloaded': {'avg': 0}, 'BytesUploaded': {'avg': 82537}, 'CurrentVersionStorageBytes': {'avg': 154238334}, 'StorageBytes': {'avg': 154238334}, 'ObjectLockEnabledStorageBytes': {'avg': 0}, '4xxErrors': {'avg': 0}, 'PutRequests': {'avg': 145}, 'ObjectLockEnabledObjectCount': {'avg': 0}, 'EncryptedObjectCount': {'avg': 164191}, 'CurrentVersionObjectCount': {'avg': 164195}, 'IncompleteMultipartUploadObjectCount': {'avg': 0}, 'ReplicatedObjectCount': {'avg': 0}, 'AllRequests': {'avg': 145}, 'PostRequests': {'avg': 0}, 'IncompleteMultipartUploadStorageBytes': {'avg': 0}, 'NonCurrentVersionObjectCount': {'avg': 0}, 'ReplicatedStorageBytes': {'avg': 0}, 'EncryptedStorageBytes': {'avg': 154237917}, 'SelectScannedBytes': {'avg': 0}}}, 'cloudwatch': {'namespace': 'AWS/S3/Storage-Lens'}, 'dimensions': {'metrics_version': '1.0', 'storage_class': 'STANDARD', 'aws_region': 'eu-central-1', 'bucket_name': 'filebeat-aws-elb-test', 'aws_account_number': '428152502467', 'configuration_id': 'default-account-dashboard', 'record_type': 'BUCKET'}}}"
Amazon SQS,"https://docs.elastic.co/integrations/aws/sqs
","{'@timestamp': '2022-07-26T21:43:00.000Z', 'agent': {'name': 'docker-fleet-agent', 'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'type': 'metricbeat', 'ephemeral_id': 'cdaaaabb-be7e-432f-816b-bda019fd7c15', 'version': '8.3.2'}, 'elastic_agent': {'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'version': '8.3.2', 'snapshot': False}, 'cloud': {'provider': 'aws', 'region': 'eu-central-1', 'account': {'name': 'elastic-beats', 'id': '428152502467'}}, 'ecs': {'version': '8.0.0'}, 'service': {'type': 'aws'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.sqs'}, 'metricset': {'period': 300000, 'name': 'cloudwatch'}, 'aws': {'sqs': {'messages': {'visible': 1518.4, 'deleted': 0, 'not_visible': 0, 'delayed': 0, 'received': 0, 'sent': 0.16666666666666666}, 'empty_receives': 0, 'sent_message_size': {'bytes': 1002}, 'oldest_message_age': {'sec': 345605.6}, 'queue': {'name': 'filebeat-aws-elb-test'}}, 'cloudwatch': {'namespace': 'AWS/SQS'}, 'dimensions': {'QueueName': 'filebeat-aws-elb-test'}, 'tags': {'created-by': 'kaiyan'}}, 'event': {'duration': 11576777300, 'agent_id_status': 'verified', 'ingested': '2022-07-26T21:47:48Z', 'module': 'aws', 'dataset': 'aws.sqs'}}"
AWS Security Hub,"https://docs.elastic.co/integrations/aws/securityhub
","{'@timestamp': '2017-03-22T13:22:13.933Z', 'agent': {'ephemeral_id': '01f4fdba-8670-479d-b54f-7d39403bb723', 'id': 'eea1c0db-3657-4195-add3-da25a54834e7', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'aws': {'securityhub_findings': {'action': {'port_probe': {'blocked': False, 'details': [{'local': {'ip': {'address_v4': '1.128.0.0'}, 'port': {'name': 'HTTP', 'number': 80}}, 'remote_ip': {'city': {'name': 'Example City'}, 'country': {'name': 'Example Country'}, 'geolocation': {'latitude': 0, 'longitude': 0}, 'organization': {'asn': '64496', 'asn_organization': 'ExampleASO', 'internet_provider': 'ExampleOrg', 'internet_service_provider': 'ExampleISP'}}}]}}, 'aws_account_id': '111111111111', 'company': {'name': 'AWS'}, 'compliance': {'related_requirements': ['Req1', 'Req2'], 'status': 'PASSED', 'status_reasons': [{'description': 'CloudWatch alarms do not exist in the account', 'reason_code': 'CLOUDWATCH_ALARMS_NOT_PRESENT'}]}, 'confidence': 42, 'criticality': 99, 'description': 'The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.', 'first_observed_at': '2017-03-22T13:22:13.933Z', 'generator': {'id': 'acme-vuln-9ab348'}, 'last_observed_at': '2017-03-23T13:22:13.933Z', 'malware': [{'name': 'Stringler', 'path': '/usr/sbin/stringler', 'state': 'OBSERVED', 'type': 'COIN_MINER'}], 'network': {'open_port_range': {'begin': 443, 'end': 443}}, 'network_path': [{'component': {'id': 'abc-01a234bc56d8901ee', 'type': 'AWS::EC2::InternetGateway'}, 'egress': {'destination': {'address': ['1.128.0.0/24'], 'port_ranges': [{'begin': 443, 'end': 443}]}, 'protocol': 'TCP', 'source': {'address': ['175.16.199.1/24']}}, 'ingress': {'destination': {'address': ['175.16.199.1/24'], 'port_ranges': [{'begin': 443, 'end': 443}]}, 'protocol': 'TCP', 'source': {'address': ['175.16.199.1/24']}}}], 'note': {'text': ""Don't forget to check under the mat."", 'updated_at': '2018-08-31T00:15:09.000Z', 'updated_by': 'jsmith'}, 'patch_summary': {'failed': {'count': 0}, 'id': 'pb-123456789098', 'installed': {'count': 100, 'other': {'count': 1023}, 'pending_reboot': 0, 'rejected': {'count': 0}}, 'missing': {'count': 100}, 'operation': {'end_time': '2018-09-27T23:39:31.000Z', 'start_time': '2018-09-27T23:37:31.000Z', 'type': 'Install'}, 'reboot_option': 'RebootIfNeeded'}, 'product': {'arn': 'arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default', 'fields': {'Service_Name': 'cloudtrail.amazonaws.com', 'aws/inspector/AssessmentTargetName': 'My prod env', 'aws/inspector/AssessmentTemplateName': 'My daily CVE assessment', 'aws/inspector/RulesPackageName': 'Common Vulnerabilities and Exposures', 'generico/secure-pro/Count': '6'}, 'name': 'Security Hub'}, 'provider_fields': {'confidence': 42, 'criticality': 99, 'related_findings': [{'id': '123e4567-e89b-12d3-a456-426655440000', 'product': {'arn': 'arn:aws:securityhub:us-west-2::product/aws/guardduty'}}], 'severity': {'label': 'MEDIUM', 'original': 'MEDIUM'}, 'types': ['Software and Configuration Checks/Vulnerabilities/CVE']}, 'record_state': 'ACTIVE', 'region': 'us-east-1', 'related_findings': [{'id': '123e4567-e89b-12d3-a456-426655440000', 'product': {'arn': 'arn:aws:securityhub:us-west-2::product/aws/guardduty'}}, {'id': 'AcmeNerfHerder-111111111111-x189dx7824', 'product': {'arn': 'arn:aws:securityhub:us-west-2::product/aws/guardduty'}}], 'remediation': {'recommendation': {'text': 'Run sudo yum update and cross your fingers and toes.', 'url': 'http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html'}}, 'resources': [{'Details': {'IamInstanceProfileArn': 'arn:aws:iam::123456789012:role/IamInstanceProfileArn', 'ImageId': 'ami-79fd7eee', 'IpV4Addresses': ['175.16.199.1'], 'IpV6Addresses': ['2a02:cf40::'], 'KeyName': 'testkey', 'LaunchedAt': '2018-09-29T01:25:54Z', 'MetadataOptions': {'HttpEndpoint': 'enabled', 'HttpProtocolIpv6': 'enabled', 'HttpPutResponseHopLimit': 1, 'HttpTokens': 'optional', 'InstanceMetadataTags': 'disabled'}, 'NetworkInterfaces': [{'NetworkInterfaceId': 'eni-e5aa89a3'}], 'SubnetId': 'PublicSubnet', 'Type': 'i3.xlarge', 'VirtualizationType': 'hvm', 'VpcId': 'TestVPCIpv6'}, 'Id': 'i-cafebabe', 'Partition': 'aws', 'Region': 'us-west-2', 'Tags': {'billingCode': 'Lotus-1-2-3', 'needsPatching': 'true'}, 'Type': 'AwsEc2Instance'}], 'sample': True, 'schema': {'version': '2018-10-08'}, 'severity': {'label': 'CRITICAL', 'original': '8.3'}, 'source_url': 'http://threatintelweekly.org/backdoors/8888', 'threat_intel_indicators': [{'category': 'BACKDOOR', 'source': 'Threat Intel Weekly', 'source_url': 'http://threatintelweekly.org/backdoors/8888', 'value': '175.16.199.1'}], 'title': 'EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up', 'types': ['Software and Configuration Checks/Vulnerabilities/CVE'], 'updated_at': '2018-08-31T00:15:09.000Z', 'user_defined_fields': {'comeBackToLater': 'Check this again on Monday', 'reviewedByCio': 'true'}, 'verification_state': 'UNKNOWN', 'vulnerabilities': [{'cvss': [{'base_score': 4.7, 'base_vector': 'AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N', 'version': 'V3'}, {'base_score': 4.7, 'base_vector': 'AV:L/AC:M/Au:N/C:C/I:N/A:N', 'version': 'V2'}], 'related_vulnerabilities': ['CVE-2020-12345'], 'vendor': {'created_at': '2020-01-16T00:01:43.000Z', 'severity': 'Medium', 'updated_at': '2020-01-16T00:01:43.000Z', 'url': 'https://alas.aws.amazon.com/ALAS-2020-1337.html'}, 'vulnerable_packages': [{'architecture': 'x86_64', 'epoch': '1', 'name': 'openssl', 'release': '16.amzn2.0.3', 'version': '1.0.2k'}]}], 'workflow': {'state': 'NEW', 'status': 'NEW'}}}, 'cloud': {'account': {'id': '111111111111'}}, 'data_stream': {'dataset': 'aws.securityhub_findings', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'domain': 'example2.com', 'ip': ['1.128.0.0', '2a02:cf40::'], 'port': 80}, 'ecs': {'version': '8.2.0'}, 'elastic_agent': {'id': 'eea1c0db-3657-4195-add3-da25a54834e7', 'snapshot': True, 'version': '8.4.0'}, 'event': {'action': 'port_probe', 'agent_id_status': 'verified', 'created': '2022-07-27T12:47:41.799Z', 'dataset': 'aws.securityhub_findings', 'id': 'us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef', 'ingested': '2022-07-27T12:47:45Z', 'kind': 'event', 'original': '{""Action"":{""ActionType"":""PORT_PROBE"",""PortProbeAction"":{""Blocked"":false,""PortProbeDetails"":[{""LocalIpDetails"":{""IpAddressV4"":""1.128.0.0""},""LocalPortDetails"":{""Port"":80,""PortName"":""HTTP""},""RemoteIpDetails"":{""City"":{""CityName"":""Example City""},""Country"":{""CountryName"":""Example Country""},""GeoLocation"":{""Lat"":0,""Lon"":0},""Organization"":{""Asn"":64496,""AsnOrg"":""ExampleASO"",""Isp"":""ExampleISP"",""Org"":""ExampleOrg""}}}]}},""AwsAccountId"":""111111111111"",""CompanyName"":""AWS"",""Compliance"":{""RelatedRequirements"":[""Req1"",""Req2""],""Status"":""PASSED"",""StatusReasons"":[{""Description"":""CloudWatch alarms do not exist in the account"",""ReasonCode"":""CLOUDWATCH_ALARMS_NOT_PRESENT""}]},""Confidence"":42,""CreatedAt"":""2017-03-22T13:22:13.933Z"",""Criticality"":99,""Description"":""The version of openssl found on instance i-abcd1234 is known to contain a vulnerability."",""FindingProviderFields"":{""Confidence"":42,""Criticality"":99,""RelatedFindings"":[{""Id"":""123e4567-e89b-12d3-a456-426655440000"",""ProductArn"":""arn:aws:securityhub:us-west-2::product/aws/guardduty""}],""Severity"":{""Label"":""MEDIUM"",""Original"":""MEDIUM""},""Types"":[""Software and Configuration Checks/Vulnerabilities/CVE""]},""FirstObservedAt"":""2017-03-22T13:22:13.933Z"",""GeneratorId"":""acme-vuln-9ab348"",""Id"":""us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef"",""LastObservedAt"":""2017-03-23T13:22:13.933Z"",""Malware"":[{""Name"":""Stringler"",""Path"":""/usr/sbin/stringler"",""State"":""OBSERVED"",""Type"":""COIN_MINER""}],""Network"":{""DestinationDomain"":""example2.com"",""DestinationIpV4"":""1.128.0.0"",""DestinationIpV6"":""2a02:cf40::"",""DestinationPort"":""80"",""Direction"":""IN"",""OpenPortRange"":{""Begin"":443,""End"":443},""Protocol"":""TCP"",""SourceDomain"":""example1.com"",""SourceIpV4"":""1.128.0.0"",""SourceIpV6"":""2a02:cf40::"",""SourceMac"":""00:0d:83:b1:c0:8e"",""SourcePort"":""42""},""NetworkPath"":[{""ComponentId"":""abc-01a234bc56d8901ee"",""ComponentType"":""AWS::EC2::InternetGateway"",""Egress"":{""Destination"":{""Address"":[""1.128.0.0/24""],""PortRanges"":[{""Begin"":443,""End"":443}]},""Protocol"":""TCP"",""Source"":{""Address"":[""175.16.199.1/24""]}},""Ingress"":{""Destination"":{""Address"":[""175.16.199.1/24""],""PortRanges"":[{""Begin"":443,""End"":443}]},""Protocol"":""TCP"",""Source"":{""Address"":[""175.16.199.1/24""]}}}],""Note"":{""Text"":""Don\'t forget to check under the mat."",""UpdatedAt"":""2018-08-31T00:15:09Z"",""UpdatedBy"":""jsmith""},""PatchSummary"":{""FailedCount"":""0"",""Id"":""pb-123456789098"",""InstalledCount"":""100"",""InstalledOtherCount"":""1023"",""InstalledPendingReboot"":""0"",""InstalledRejectedCount"":""0"",""MissingCount"":""100"",""Operation"":""Install"",""OperationEndTime"":""2018-09-27T23:39:31Z"",""OperationStartTime"":""2018-09-27T23:37:31Z"",""RebootOption"":""RebootIfNeeded""},""Process"":{""LaunchedAt"":""2018-09-27T22:37:31Z"",""Name"":""syslogd"",""ParentPid"":56789,""Path"":""/usr/sbin/syslogd"",""Pid"":12345,""TerminatedAt"":""2018-09-27T23:37:31Z""},""ProductArn"":""arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default"",""ProductFields"":{""Service_Name"":""cloudtrail.amazonaws.com"",""aws/inspector/AssessmentTargetName"":""My prod env"",""aws/inspector/AssessmentTemplateName"":""My daily CVE assessment"",""aws/inspector/RulesPackageName"":""Common Vulnerabilities and Exposures"",""generico/secure-pro/Count"":""6""},""ProductName"":""Security Hub"",""RecordState"":""ACTIVE"",""Region"":""us-east-1"",""RelatedFindings"":[{""Id"":""123e4567-e89b-12d3-a456-426655440000"",""ProductArn"":""arn:aws:securityhub:us-west-2::product/aws/guardduty""},{""Id"":""AcmeNerfHerder-111111111111-x189dx7824"",""ProductArn"":""arn:aws:securityhub:us-west-2::product/aws/guardduty""}],""Remediation"":{""Recommendation"":{""Text"":""Run sudo yum update and cross your fingers and toes."",""Url"":""http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html""}},""Resources"":[{""Details"":{""IamInstanceProfileArn"":""arn:aws:iam::123456789012:role/IamInstanceProfileArn"",""ImageId"":""ami-79fd7eee"",""IpV4Addresses"":[""175.16.199.1""],""IpV6Addresses"":[""2a02:cf40::""],""KeyName"":""testkey"",""LaunchedAt"":""2018-09-29T01:25:54Z"",""MetadataOptions"":{""HttpEndpoint"":""enabled"",""HttpProtocolIpv6"":""enabled"",""HttpPutResponseHopLimit"":1,""HttpTokens"":""optional"",""InstanceMetadataTags"":""disabled""},""NetworkInterfaces"":[{""NetworkInterfaceId"":""eni-e5aa89a3""}],""SubnetId"":""PublicSubnet"",""Type"":""i3.xlarge"",""VirtualizationType"":""hvm"",""VpcId"":""TestVPCIpv6""},""Id"":""i-cafebabe"",""Partition"":""aws"",""Region"":""us-west-2"",""Tags"":{""billingCode"":""Lotus-1-2-3"",""needsPatching"":""true""},""Type"":""AwsEc2Instance""}],""Sample"":true,""SchemaVersion"":""2018-10-08"",""Severity"":{""Label"":""CRITICAL"",""Original"":""8.3""},""SourceUrl"":""http://threatintelweekly.org/backdoors/8888"",""ThreatIntelIndicators"":[{""Category"":""BACKDOOR"",""LastObservedAt"":""2018-09-27T23:37:31Z"",""Source"":""Threat Intel Weekly"",""SourceUrl"":""http://threatintelweekly.org/backdoors/8888"",""Type"":""IPV4_ADDRESS"",""Value"":""175.16.199.1""}],""Threats"":[{""FilePaths"":[{""FileName"":""b.txt"",""FilePath"":""/tmp/b.txt"",""Hash"":""sha256"",""ResourceId"":""arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f""}],""ItemCount"":3,""Name"":""Iot.linux.mirai.vwisi"",""Severity"":""HIGH""}],""Title"":""EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up"",""Types"":[""Software and Configuration Checks/Vulnerabilities/CVE""],""UpdatedAt"":""2018-08-31T00:15:09Z"",""UserDefinedFields"":{""comeBackToLater"":""Check this again on Monday"",""reviewedByCio"":""true""},""VerificationState"":""UNKNOWN"",""Vulnerabilities"":[{""Cvss"":[{""BaseScore"":4.7,""BaseVector"":""AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"",""Version"":""V3""},{""BaseScore"":4.7,""BaseVector"":""AV:L/AC:M/Au:N/C:C/I:N/A:N"",""Version"":""V2""}],""Id"":""CVE-2020-12345"",""ReferenceUrls"":[""http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"",""http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563""],""RelatedVulnerabilities"":[""CVE-2020-12345""],""Vendor"":{""Name"":""Alas"",""Url"":""https://alas.aws.amazon.com/ALAS-2020-1337.html"",""VendorCreatedAt"":""2020-01-16T00:01:43Z"",""VendorSeverity"":""Medium"",""VendorUpdatedAt"":""2020-01-16T00:01:43Z""},""VulnerablePackages"":[{""Architecture"":""x86_64"",""Epoch"":""1"",""Name"":""openssl"",""Release"":""16.amzn2.0.3"",""Version"":""1.0.2k""}]}],""Workflow"":{""Status"":""NEW""},""WorkflowState"":""NEW""}', 'type': ['info']}, 'input': {'type': 'httpjson'}, 'network': {'direction': 'IN', 'protocol': 'tcp'}, 'organization': {'name': 'AWS'}, 'process': {'end': '2018-09-27T23:37:31.000Z', 'executable': '/usr/sbin/syslogd', 'name': 'syslogd', 'parent': {'pid': 56789}, 'pid': 12345, 'start': '2018-09-27T22:37:31.000Z'}, 'related': {'ip': ['1.128.0.0', '2a02:cf40::']}, 'source': {'domain': 'example1.com', 'ip': ['1.128.0.0', '2a02:cf40::'], 'mac': '00-0D-83-B1-C0-8E', 'port': 42}, 'tags': ['preserve_original_event', 'forwarded', 'aws_securityhub_findings'], 'threat': {'indicator': {'last_seen': '2018-09-27T23:37:31.000Z', 'type': 'IPV4_ADDRESS'}}, 'url': {'domain': 'threatintelweekly.org', 'full': 'http://threatintelweekly.org/backdoors/8888', 'original': 'http://threatintelweekly.org/backdoors/8888', 'path': '/backdoors/8888', 'scheme': 'http'}, 'vulnerability': {'id': 'CVE-2020-12345', 'reference': ['http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563'], 'scanner': {'vendor': 'Alas'}, 'score': {'base': 4.7, 'version': 'V2'}}}"
Amazon ECS,"https://docs.elastic.co/integrations/aws/ecs
","{'agent': {'name': '4b4f1fd6f3ff', 'id': '8c424f1d-e9b1-4aab-8ce5-77dceb4becfb', 'type': 'metricbeat', 'ephemeral_id': '0c23896b-0bfe-469f-bf76-7203a2d52568', 'version': '8.1.0'}, 'elastic_agent': {'id': '8c424f1d-e9b1-4aab-8ce5-77dceb4becfb', 'version': '8.1.0', 'snapshot': False}, 'cloud': {'provider': 'aws', 'region': 'eu-west-1', 'account': {'name': 'elastic-observability', 'id': '627286350134'}}, '@timestamp': '2022-07-26T08:59:00.000Z', 'ecs': {'version': '8.0.0'}, 'service': {'type': 'aws'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.ecs_metrics'}, 'host': {'hostname': '4b4f1fd6f3ff', 'os': {'kernel': '5.10.104-linuxkit', 'codename': 'focal', 'name': 'Ubuntu', 'family': 'debian', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)', 'platform': 'ubuntu'}, 'containerized': False, 'ip': ['172.19.0.4'], 'name': '4b4f1fd6f3ff', 'mac': ['02:42:ac:13:00:04'], 'architecture': 'aarch64'}, 'metricset': {'period': 300000, 'name': 'cloudwatch'}, 'aws': {'ecs': {'metrics': {'CPUUtilization': {'avg': 100.040084913373}, 'MemoryUtilization': {'avg': 9.195963541666666}}}, 'cloudwatch': {'namespace': 'AWS/ECS'}, 'dimensions': {'ServiceName': 'integration-service-1', 'ClusterName': 'integration-cluster-1'}}, 'event': {'duration': 1862196584, 'agent_id_status': 'verified', 'ingested': '2022-07-26T09:04:12Z', 'module': 'aws', 'dataset': 'aws.ecs_metrics'}}"
AWS Inspector,"https://docs.elastic.co/integrations/aws/inspector
","{'@timestamp': '2022-09-20T19:52:26.405Z', 'agent': {'ephemeral_id': 'd1032859-fd44-410c-9960-dde7dcbc3a2e', 'id': '4a3373c9-b63f-4544-a929-761b42f50054', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'aws': {'inspector': {'finding_arn': 'arn:aws:s3:::sample', 'first_observed_at': '2022-09-20T19:52:26.405Z', 'inspector_score': 1.2, 'inspector_score_details': {'adjusted_cvss': {'adjustments': [{'metric': 'Base', 'reason': 'use Base metric'}], 'cvss_source': 'scope1', 'score': {'source': 'scope2', 'value': 8.9}, 'scoring_vector': 'Attack Vector', 'version': 'v3.1'}}, 'last_observed_at': '2022-09-20T19:52:26.405Z', 'network_reachability_details': {'network_path': {'steps': [{'component': {'id': '02ce3860-3126-42af-8ac7-c2a661134129', 'type': 'type'}}]}, 'open_port_range': {'begin': 1234, 'end': 4567}}, 'package_vulnerability_details': {'cvss': [{'scoring_vector': 'Attack Vector', 'source': 'scope3'}], 'related_vulnerabilities': ['security'], 'source': {'url': {'domain': 'cve.mitre.org', 'extension': 'cgi', 'original': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', 'path': '/cgi-bin/cvename.cgi', 'query': 'name=CVE-2019-6111', 'scheme': 'https'}, 'value': 'example'}, 'vendor': {'created_at': '2022-09-20T19:52:26.405Z', 'updated_at': '2022-09-20T19:52:26.405Z'}, 'vulnerable_packages': [{'arch': 'arch', 'epoch': 123, 'file_path': '/example', 'fixed_inversion': '3', 'name': 'example', 'package_manager': 'BUNDLER', 'release': 'release', 'source_layer_hash': '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c', 'version': '2.0'}]}, 'remediation': {'recommendation': {'text': 'example', 'url': {'domain': 'cve.mitre.org', 'extension': 'cgi', 'original': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', 'path': '/cgi-bin/cvename.cgi', 'query': 'name=CVE-2019-6111', 'scheme': 'https'}}}, 'resources': [{'details': {'aws': {'ec2_instance': {'iam_instance_profile_arn': 'arn:aws:s3:::iam', 'image_id': '123456789', 'ipv4_addresses': ['89.160.20.128', '81.2.69.192'], 'ipv6_addresses': ['2a02:cf40::'], 'key_name': 'sample', 'launched_at': '2022-09-20T19:52:26.405Z', 'platform': 'EC2', 'subnet_id': '123456', 'type': 'Instance', 'vpc_id': '3265875'}, 'ecr_container_image': {'architecture': 'arch', 'author': 'example', 'image': {'hash': '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d', 'tags': ['sample']}, 'platform': 'ECR', 'pushed_at': '2022-09-20T19:52:26.405Z', 'registry': 'ecr registry', 'repository_name': 'sample'}}}, 'id': '12345678', 'partition': 'partition', 'tags': {'string1': 'string1', 'string2': 'string2'}, 'type': 'AWS_EC2_INSTANCE'}], 'severity': 'INFORMATIONAL', 'status': 'ACTIVE', 'title': 'sample findings', 'type': 'NETWORK_REACHABILITY'}}, 'cloud': {'account': {'id': '123456789'}, 'region': ['us-east-1']}, 'data_stream': {'dataset': 'aws.inspector', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.2.0'}, 'elastic_agent': {'id': '4a3373c9-b63f-4544-a929-761b42f50054', 'snapshot': False, 'version': '8.4.0'}, 'event': {'agent_id_status': 'verified', 'created': '2022-11-17T13:05:04.253Z', 'dataset': 'aws.inspector', 'ingested': '2022-11-17T13:05:07Z', 'kind': 'event', 'original': '{""awsAccountId"":""123456789"",""description"":""Findins message"",""findingArn"":""arn:aws:s3:::sample"",""firstObservedAt"":""1.663703546405E9"",""inspectorScore"":1.2,""inspectorScoreDetails"":{""adjustedCvss"":{""adjustments"":[{""metric"":""Base"",""reason"":""use Base metric""}],""cvssSource"":""scope1"",""score"":8.9,""scoreSource"":""scope2"",""scoringVector"":""Attack Vector"",""version"":""v3.1""}},""lastObservedAt"":""1.663703546405E9"",""networkReachabilityDetails"":{""networkPath"":{""steps"":[{""componentId"":""02ce3860-3126-42af-8ac7-c2a661134129"",""componentType"":""type""}]},""openPortRange"":{""begin"":1234,""end"":4567},""protocol"":""TCP""},""packageVulnerabilityDetails"":{""cvss"":[{""baseScore"":1.1,""scoringVector"":""Attack Vector"",""source"":""scope3"",""version"":""v3.1""}],""referenceUrls"":[""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111""],""relatedVulnerabilities"":[""security""],""source"":""example"",""sourceUrl"":""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"",""vendorCreatedAt"":""1.663703546405E9"",""vendorSeverity"":""basic"",""vendorUpdatedAt"":""1.663703546405E9"",""vulnerabilityId"":""123456789"",""vulnerablePackages"":[{""arch"":""arch"",""epoch"":123,""filePath"":""/example"",""fixedInVersion"":""3"",""name"":""example"",""packageManager"":""BUNDLER"",""release"":""release"",""sourceLayerHash"":""50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"",""version"":""2.0""}]},""remediation"":{""recommendation"":{""Url"":""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"",""text"":""example""}},""resources"":[{""details"":{""awsEc2Instance"":{""iamInstanceProfileArn"":""arn:aws:s3:::iam"",""imageId"":""123456789"",""ipV4Addresses"":[""89.160.20.128"",""81.2.69.192""],""ipV6Addresses"":[""2a02:cf40::""],""keyName"":""sample"",""launchedAt"":""1.663703546405E9"",""platform"":""EC2"",""subnetId"":""123456"",""type"":""Instance"",""vpcId"":""3265875""},""awsEcrContainerImage"":{""architecture"":""arch"",""author"":""example"",""imageHash"":""50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d"",""imageTags"":[""sample""],""platform"":""ECR"",""pushedAt"":""1.663703546405E9"",""registry"":""ecr registry"",""repositoryName"":""sample""}},""id"":""12345678"",""partition"":""partition"",""region"":""us-east-1"",""tags"":{""string1"":""string1"",""string2"":""string2""},""type"":""AWS_EC2_INSTANCE""}],""severity"":""INFORMATIONAL"",""status"":""ACTIVE"",""title"":""sample findings"",""type"":""NETWORK_REACHABILITY"",""updatedAt"":""1.663703546405E9""}', 'type': ['info']}, 'input': {'type': 'httpjson'}, 'message': 'Findins message', 'network': {'transport': 'tcp'}, 'related': {'hash': ['50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c', '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d'], 'ip': ['89.160.20.128', '81.2.69.192', '2a02:cf40::']}, 'tags': ['preserve_original_event', 'forwarded', 'aws-inspector'], 'vulnerability': {'id': '123456789', 'reference': ['https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111'], 'score': {'base': [1.1], 'version': ['v3.1']}, 'severity': 'basic'}}"
Kubernetes Audit Logs,"https://docs.elastic.co/integrations/kubernetes/audit-logs
","{'kubernetes': {'audit': {'auditID': 'bcacfeaa-5ab5-48de-8bac-3a87d1474b6a', 'requestReceivedTimestamp': '2022-08-31T08:09:39.660940Z', 'level': 'RequestResponse', 'kind': 'Event', 'verb': 'get', 'annotations': {'authorization_k8s_io/decision': 'allow', 'authorization_k8s_io/reason': 'RBAC: allowed by ClusterRoleBinding ""system:public-info-viewer"" of ClusterRole ""system:public-info-viewer"" to Group ""system:unauthenticated""'}, 'userAgent': 'kube-probe/1.24', 'requestURI': '/readyz', 'responseStatus': {'metadata': {}, 'code': 200}, 'stageTimestamp': '2022-08-31T08:09:39.662241Z', 'sourceIPs': ['172.18.0.2'], 'apiVersion': 'audit.k8s.io/v1', 'stage': 'ResponseComplete', 'user': {'groups': ['system:unauthenticated'], 'username': 'system:anonymous'}}}, 'input': {'type': 'filestream'}, 'agent': {'name': 'kind-control-plane', 'id': '6e730a0c-7da5-48ff-b4c9-f6c63844975d', 'type': 'filebeat', 'ephemeral_id': 'd27511c8-9cd1-402c-8b1b-234abbd9dcae', 'version': '8.4.0'}, '@timestamp': '2022-08-31T08:09:57.520Z', 'ecs': {'version': '8.0.0'}, 'log': {'file': {'path': '/var/log/kubernetes/kube-apiserver-audit-1.log'}, 'offset': 20995}, 'data_stream': {'namespace': 'default', 'type': 'logs', 'dataset': 'kubernetes.audit_logs'}, 'host': {'hostname': 'kind-control-plane', 'os': {'kernel': '5.10.104-linuxkit', 'codename': 'focal', 'name': 'Ubuntu', 'type': 'linux', 'family': 'debian', 'version': '20.04.4 LTS (Focal Fossa)', 'platform': 'ubuntu'}, 'containerized': False, 'ip': ['10.244.0.1', '10.244.0.1', '10.244.0.1', '172.30.0.3', '172.18.0.2', 'fc00:f853:ccd:e793::2', 'fe80::42:acff:fe12:2'], 'name': 'kind-control-plane', 'id': '5016511f0829451ea244f458eebf2212', 'mac': ['02:42:ac:12:00:02', '02:42:ac:1e:00:03', '3a:ba:49:df:78:35', '86:c7:fe:c8:fa:22', 'd6:48:c1:a2:a4:15'], 'architecture': 'x86_64'}, 'elastic_agent': {'id': '6e730a0c-7da5-48ff-b4c9-f6c63844975d', 'version': '8.4.0', 'snapshot': False}, 'event': {'agent_id_status': 'verified', 'ingested': '2022-08-31T08:09:58Z', 'dataset': 'kubernetes.audit_logs'}}"
Spring Boot,"https://docs.elastic.co/integrations/spring_boot
","{'@timestamp': '2022-08-05T09:30:10.644Z', 'agent': {'ephemeral_id': '575ffec5-bd74-4689-8baa-8486735193f3', 'id': '3ab22ca1-4caf-465f-8789-2a45a81ed9b1', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.1.0'}, 'data_stream': {'dataset': 'spring_boot.audit_events', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.5.1'}, 'elastic_agent': {'id': '3ab22ca1-4caf-465f-8789-2a45a81ed9b1', 'snapshot': False, 'version': '8.1.0'}, 'event': {'agent_id_status': 'verified', 'category': 'web', 'created': '2022-08-05T09:30:10.644Z', 'dataset': 'spring_boot.audit_events', 'ingested': '2022-08-05T09:30:14Z', 'kind': 'event', 'module': 'spring_boot', 'type': 'info'}, 'host': {'architecture': 'x86_64', 'containerized': True, 'hostname': 'docker-fleet-agent', 'ip': ['192.168.112.5'], 'mac': ['02:42:c0:a8:70:05'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '3.10.0-1160.71.1.el7.x86_64', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'spring_boot': {'audit_events': {'data': {'remote_address': '192.168.144.2'}, 'principal': 'actuator', 'type': 'AUTHENTICATION_SUCCESS'}}, 'tags': ['spring_boot.audit_events.metrics']}"
Fortinet FortiManager Logs,"https://docs.elastic.co/integrations/fortinet_fortimanager
","{'@timestamp': '2016-01-29T06:09:59.000Z', 'agent': {'ephemeral_id': '607e3bda-a938-4637-8dd4-02613e9144ac', 'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0'}, 'data_stream': {'dataset': 'fortinet_fortimanager.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'bytes': 449, 'geo': {'country_name': 'sequa'}, 'ip': ['10.44.173.44'], 'nat': {'ip': '10.189.58.145', 'port': 5273}, 'port': 6125}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'snapshot': True, 'version': '8.0.0'}, 'event': {'action': 'allow', 'agent_id_status': 'verified', 'code': 'sse', 'dataset': 'fortinet_fortimanager.log', 'ingested': '2022-01-25T12:33:50Z', 'original': 'logver=iusm devname=""modtempo"" devid=""olab"" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci\n', 'timezone': '+00:00'}, 'input': {'type': 'udp'}, 'log': {'level': 'very-high', 'source': {'address': '172.30.0.4:60997'}}, 'network': {'bytes': 8329}, 'observer': {'egress': {'interface': {'name': 'enp0s3068'}}, 'ingress': {'interface': {'name': 'eth5722'}}, 'product': 'FortiManager', 'type': 'Configuration', 'vendor': 'Fortinet'}, 'related': {'hosts': ['modtempo'], 'ip': ['10.189.58.145', '10.20.234.169', '10.44.173.44']}, 'rsa': {'internal': {'messageid': 'generic_fortinetmgr_1'}, 'misc': {'action': ['allow'], 'category': 'der', 'context': 'abo', 'event_source': 'modtempo', 'event_type': 'exercita', 'hardware_id': 'olab', 'log_session_id': 'psa', 'policy_id': 'ntium', 'reference_id': 'sse', 'severity': 'very-high', 'vsys': 'nto'}, 'network': {'dinterface': 'enp0s3068', 'network_service': 'lupt', 'sinterface': 'eth5722'}, 'time': {'duration_time': 14.119, 'event_time': '2016-01-29T06:09:59.000Z', 'event_time_str': 'odoco'}, 'web': {'reputation_num': 13.8}}, 'source': {'bytes': 7880, 'geo': {'country_name': 'dolore'}, 'ip': ['10.20.234.169'], 'port': 1001}, 'tags': ['preserve_original_event', 'fortinet-fortimanager', 'forwarded']}"
Fortinet FortiMail Logs,"https://docs.elastic.co/integrations/fortinet_fortimail
","{'@timestamp': '2016-01-29T06:09:59.000Z', 'agent': {'ephemeral_id': '821504b9-6e80-4572-aae7-c5bb3cf38906', 'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.0.0'}, 'data_stream': {'dataset': 'fortinet_fortimail.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '4e3f135a-d5f9-40b6-ae01-2c834ecbead0', 'snapshot': True, 'version': '8.0.0'}, 'event': {'action': 'event', 'agent_id_status': 'verified', 'code': 'nes', 'dataset': 'fortinet_fortimail.log', 'ingested': '2022-01-25T12:29:32Z', 'original': 'date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg=""boNemoe""\n', 'timezone': '+00:00'}, 'input': {'type': 'udp'}, 'log': {'level': 'high', 'source': {'address': '172.30.0.4:44540'}}, 'observer': {'product': 'FortiMail', 'type': 'Firewall', 'vendor': 'Fortinet'}, 'rsa': {'internal': {'event_desc': 'boNemoe', 'messageid': 'event_update'}, 'misc': {'category': 'update', 'event_type': 'event', 'hardware_id': 'pexe', 'msgIdPart1': 'event', 'msgIdPart2': 'update', 'reference_id': 'nes', 'reference_id1': 'eab', 'severity': 'high'}, 'time': {'event_time': '2016-01-29T06:09:59.000Z'}}, 'tags': ['preserve_original_event', 'fortinet-fortimail', 'forwarded']}"
Proofpoint TAP,"https://docs.elastic.co/integrations/proofpoint_tap
","{'@timestamp': '2022-03-30T10:11:12.000Z', 'agent': {'ephemeral_id': 'e1f6ec70-06b8-4d4b-829f-03000950c530', 'id': '19f05486-b68d-449a-9bdd-1493d2f3b55d', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'data_stream': {'dataset': 'proofpoint_tap.clicks_blocked', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'as': {'number': 29518, 'organization': {'name': 'Bredband2 AB'}}, 'geo': {'city_name': 'Linköping', 'continent_name': 'Europe', 'country_iso_code': 'SE', 'country_name': 'Sweden', 'location': {'lat': 58.4167, 'lon': 15.6167}, 'region_iso_code': 'SE-E', 'region_name': 'Östergötland County'}, 'ip': '89.160.20.112'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '19f05486-b68d-449a-9bdd-1493d2f3b55d', 'snapshot': False, 'version': '8.4.0'}, 'email': {'from': {'address': 'abc123@example.com'}, 'message_id': '12345678912345.12345.mail@example.com', 'to': {'address': '9c52aa64228824247c48df69b066e5a7@example.com'}}, 'event': {'agent_id_status': 'verified', 'category': ['email'], 'created': '2022-11-04T13:46:30.114Z', 'dataset': 'proofpoint_tap.clicks_blocked', 'id': 'a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx', 'ingested': '2022-11-04T13:46:33Z', 'kind': 'event', 'original': '{""GUID"":""ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx"",""campaignId"":""46x01x8x-x899-404x-xxx9-111xx393d1x7"",""classification"":""malware"",""clickIP"":""89.160.20.112"",""clickTime"":""2022-03-30T10:11:12.000Z"",""id"":""a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx"",""messageID"":""12345678912345.12345.mail@example.com"",""recipient"":""9c52aa64228824247c48df69b066e5a7@example.com"",""sender"":""abc123@example.com"",""senderIP"":""81.2.69.143"",""threatID"":""502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f"",""threatStatus"":""active"",""threatTime"":""2022-03-21T14:40:31.000Z"",""threatURL"":""https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f"",""url"":""https://www.example.com/abcdabcd123?query=0"",""userAgent"":""Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1""}', 'type': ['denied']}, 'input': {'type': 'httpjson'}, 'proofpoint_tap': {'clicks_blocked': {'campaign_id': '46x01x8x-x899-404x-xxx9-111xx393d1x7', 'classification': 'malware', 'threat': {'id': '502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f', 'status': 'active', 'time': '2022-03-21T14:40:31.000Z', 'url': 'https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f'}}, 'guid': 'ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx'}, 'related': {'ip': ['81.2.69.143', '89.160.20.112']}, 'source': {'ip': '81.2.69.143'}, 'tags': ['preserve_original_event', 'forwarded', 'proofpoint_tap-clicks_blocked'], 'url': {'domain': 'www.example.com', 'full': 'https://www.example.com/abcdabcd123?query=0', 'path': '/abcdabcd123', 'query': 'query=0', 'scheme': 'https'}, 'user_agent': {'device': {'name': 'iPhone'}, 'name': 'Google', 'original': 'Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1', 'os': {'full': 'iOS 14.6', 'name': 'iOS', 'version': '14.6'}, 'version': '199.0.427504638'}}"
AWS Fargate,"https://docs.elastic.co/integrations/awsfargate
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'awsfargate': {'task_stats': {'cluster_name': 'default', 'task_known_status': 'RUNNING', 'task_desired_status': 'RUNNING', 'cpu': {'core': None, 'kernel': {'norm': {'pct': 0}, 'pct': 0, 'ticks': 1520000000}, 'system': {'norm': {'pct': 1}, 'pct': 2, 'ticks': 1420180000000}, 'total': {'norm': {'pct': 0.2}, 'pct': 0.4}, 'user': {'norm': {'pct': 0}, 'pct': 0, 'ticks': 490000000}}, 'diskio': {'read': {'bytes': 3452928, 'ops': 118, 'queued': 0, 'rate': 0, 'service_time': 0, 'wait_time': 0}, 'reads': 0, 'summary': {'bytes': 3452928, 'ops': 118, 'queued': 0, 'rate': 0, 'service_time': 0, 'wait_time': 0}, 'total': 0, 'write': {'bytes': 0, 'ops': 0, 'queued': 0, 'rate': 0, 'service_time': 0, 'wait_time': 0}, 'writes': 0}, 'identifier': 'query-metadata/1234', 'memory': {'fail': {'count': 0}, 'limit': 0, 'rss': {'pct': 0.0010557805807105247, 'total': 4157440}, 'stats': {'active_anon': 4157440, 'active_file': 4497408, 'cache': 6000640, 'dirty': 16384, 'hierarchical_memory_limit': 2147483648, 'hierarchical_memsw_limit': 9223372036854772000, 'inactive_anon': 0, 'inactive_file': 1503232, 'mapped_file': 2183168, 'pgfault': 6668, 'pgmajfault': 52, 'pgpgin': 5925, 'pgpgout': 3445, 'rss': 4157440, 'rss_huge': 0, 'total_active_anon': 4157440, 'total_active_file': 4497408, 'total_cache': 600064, 'total_dirty': 16384, 'total_inactive_anon': 0, 'total_inactive_file': 4497408, 'total_mapped_file': 2183168, 'total_pgfault': 6668, 'total_pgmajfault': 52, 'total_pgpgin': 5925, 'total_pgpgout': 3445, 'total_rss': 4157440, 'total_rss_huge': 0, 'total_unevictable': 0, 'total_writeback': 0, 'unevictable': 0, 'writeback': 0}, 'usage': {'max': 15294464, 'pct': 0.003136136404770672, 'total': 12349440}}, 'network': {'eth0': {'inbound': {'bytes': 137315578, 'dropped': 0, 'errors': 0, 'packets': 94338}, 'outbound': {'bytes': 1086811, 'dropped': 0, 'errors': 0, 'packets': 25857}}}, 'task_name': 'query-metadata'}}, 'cloud': {'region': 'us-west-2'}, 'container': {'id': '1234', 'image': {'name': 'mreferre/eksutils'}, 'labels': {'com_amazonaws_ecs_cluster': 'arn:aws:ecs:us-west-2:111122223333:cluster/default', 'com_amazonaws_ecs_container-name': 'query-metadata', 'com_amazonaws_ecs_task-arn': 'arn:aws:ecs:us-west-2:111122223333:task/default/febee046097849aba589d4435207c04a', 'com_amazonaws_ecs_task-definition-family': 'query-metadata', 'com_amazonaws_ecs_task-definition-version': '7'}, 'name': 'query-metadata'}, 'service': {'type': 'awsfargate'}}"
Cisco ISE,"https://docs.elastic.co/integrations/cisco_ise
","{'@timestamp': '2020-02-21T19:13:08.328Z', 'agent': {'ephemeral_id': '88645c33-21f7-47a1-a1e6-b4a53f32ec43', 'id': '94011a8e-8b26-4bce-a627-d54316798b52', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cisco_ise': {'log': {'acct': {'request': {'flags': 'Stop'}}, 'acs': {'session': {'id': 'ldnnacpsn1/359344348/952729'}}, 'authen_method': 'TacacsPlus', 'avpair': {'priv_lvl': 15, 'start_time': '2020-03-26T01:17:12.000Z', 'task_id': '2962', 'timezone': 'GMT'}, 'category': {'name': 'CISE_TACACS_Accounting'}, 'cmdset': '[ CmdAV=show mac-address-table <cr> ]', 'config_version': {'id': 1829}, 'cpm': {'session': {'id': '81.2.69.144Accounting306034364'}}, 'device': {'type': ['Device Type#All Device Types#Routers', 'Device Type#All Device Types#Routers']}, 'ipsec': ['IPSEC#Is IPSEC Device', 'IPSEC#Is IPSEC Device'], 'location': ['Location#All Locations#EMEA', 'Location#All Locations#EMEA'], 'message': {'code': '3300', 'description': 'Tacacs-Accounting: TACACS+ Accounting with Command', 'id': '0000000001'}, 'model': {'name': 'Unknown'}, 'network': {'device': {'groups': ['Location#All Locations#EMEA', 'Device Type#All Device Types#Routers', 'IPSEC#Is IPSEC Device'], 'name': 'wlnwan1', 'profile': ['Cisco', 'Cisco']}}, 'port': 'tty10', 'privilege': {'level': 15}, 'request': {'latency': 1}, 'response': {'AcctReply-Status': 'Success'}, 'segment': {'number': 0, 'total': 4}, 'selected': {'access': {'service': 'Device Admin - TACACS'}}, 'service': {'argument': 'shell', 'name': 'Login'}, 'software': {'version': 'Unknown'}, 'step': ['13006', '15049', '15008', '15048', '13035'], 'type': 'Accounting'}}, 'client': {'ip': '81.2.69.144'}, 'data_stream': {'dataset': 'cisco_ise.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'ip': '81.2.69.144'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '94011a8e-8b26-4bce-a627-d54316798b52', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'tacacs-accounting', 'agent_id_status': 'verified', 'category': ['configuration'], 'dataset': 'cisco_ise.log', 'ingested': '2023-01-13T12:14:37Z', 'kind': 'event', 'sequence': 18415781, 'timezone': '+00:00', 'type': ['info']}, 'host': {'hostname': 'cisco-ise-host'}, 'input': {'type': 'udp'}, 'log': {'level': 'notice', 'source': {'address': '172.27.0.4:59237'}, 'syslog': {'priority': 182, 'severity': {'name': 'notice'}}}, 'message': '2020-02-21 19:13:08.328 +00:00 0018415781 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=1829, Device IP Address=81.2.69.144, CmdSet=[ CmdAV=show mac-address-table <cr> ], RequestLatency=1, NetworkDeviceName=wlnwan1, Type=Accounting, Privilege-Level=15, Service=Login, User=psxvne, Port=tty10, Remote-Address=81.2.69.144, Authen-Method=TacacsPlus, AVPair=task_id=2962, AVPair=timezone=GMT, AVPair=start_time=1585185432, AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=ldnnacpsn1/359344348/952729, SelectedAccessService=Device Admin - TACACS, Step=13006, Step=15049, Step=15008, Step=15048, Step=13035, NetworkDeviceGroups=Location#All Locations#EMEA, NetworkDeviceGroups=Device Type#All Device Types#Routers, NetworkDeviceGroups=IPSEC#Is IPSEC Device, CPMSessionID=81.2.69.144Accounting306034364, Model Name=Unknown, Software Version=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }, Network Device Profile=Cisco, Location=Location#All Locations#EMEA, Device Type=Device Type#All Device Types#Routers, IPSEC=IPSEC#Is IPSEC Device, Response={AcctReply-Status=Success; }', 'related': {'hosts': ['cisco-ise-host'], 'ip': ['81.2.69.144'], 'user': ['psxvne']}, 'tags': ['forwarded', 'cisco_ise-log'], 'user': {'name': 'psxvne'}}"
Azure Application Insights Metrics Overview,"https://docs.elastic.co/integrations/azure_application_insights
","{'agent': {'hostname': 'docker-fleet-agent', 'name': 'docker-fleet-agent', 'id': 'd979a8cf-ddeb-458f-9019-389414e0ab47', 'ephemeral_id': '4162d5df-ab00-4c1b-b4f3-7db2e3b599d4', 'type': 'metricbeat', 'version': '7.15.0'}, 'elastic_agent': {'id': 'd979a8cf-ddeb-458f-9019-389414e0ab47', 'version': '7.15.0', 'snapshot': True}, 'cloud': {'provider': 'azure'}, '@timestamp': '2021-08-23T14:37:42.268Z', 'ecs': {'version': '1.12.0'}, 'service': {'type': 'azure'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'azure.app_insights'}, 'host': {'hostname': 'docker-fleet-agent', 'os': {'kernel': '4.19.128-microsoft-standard', 'codename': 'Core', 'name': 'CentOS Linux', 'family': 'redhat', 'type': 'linux', 'version': '7 (Core)', 'platform': 'centos'}, 'containerized': True, 'ip': ['192.168.96.7'], 'name': 'docker-fleet-agent', 'id': '1642d255f9a32fc6926cddf21bb0d5d3', 'mac': ['02:42:c0:a8:60:07'], 'architecture': 'x86_64'}, 'metricset': {'period': 300000, 'name': 'app_insights'}, 'event': {'duration': 503187300, 'agent_id_status': 'verified', 'ingested': '2021-08-23T14:37:41Z', 'module': 'azure', 'dataset': 'azure.app_insights'}, 'azure': {'app_insights': {'end_date': '2021-08-23T14:37:42.268Z', 'start_date': '2021-08-23T14:32:42.268Z'}, 'metrics': {'requests_count': {'sum': 4}}, 'application_id': '42cb59a9-d5be-400b-a5c4-69b0a0026ac6', 'dimensions': {'request_name': 'GET Home/Index', 'request_url_host': 'demoappobs.azurewebsites.net'}}}"
Cisco Secure Email Gateway,"https://docs.elastic.co/integrations/cisco_secure_email_gateway
","{'@timestamp': '2023-03-17T18:24:37.000Z', 'agent': {'ephemeral_id': '4e9fd9b0-5de2-40cd-83b6-9f71ce5aa238', 'id': 'ffb5b53a-4f77-4103-afe1-2d02bcc1a0cb', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cisco_secure_email_gateway': {'log': {'category': {'name': 'amp'}, 'message': ""File reputation query initiating. File Name = 'mod-6.exe', MID = 5, File Size = 1673216 bytes, File Type = application/x-dosexec""}}, 'data_stream': {'dataset': 'cisco_secure_email_gateway.log', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': 'ffb5b53a-4f77-4103-afe1-2d02bcc1a0cb', 'snapshot': False, 'version': '8.6.0'}, 'email': {'attachments': {'file': {'name': 'mod-6.exe', 'size': 1673216}}, 'content_type': 'application/x-dosexec', 'message_id': '5'}, 'event': {'agent_id_status': 'verified', 'dataset': 'cisco_secure_email_gateway.log', 'ingested': '2023-01-31T06:32:29Z', 'kind': 'event'}, 'input': {'type': 'udp'}, 'log': {'level': 'info', 'source': {'address': '192.168.144.1:59695'}, 'syslog': {'priority': 166}}, 'tags': ['forwarded', 'cisco_secure_email_gateway-log']}"
Google Cloud Platform (GCP) Billing metrics,"https://docs.elastic.co/integrations/gcp/billing
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'cloud': {'account': {'id': '01475F-5B1080-1137E7'}, 'project': {'id': 'elastic-bi', 'name': 'elastic-containerlib-prod'}, 'provider': 'gcp'}, 'event': {'dataset': 'gcp.billing', 'duration': 115000, 'module': 'gcp'}, 'gcp': {'billing': {'billing_account_id': '01475F-5B1080-1137E7', 'cost_type': 'regular', 'invoice_month': '202106', 'project_id': 'containerlib-prod-12763', 'project_name': 'elastic-containerlib-prod', 'total': 4717.170681}}, 'metricset': {'name': 'billing', 'period': 10000}, 'service': {'type': 'gcp'}}"
Google Cloud Platform (GCP) Audit logs,"https://docs.elastic.co/integrations/gcp/audit
","{'@timestamp': '2019-12-19T00:44:25.051Z', 'agent': {'ephemeral_id': 'f4dde373-2ff7-464b-afdb-da94763f219b', 'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'client': {'user': {'email': 'xxx@xxx.xxx'}}, 'cloud': {'project': {'id': 'elastic-beats'}, 'provider': 'gcp'}, 'data_stream': {'dataset': 'gcp.audit', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'beta.compute.instances.aggregatedList', 'agent_id_status': 'verified', 'category': ['network', 'configuration'], 'created': '2023-01-13T14:59:20.459Z', 'dataset': 'gcp.audit', 'id': 'yonau2dg2zi', 'ingested': '2023-01-13T14:59:21Z', 'kind': 'event', 'outcome': 'success', 'provider': 'data_access', 'type': ['access', 'allowed']}, 'gcp': {'audit': {'authorization_info': [{'granted': True, 'permission': 'compute.instances.list', 'resource_attributes': {'name': 'projects/elastic-beats', 'service': 'resourcemanager', 'type': 'resourcemanager.projects'}}], 'num_response_items': 61, 'request': {'@type': 'type.googleapis.com/compute.instances.aggregatedList'}, 'resource_location': {'current_locations': ['global']}, 'resource_name': 'projects/elastic-beats/global/instances', 'response': {'@type': 'core.k8s.io/v1.Status', 'apiVersion': 'v1', 'details': {'group': 'batch', 'kind': 'jobs', 'name': 'gsuite-exporter-1589294700', 'uid': '2beff34a-945f-11ea-bacf-42010a80007f'}, 'kind': 'Status', 'status_value': 'Success'}, 'type': 'type.googleapis.com/google.cloud.audit.AuditLog'}}, 'input': {'type': 'gcp-pubsub'}, 'log': {'level': 'INFO', 'logger': 'projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access'}, 'service': {'name': 'compute.googleapis.com'}, 'source': {'ip': '192.168.1.1'}, 'tags': ['forwarded', 'gcp-audit'], 'user_agent': {'device': {'name': 'Mac'}, 'name': 'Firefox', 'original': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)', 'os': {'full': 'Mac OS X 10.15', 'name': 'Mac OS X', 'version': '10.15'}, 'version': '71.0.'}}"
Google Cloud Platform (GCP) Firewall logs,"https://docs.elastic.co/integrations/gcp/firewall
","{'@timestamp': '2019-10-30T13:52:42.191Z', 'agent': {'ephemeral_id': 'f4dde373-2ff7-464b-afdb-da94763f219b', 'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cloud': {'availability_zone': 'us-east1-b', 'project': {'id': 'test-beats'}, 'provider': 'gcp', 'region': 'us-east1'}, 'data_stream': {'dataset': 'gcp.firewall', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'address': '10.42.0.2', 'domain': 'test-windows', 'ip': '10.42.0.2', 'port': 3389}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'snapshot': True, 'version': '8.6.0'}, 'event': {'action': 'firewall-rule', 'agent_id_status': 'verified', 'category': 'network', 'created': '2023-01-13T15:01:23.807Z', 'dataset': 'gcp.firewall', 'id': '1f21ciqfpfssuo', 'ingested': '2023-01-13T15:01:24Z', 'kind': 'event', 'type': 'connection'}, 'gcp': {'destination': {'instance': {'project_id': 'test-beats', 'region': 'us-east1', 'zone': 'us-east1-b'}, 'vpc': {'project_id': 'test-beats', 'subnetwork_name': 'windows-isolated', 'vpc_name': 'windows-isolated'}}, 'firewall': {'rule_details': {'action': 'ALLOW', 'direction': 'INGRESS', 'ip_port_info': [{'ip_protocol': 'TCP', 'port_range': ['3389']}], 'priority': 1000, 'source_range': ['0.0.0.0/0'], 'target_tag': ['allow-rdp']}}}, 'input': {'type': 'gcp-pubsub'}, 'log': {'logger': 'projects/test-beats/logs/compute.googleapis.com%2Ffirewall'}, 'network': {'community_id': '1:OdLB9eXsBDLz8m97ao4LepX6q+4=', 'direction': 'inbound', 'iana_number': '6', 'name': 'windows-isolated', 'transport': 'tcp', 'type': 'ipv4'}, 'related': {'ip': ['192.168.2.126', '10.42.0.2']}, 'rule': {'name': 'network:windows-isolated/firewall:windows-isolated-allow-rdp'}, 'source': {'address': '192.168.2.126', 'geo': {'continent_name': 'Asia', 'country_name': 'omn'}, 'ip': '192.168.2.126', 'port': 64853}, 'tags': ['forwarded', 'gcp-firewall']}"
Amazon Redshift,"https://docs.elastic.co/integrations/aws/redshift
","{'@timestamp': '2022-06-27T11:58:00.000Z', 'agent': {'ephemeral_id': 'a94b780f-b5b5-49b1-88cd-b7a7835f2996', 'id': 'd745bccd-73a3-41b4-9fd0-4d9bac14f77b', 'name': 'docker-fleet-agent', 'type': 'metricbeat', 'version': '8.2.0'}, 'aws': {'cloudwatch': {'namespace': 'AWS/Redshift'}, 'dimensions': {'ClusterIdentifier': 'test'}, 'redshift': {'metrics': {'CPUUtilization': {'avg': 2.43551912568288}, 'CommitQueueLength': {'avg': 0}, 'ConcurrencyScalingActiveClusters': {'avg': 0}, 'DatabaseConnections': {'avg': 0}, 'HealthStatus': {'avg': 1}, 'MaintenanceMode': {'avg': 0}, 'MaxConfiguredConcurrencyScalingClusters': {'avg': 1}, 'NetworkReceiveThroughput': {'avg': 2585.956001900078}, 'NetworkTransmitThroughput': {'avg': 23262.257531749852}, 'NumExceededSchemaQuotas': {'avg': 0}, 'PercentageDiskSpaceUsed': {'avg': 0.2197265625}, 'ReadIOPS': {'avg': 0}, 'ReadLatency': {'avg': 0}, 'ReadThroughput': {'avg': 0}, 'TotalTableCount': {'avg': 7}, 'WriteIOPS': {'avg': 0}, 'WriteLatency': {'avg': 0}, 'WriteThroughput': {'avg': 0}}}}, 'cloud': {'account': {'id': '627286350134', 'name': 'elastic-observability'}, 'provider': 'aws', 'region': 'us-east-1'}, 'data_stream': {'dataset': 'aws.redshift', 'namespace': 'ep', 'type': 'metrics'}, 'ecs': {'version': '8.0.0'}, 'elastic_agent': {'id': 'd745bccd-73a3-41b4-9fd0-4d9bac14f77b', 'snapshot': False, 'version': '8.2.0'}, 'event': {'agent_id_status': 'verified', 'dataset': 'aws.redshift', 'duration': 12571706173, 'ingested': '2022-06-27T12:13:13Z', 'module': 'aws'}, 'host': {'architecture': 'x86_64', 'containerized': False, 'hostname': 'docker-fleet-agent', 'ip': ['192.168.112.7'], 'mac': ['02:42:c0:a8:70:07'], 'name': 'docker-fleet-agent', 'os': {'codename': 'focal', 'family': 'debian', 'kernel': '5.10.104-linuxkit', 'name': 'Ubuntu', 'platform': 'ubuntu', 'type': 'linux', 'version': '20.04.4 LTS (Focal Fossa)'}}, 'metricset': {'name': 'cloudwatch', 'period': 300000}, 'service': {'type': 'aws'}}"
Google Cloud Platform (GCP) Compute metrics,"https://docs.elastic.co/integrations/gcp/compute
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'cloud': {'account': {'id': 'elastic-obs-integrations-dev', 'name': 'elastic-obs-integrations-dev'}, 'instance': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'machine': {'type': 'e2-medium'}, 'provider': 'gcp', 'availability_zone': 'us-central1-c', 'region': 'us-central1'}, 'event': {'dataset': 'gcp.compute', 'duration': 115000, 'module': 'gcp'}, 'gcp': {'compute': {'firewall': {'dropped': {'bytes': 421}, 'dropped_packets_count': {'value': 4}}, 'instance': {'cpu': {'reserved_cores': {'value': 1}, 'usage': {'pct': 0.07259952346383708}, 'usage_time': {'sec': 4.355971407830225}}, 'memory': {'balloon': {'ram_size': {'value': 4128378880}, 'ram_used': {'value': 2190848000}, 'swap_in': {'bytes': 0}, 'swap_out': {'bytes': 0}}}, 'uptime': {'sec': 60.00000000000091}}}, 'labels': {'user': {'goog-gke-node': ''}}}, 'host': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'metricset': {'name': 'compute', 'period': 10000}, 'service': {'type': 'gcp'}}"
Google Cloud Platform (GCP) Firestore metrics,"https://docs.elastic.co/integrations/gcp/firestore
","{'@timestamp': '2017-10-12T08:05:34.853Z', 'cloud': {'account': {'id': 'elastic-obs-integrations-dev', 'name': 'elastic-obs-integrations-dev'}, 'instance': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'machine': {'type': 'e2-medium'}, 'provider': 'gcp', 'availability_zone': 'us-central1-c', 'region': 'us-central1'}, 'event': {'dataset': 'gcp.firestore', 'duration': 115000, 'module': 'gcp'}, 'gcp': {'firestore': {'document': {'delete': {'count': 3}, 'read': {'count': 10}, 'write': {'count': 1}}}, 'labels': {'user': {'goog-gke-node': ''}}}, 'host': {'id': '4751091017865185079', 'name': 'gke-cluster-1-default-pool-6617a8aa-5clh'}, 'metricset': {'name': 'firestore', 'period': 10000}, 'service': {'type': 'gcp'}}"
AWS Usage,"https://docs.elastic.co/integrations/aws/usage
","{'@timestamp': '2022-07-25T20:50:00.000Z', 'agent': {'name': 'docker-fleet-agent', 'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'type': 'metricbeat', 'ephemeral_id': '6bab70d4-84d9-411d-887c-f144d4244e78', 'version': '8.3.2'}, 'elastic_agent': {'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'version': '8.3.2', 'snapshot': False}, 'cloud': {'provider': 'aws', 'region': 'eu-north-1', 'account': {'name': 'elastic-beats', 'id': '428152502467'}}, 'ecs': {'version': '8.0.0'}, 'service': {'type': 'aws'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.usage'}, 'metricset': {'period': 60000, 'name': 'cloudwatch'}, 'aws': {'usage': {'metrics': {'CallCount': {'sum': 1}}}, 'cloudwatch': {'namespace': 'AWS/Usage'}, 'dimensions': {'Type': 'API', 'Resource': 'ListMetrics', 'Service': 'CloudWatch', 'Class': 'None'}}, 'event': {'duration': 1432082500, 'agent_id_status': 'verified', 'ingested': '2022-07-25T20:51:19Z', 'module': 'aws', 'dataset': 'aws.usage'}}"
AWS Route 53,"https://docs.elastic.co/integrations/aws/route53
","{'awscloudwatch': {'log_group': 'test', 'ingestion_time': '2021-12-06T02:18:20.000Z', 'log_stream': 'test'}, 'agent': {'name': 'docker-fleet-agent', 'id': 'c00f804f-7a02-441b-88f4-aeb9da6410d9', 'type': 'filebeat', 'ephemeral_id': '1cf87179-f6b3-44b0-a46f-3aa6bc0f995f', 'version': '8.0.0'}, 'elastic_agent': {'id': 'c00f804f-7a02-441b-88f4-aeb9da6410d9', 'version': '8.0.0', 'snapshot': True}, 'dns': {'response_code': 'NOERROR', 'question': {'registered_domain': 'example.com', 'top_level_domain': 'com', 'name': 'txt.example.com', 'subdomain': 'txt', 'type': 'TXT'}}, 'source': {'as': {'number': 721, 'organization': {'name': 'DoD Network Information Center'}}, 'address': '55.36.5.7', 'ip': '55.36.5.7'}, 'tags': ['preserve_original_event', 'forwarded', 'aws-route53-logs'], 'network': {'protocol': 'dns', 'transport': 'udp', 'type': 'ipv4', 'iana_number': '17'}, 'cloud': {'provider': 'aws', 'region': 'us-east-1'}, 'input': {'type': 'aws-cloudwatch'}, '@timestamp': '2017-12-13T08:16:05.744Z', 'ecs': {'version': '8.0.0'}, 'related': {'hosts': ['txt.example.com'], 'ip': ['55.36.5.7']}, 'data_stream': {'namespace': 'default', 'type': 'logs', 'dataset': 'aws.route53_public_logs'}, 'log.file.path': 'test/test', 'event': {'agent_id_status': 'verified', 'ingested': '2021-12-06T02:37:25Z', 'original': '1.0 2017-12-13T08:16:05.744Z Z123412341234 txt.example.com TXT NOERROR UDP JFK5 55.36.5.7 -', 'kind': 'event', 'id': '36545504503447201576705984279898091551471012413796646912', 'category': ['network'], 'type': ['protocol'], 'dataset': 'aws.route53_public_logs', 'outcome': 'success'}, 'aws': {'route53': {'hosted_zone_id': 'Z123412341234', 'edge_location': 'JFK5'}}}"
Google Cloud Platform (GCP) VPC Flow logs,"https://docs.elastic.co/integrations/gcp/vpcflow
","{'@timestamp': '2019-06-14T03:50:10.845Z', 'agent': {'ephemeral_id': 'f4dde373-2ff7-464b-afdb-da94763f219b', 'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.6.0'}, 'cloud': {'provider': 'gcp'}, 'data_stream': {'dataset': 'gcp.vpcflow', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'address': '10.87.40.76', 'domain': 'kibana', 'ip': '10.87.40.76', 'port': 5601}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '5d3eee86-91a9-4afa-af92-c6b79bd866c0', 'snapshot': True, 'version': '8.6.0'}, 'event': {'agent_id_status': 'verified', 'category': 'network', 'created': '2023-01-13T15:03:19.118Z', 'dataset': 'gcp.vpcflow', 'end': '2019-06-14T03:40:37.048196137Z', 'id': 'ut8lbrffooxzf', 'ingested': '2023-01-13T15:03:20Z', 'kind': 'event', 'start': '2019-06-14T03:40:36.895188084Z', 'type': 'connection'}, 'gcp': {'destination': {'instance': {'project_id': 'my-sample-project', 'region': 'us-east1', 'zone': 'us-east1-b'}, 'vpc': {'project_id': 'my-sample-project', 'subnetwork_name': 'default', 'vpc_name': 'default'}}, 'vpcflow': {'reporter': 'DEST', 'rtt': {'ms': 36}}}, 'input': {'type': 'gcp-pubsub'}, 'log': {'logger': 'projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows'}, 'network': {'bytes': 1464, 'community_id': '1:++9/JiESSUdwTGGcxwXk4RA0lY8=', 'direction': 'inbound', 'iana_number': '6', 'packets': 7, 'transport': 'tcp', 'type': 'ipv4'}, 'related': {'ip': ['192.168.2.117', '10.87.40.76']}, 'source': {'address': '192.168.2.117', 'as': {'number': 15169}, 'bytes': 1464, 'geo': {'continent_name': 'America', 'country_name': 'usa'}, 'ip': '192.168.2.117', 'packets': 7, 'port': 50646}, 'tags': ['forwarded', 'gcp-vpcflow']}"
Amazon S3 Storage Lens,"https://docs.elastic.co/integrations/aws/s3_storage_lens
","{'@timestamp': '2021-11-07T20:38:00.000Z', 'ecs': {'version': '8.0.0'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.s3_storage_lens'}, 'service': {'type': 'aws'}, 'cloud': {'provider': 'aws', 'region': 'us-east-1', 'account': {'name': 'elastic-beats', 'id': '428152502467'}}, 'metricset': {'period': 86400000, 'name': 'cloudwatch'}, 'event': {'duration': 22973251900, 'agent_id_status': 'verified', 'ingested': '2021-11-08T20:38:37Z', 'module': 'aws', 'dataset': 'aws.s3_storage_lens'}, 'aws': {'s3_storage_lens': {'metrics': {'NonCurrentVersionStorageBytes': {'avg': 0}, 'DeleteMarkerObjectCount': {'avg': 0}, 'GetRequests': {'avg': 0}, 'SelectReturnedBytes': {'avg': 0}, 'ObjectCount': {'avg': 164195}, 'HeadRequests': {'avg': 0}, 'ListRequests': {'avg': 0}, 'DeleteRequests': {'avg': 0}, 'SelectRequests': {'avg': 0}, '5xxErrors': {'avg': 0}, 'BytesDownloaded': {'avg': 0}, 'BytesUploaded': {'avg': 82537}, 'CurrentVersionStorageBytes': {'avg': 154238334}, 'StorageBytes': {'avg': 154238334}, 'ObjectLockEnabledStorageBytes': {'avg': 0}, '4xxErrors': {'avg': 0}, 'PutRequests': {'avg': 145}, 'ObjectLockEnabledObjectCount': {'avg': 0}, 'EncryptedObjectCount': {'avg': 164191}, 'CurrentVersionObjectCount': {'avg': 164195}, 'IncompleteMultipartUploadObjectCount': {'avg': 0}, 'ReplicatedObjectCount': {'avg': 0}, 'AllRequests': {'avg': 145}, 'PostRequests': {'avg': 0}, 'IncompleteMultipartUploadStorageBytes': {'avg': 0}, 'NonCurrentVersionObjectCount': {'avg': 0}, 'ReplicatedStorageBytes': {'avg': 0}, 'EncryptedStorageBytes': {'avg': 154237917}, 'SelectScannedBytes': {'avg': 0}}}, 'cloudwatch': {'namespace': 'AWS/S3/Storage-Lens'}, 'dimensions': {'metrics_version': '1.0', 'storage_class': 'STANDARD', 'aws_region': 'eu-central-1', 'bucket_name': 'filebeat-aws-elb-test', 'aws_account_number': '428152502467', 'configuration_id': 'default-account-dashboard', 'record_type': 'BUCKET'}}}"
Amazon SQS,"https://docs.elastic.co/integrations/aws/sqs
","{'@timestamp': '2022-07-26T21:43:00.000Z', 'agent': {'name': 'docker-fleet-agent', 'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'type': 'metricbeat', 'ephemeral_id': 'cdaaaabb-be7e-432f-816b-bda019fd7c15', 'version': '8.3.2'}, 'elastic_agent': {'id': '2d4b09d0-cdb6-445e-ac3f-6415f87b9864', 'version': '8.3.2', 'snapshot': False}, 'cloud': {'provider': 'aws', 'region': 'eu-central-1', 'account': {'name': 'elastic-beats', 'id': '428152502467'}}, 'ecs': {'version': '8.0.0'}, 'service': {'type': 'aws'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.sqs'}, 'metricset': {'period': 300000, 'name': 'cloudwatch'}, 'aws': {'sqs': {'messages': {'visible': 1518.4, 'deleted': 0, 'not_visible': 0, 'delayed': 0, 'received': 0, 'sent': 0.16666666666666666}, 'empty_receives': 0, 'sent_message_size': {'bytes': 1002}, 'oldest_message_age': {'sec': 345605.6}, 'queue': {'name': 'filebeat-aws-elb-test'}}, 'cloudwatch': {'namespace': 'AWS/SQS'}, 'dimensions': {'QueueName': 'filebeat-aws-elb-test'}, 'tags': {'created-by': 'kaiyan'}}, 'event': {'duration': 11576777300, 'agent_id_status': 'verified', 'ingested': '2022-07-26T21:47:48Z', 'module': 'aws', 'dataset': 'aws.sqs'}}"
AWS Security Hub,"https://docs.elastic.co/integrations/aws/securityhub
","{'@timestamp': '2017-03-22T13:22:13.933Z', 'agent': {'ephemeral_id': '01f4fdba-8670-479d-b54f-7d39403bb723', 'id': 'eea1c0db-3657-4195-add3-da25a54834e7', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'aws': {'securityhub_findings': {'action': {'port_probe': {'blocked': False, 'details': [{'local': {'ip': {'address_v4': '1.128.0.0'}, 'port': {'name': 'HTTP', 'number': 80}}, 'remote_ip': {'city': {'name': 'Example City'}, 'country': {'name': 'Example Country'}, 'geolocation': {'latitude': 0, 'longitude': 0}, 'organization': {'asn': '64496', 'asn_organization': 'ExampleASO', 'internet_provider': 'ExampleOrg', 'internet_service_provider': 'ExampleISP'}}}]}}, 'aws_account_id': '111111111111', 'company': {'name': 'AWS'}, 'compliance': {'related_requirements': ['Req1', 'Req2'], 'status': 'PASSED', 'status_reasons': [{'description': 'CloudWatch alarms do not exist in the account', 'reason_code': 'CLOUDWATCH_ALARMS_NOT_PRESENT'}]}, 'confidence': 42, 'criticality': 99, 'description': 'The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.', 'first_observed_at': '2017-03-22T13:22:13.933Z', 'generator': {'id': 'acme-vuln-9ab348'}, 'last_observed_at': '2017-03-23T13:22:13.933Z', 'malware': [{'name': 'Stringler', 'path': '/usr/sbin/stringler', 'state': 'OBSERVED', 'type': 'COIN_MINER'}], 'network': {'open_port_range': {'begin': 443, 'end': 443}}, 'network_path': [{'component': {'id': 'abc-01a234bc56d8901ee', 'type': 'AWS::EC2::InternetGateway'}, 'egress': {'destination': {'address': ['1.128.0.0/24'], 'port_ranges': [{'begin': 443, 'end': 443}]}, 'protocol': 'TCP', 'source': {'address': ['175.16.199.1/24']}}, 'ingress': {'destination': {'address': ['175.16.199.1/24'], 'port_ranges': [{'begin': 443, 'end': 443}]}, 'protocol': 'TCP', 'source': {'address': ['175.16.199.1/24']}}}], 'note': {'text': ""Don't forget to check under the mat."", 'updated_at': '2018-08-31T00:15:09.000Z', 'updated_by': 'jsmith'}, 'patch_summary': {'failed': {'count': 0}, 'id': 'pb-123456789098', 'installed': {'count': 100, 'other': {'count': 1023}, 'pending_reboot': 0, 'rejected': {'count': 0}}, 'missing': {'count': 100}, 'operation': {'end_time': '2018-09-27T23:39:31.000Z', 'start_time': '2018-09-27T23:37:31.000Z', 'type': 'Install'}, 'reboot_option': 'RebootIfNeeded'}, 'product': {'arn': 'arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default', 'fields': {'Service_Name': 'cloudtrail.amazonaws.com', 'aws/inspector/AssessmentTargetName': 'My prod env', 'aws/inspector/AssessmentTemplateName': 'My daily CVE assessment', 'aws/inspector/RulesPackageName': 'Common Vulnerabilities and Exposures', 'generico/secure-pro/Count': '6'}, 'name': 'Security Hub'}, 'provider_fields': {'confidence': 42, 'criticality': 99, 'related_findings': [{'id': '123e4567-e89b-12d3-a456-426655440000', 'product': {'arn': 'arn:aws:securityhub:us-west-2::product/aws/guardduty'}}], 'severity': {'label': 'MEDIUM', 'original': 'MEDIUM'}, 'types': ['Software and Configuration Checks/Vulnerabilities/CVE']}, 'record_state': 'ACTIVE', 'region': 'us-east-1', 'related_findings': [{'id': '123e4567-e89b-12d3-a456-426655440000', 'product': {'arn': 'arn:aws:securityhub:us-west-2::product/aws/guardduty'}}, {'id': 'AcmeNerfHerder-111111111111-x189dx7824', 'product': {'arn': 'arn:aws:securityhub:us-west-2::product/aws/guardduty'}}], 'remediation': {'recommendation': {'text': 'Run sudo yum update and cross your fingers and toes.', 'url': 'http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html'}}, 'resources': [{'Details': {'IamInstanceProfileArn': 'arn:aws:iam::123456789012:role/IamInstanceProfileArn', 'ImageId': 'ami-79fd7eee', 'IpV4Addresses': ['175.16.199.1'], 'IpV6Addresses': ['2a02:cf40::'], 'KeyName': 'testkey', 'LaunchedAt': '2018-09-29T01:25:54Z', 'MetadataOptions': {'HttpEndpoint': 'enabled', 'HttpProtocolIpv6': 'enabled', 'HttpPutResponseHopLimit': 1, 'HttpTokens': 'optional', 'InstanceMetadataTags': 'disabled'}, 'NetworkInterfaces': [{'NetworkInterfaceId': 'eni-e5aa89a3'}], 'SubnetId': 'PublicSubnet', 'Type': 'i3.xlarge', 'VirtualizationType': 'hvm', 'VpcId': 'TestVPCIpv6'}, 'Id': 'i-cafebabe', 'Partition': 'aws', 'Region': 'us-west-2', 'Tags': {'billingCode': 'Lotus-1-2-3', 'needsPatching': 'true'}, 'Type': 'AwsEc2Instance'}], 'sample': True, 'schema': {'version': '2018-10-08'}, 'severity': {'label': 'CRITICAL', 'original': '8.3'}, 'source_url': 'http://threatintelweekly.org/backdoors/8888', 'threat_intel_indicators': [{'category': 'BACKDOOR', 'source': 'Threat Intel Weekly', 'source_url': 'http://threatintelweekly.org/backdoors/8888', 'value': '175.16.199.1'}], 'title': 'EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up', 'types': ['Software and Configuration Checks/Vulnerabilities/CVE'], 'updated_at': '2018-08-31T00:15:09.000Z', 'user_defined_fields': {'comeBackToLater': 'Check this again on Monday', 'reviewedByCio': 'true'}, 'verification_state': 'UNKNOWN', 'vulnerabilities': [{'cvss': [{'base_score': 4.7, 'base_vector': 'AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N', 'version': 'V3'}, {'base_score': 4.7, 'base_vector': 'AV:L/AC:M/Au:N/C:C/I:N/A:N', 'version': 'V2'}], 'related_vulnerabilities': ['CVE-2020-12345'], 'vendor': {'created_at': '2020-01-16T00:01:43.000Z', 'severity': 'Medium', 'updated_at': '2020-01-16T00:01:43.000Z', 'url': 'https://alas.aws.amazon.com/ALAS-2020-1337.html'}, 'vulnerable_packages': [{'architecture': 'x86_64', 'epoch': '1', 'name': 'openssl', 'release': '16.amzn2.0.3', 'version': '1.0.2k'}]}], 'workflow': {'state': 'NEW', 'status': 'NEW'}}}, 'cloud': {'account': {'id': '111111111111'}}, 'data_stream': {'dataset': 'aws.securityhub_findings', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'domain': 'example2.com', 'ip': ['1.128.0.0', '2a02:cf40::'], 'port': 80}, 'ecs': {'version': '8.2.0'}, 'elastic_agent': {'id': 'eea1c0db-3657-4195-add3-da25a54834e7', 'snapshot': True, 'version': '8.4.0'}, 'event': {'action': 'port_probe', 'agent_id_status': 'verified', 'created': '2022-07-27T12:47:41.799Z', 'dataset': 'aws.securityhub_findings', 'id': 'us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef', 'ingested': '2022-07-27T12:47:45Z', 'kind': 'event', 'original': '{""Action"":{""ActionType"":""PORT_PROBE"",""PortProbeAction"":{""Blocked"":false,""PortProbeDetails"":[{""LocalIpDetails"":{""IpAddressV4"":""1.128.0.0""},""LocalPortDetails"":{""Port"":80,""PortName"":""HTTP""},""RemoteIpDetails"":{""City"":{""CityName"":""Example City""},""Country"":{""CountryName"":""Example Country""},""GeoLocation"":{""Lat"":0,""Lon"":0},""Organization"":{""Asn"":64496,""AsnOrg"":""ExampleASO"",""Isp"":""ExampleISP"",""Org"":""ExampleOrg""}}}]}},""AwsAccountId"":""111111111111"",""CompanyName"":""AWS"",""Compliance"":{""RelatedRequirements"":[""Req1"",""Req2""],""Status"":""PASSED"",""StatusReasons"":[{""Description"":""CloudWatch alarms do not exist in the account"",""ReasonCode"":""CLOUDWATCH_ALARMS_NOT_PRESENT""}]},""Confidence"":42,""CreatedAt"":""2017-03-22T13:22:13.933Z"",""Criticality"":99,""Description"":""The version of openssl found on instance i-abcd1234 is known to contain a vulnerability."",""FindingProviderFields"":{""Confidence"":42,""Criticality"":99,""RelatedFindings"":[{""Id"":""123e4567-e89b-12d3-a456-426655440000"",""ProductArn"":""arn:aws:securityhub:us-west-2::product/aws/guardduty""}],""Severity"":{""Label"":""MEDIUM"",""Original"":""MEDIUM""},""Types"":[""Software and Configuration Checks/Vulnerabilities/CVE""]},""FirstObservedAt"":""2017-03-22T13:22:13.933Z"",""GeneratorId"":""acme-vuln-9ab348"",""Id"":""us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef"",""LastObservedAt"":""2017-03-23T13:22:13.933Z"",""Malware"":[{""Name"":""Stringler"",""Path"":""/usr/sbin/stringler"",""State"":""OBSERVED"",""Type"":""COIN_MINER""}],""Network"":{""DestinationDomain"":""example2.com"",""DestinationIpV4"":""1.128.0.0"",""DestinationIpV6"":""2a02:cf40::"",""DestinationPort"":""80"",""Direction"":""IN"",""OpenPortRange"":{""Begin"":443,""End"":443},""Protocol"":""TCP"",""SourceDomain"":""example1.com"",""SourceIpV4"":""1.128.0.0"",""SourceIpV6"":""2a02:cf40::"",""SourceMac"":""00:0d:83:b1:c0:8e"",""SourcePort"":""42""},""NetworkPath"":[{""ComponentId"":""abc-01a234bc56d8901ee"",""ComponentType"":""AWS::EC2::InternetGateway"",""Egress"":{""Destination"":{""Address"":[""1.128.0.0/24""],""PortRanges"":[{""Begin"":443,""End"":443}]},""Protocol"":""TCP"",""Source"":{""Address"":[""175.16.199.1/24""]}},""Ingress"":{""Destination"":{""Address"":[""175.16.199.1/24""],""PortRanges"":[{""Begin"":443,""End"":443}]},""Protocol"":""TCP"",""Source"":{""Address"":[""175.16.199.1/24""]}}}],""Note"":{""Text"":""Don\'t forget to check under the mat."",""UpdatedAt"":""2018-08-31T00:15:09Z"",""UpdatedBy"":""jsmith""},""PatchSummary"":{""FailedCount"":""0"",""Id"":""pb-123456789098"",""InstalledCount"":""100"",""InstalledOtherCount"":""1023"",""InstalledPendingReboot"":""0"",""InstalledRejectedCount"":""0"",""MissingCount"":""100"",""Operation"":""Install"",""OperationEndTime"":""2018-09-27T23:39:31Z"",""OperationStartTime"":""2018-09-27T23:37:31Z"",""RebootOption"":""RebootIfNeeded""},""Process"":{""LaunchedAt"":""2018-09-27T22:37:31Z"",""Name"":""syslogd"",""ParentPid"":56789,""Path"":""/usr/sbin/syslogd"",""Pid"":12345,""TerminatedAt"":""2018-09-27T23:37:31Z""},""ProductArn"":""arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default"",""ProductFields"":{""Service_Name"":""cloudtrail.amazonaws.com"",""aws/inspector/AssessmentTargetName"":""My prod env"",""aws/inspector/AssessmentTemplateName"":""My daily CVE assessment"",""aws/inspector/RulesPackageName"":""Common Vulnerabilities and Exposures"",""generico/secure-pro/Count"":""6""},""ProductName"":""Security Hub"",""RecordState"":""ACTIVE"",""Region"":""us-east-1"",""RelatedFindings"":[{""Id"":""123e4567-e89b-12d3-a456-426655440000"",""ProductArn"":""arn:aws:securityhub:us-west-2::product/aws/guardduty""},{""Id"":""AcmeNerfHerder-111111111111-x189dx7824"",""ProductArn"":""arn:aws:securityhub:us-west-2::product/aws/guardduty""}],""Remediation"":{""Recommendation"":{""Text"":""Run sudo yum update and cross your fingers and toes."",""Url"":""http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html""}},""Resources"":[{""Details"":{""IamInstanceProfileArn"":""arn:aws:iam::123456789012:role/IamInstanceProfileArn"",""ImageId"":""ami-79fd7eee"",""IpV4Addresses"":[""175.16.199.1""],""IpV6Addresses"":[""2a02:cf40::""],""KeyName"":""testkey"",""LaunchedAt"":""2018-09-29T01:25:54Z"",""MetadataOptions"":{""HttpEndpoint"":""enabled"",""HttpProtocolIpv6"":""enabled"",""HttpPutResponseHopLimit"":1,""HttpTokens"":""optional"",""InstanceMetadataTags"":""disabled""},""NetworkInterfaces"":[{""NetworkInterfaceId"":""eni-e5aa89a3""}],""SubnetId"":""PublicSubnet"",""Type"":""i3.xlarge"",""VirtualizationType"":""hvm"",""VpcId"":""TestVPCIpv6""},""Id"":""i-cafebabe"",""Partition"":""aws"",""Region"":""us-west-2"",""Tags"":{""billingCode"":""Lotus-1-2-3"",""needsPatching"":""true""},""Type"":""AwsEc2Instance""}],""Sample"":true,""SchemaVersion"":""2018-10-08"",""Severity"":{""Label"":""CRITICAL"",""Original"":""8.3""},""SourceUrl"":""http://threatintelweekly.org/backdoors/8888"",""ThreatIntelIndicators"":[{""Category"":""BACKDOOR"",""LastObservedAt"":""2018-09-27T23:37:31Z"",""Source"":""Threat Intel Weekly"",""SourceUrl"":""http://threatintelweekly.org/backdoors/8888"",""Type"":""IPV4_ADDRESS"",""Value"":""175.16.199.1""}],""Threats"":[{""FilePaths"":[{""FileName"":""b.txt"",""FilePath"":""/tmp/b.txt"",""Hash"":""sha256"",""ResourceId"":""arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f""}],""ItemCount"":3,""Name"":""Iot.linux.mirai.vwisi"",""Severity"":""HIGH""}],""Title"":""EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up"",""Types"":[""Software and Configuration Checks/Vulnerabilities/CVE""],""UpdatedAt"":""2018-08-31T00:15:09Z"",""UserDefinedFields"":{""comeBackToLater"":""Check this again on Monday"",""reviewedByCio"":""true""},""VerificationState"":""UNKNOWN"",""Vulnerabilities"":[{""Cvss"":[{""BaseScore"":4.7,""BaseVector"":""AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"",""Version"":""V3""},{""BaseScore"":4.7,""BaseVector"":""AV:L/AC:M/Au:N/C:C/I:N/A:N"",""Version"":""V2""}],""Id"":""CVE-2020-12345"",""ReferenceUrls"":[""http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"",""http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563""],""RelatedVulnerabilities"":[""CVE-2020-12345""],""Vendor"":{""Name"":""Alas"",""Url"":""https://alas.aws.amazon.com/ALAS-2020-1337.html"",""VendorCreatedAt"":""2020-01-16T00:01:43Z"",""VendorSeverity"":""Medium"",""VendorUpdatedAt"":""2020-01-16T00:01:43Z""},""VulnerablePackages"":[{""Architecture"":""x86_64"",""Epoch"":""1"",""Name"":""openssl"",""Release"":""16.amzn2.0.3"",""Version"":""1.0.2k""}]}],""Workflow"":{""Status"":""NEW""},""WorkflowState"":""NEW""}', 'type': ['info']}, 'input': {'type': 'httpjson'}, 'network': {'direction': 'IN', 'protocol': 'tcp'}, 'organization': {'name': 'AWS'}, 'process': {'end': '2018-09-27T23:37:31.000Z', 'executable': '/usr/sbin/syslogd', 'name': 'syslogd', 'parent': {'pid': 56789}, 'pid': 12345, 'start': '2018-09-27T22:37:31.000Z'}, 'related': {'ip': ['1.128.0.0', '2a02:cf40::']}, 'source': {'domain': 'example1.com', 'ip': ['1.128.0.0', '2a02:cf40::'], 'mac': '00-0D-83-B1-C0-8E', 'port': 42}, 'tags': ['preserve_original_event', 'forwarded', 'aws_securityhub_findings'], 'threat': {'indicator': {'last_seen': '2018-09-27T23:37:31.000Z', 'type': 'IPV4_ADDRESS'}}, 'url': {'domain': 'threatintelweekly.org', 'full': 'http://threatintelweekly.org/backdoors/8888', 'original': 'http://threatintelweekly.org/backdoors/8888', 'path': '/backdoors/8888', 'scheme': 'http'}, 'vulnerability': {'id': 'CVE-2020-12345', 'reference': ['http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563'], 'scanner': {'vendor': 'Alas'}, 'score': {'base': 4.7, 'version': 'V2'}}}"
Amazon ECS,"https://docs.elastic.co/integrations/aws/ecs
","{'agent': {'name': '4b4f1fd6f3ff', 'id': '8c424f1d-e9b1-4aab-8ce5-77dceb4becfb', 'type': 'metricbeat', 'ephemeral_id': '0c23896b-0bfe-469f-bf76-7203a2d52568', 'version': '8.1.0'}, 'elastic_agent': {'id': '8c424f1d-e9b1-4aab-8ce5-77dceb4becfb', 'version': '8.1.0', 'snapshot': False}, 'cloud': {'provider': 'aws', 'region': 'eu-west-1', 'account': {'name': 'elastic-observability', 'id': '627286350134'}}, '@timestamp': '2022-07-26T08:59:00.000Z', 'ecs': {'version': '8.0.0'}, 'service': {'type': 'aws'}, 'data_stream': {'namespace': 'default', 'type': 'metrics', 'dataset': 'aws.ecs_metrics'}, 'host': {'hostname': '4b4f1fd6f3ff', 'os': {'kernel': '5.10.104-linuxkit', 'codename': 'focal', 'name': 'Ubuntu', 'family': 'debian', 'type': 'linux', 'version': '20.04.3 LTS (Focal Fossa)', 'platform': 'ubuntu'}, 'containerized': False, 'ip': ['172.19.0.4'], 'name': '4b4f1fd6f3ff', 'mac': ['02:42:ac:13:00:04'], 'architecture': 'aarch64'}, 'metricset': {'period': 300000, 'name': 'cloudwatch'}, 'aws': {'ecs': {'metrics': {'CPUUtilization': {'avg': 100.040084913373}, 'MemoryUtilization': {'avg': 9.195963541666666}}}, 'cloudwatch': {'namespace': 'AWS/ECS'}, 'dimensions': {'ServiceName': 'integration-service-1', 'ClusterName': 'integration-cluster-1'}}, 'event': {'duration': 1862196584, 'agent_id_status': 'verified', 'ingested': '2022-07-26T09:04:12Z', 'module': 'aws', 'dataset': 'aws.ecs_metrics'}}"
AWS Inspector,"https://docs.elastic.co/integrations/aws/inspector
","{'@timestamp': '2022-09-20T19:52:26.405Z', 'agent': {'ephemeral_id': 'd1032859-fd44-410c-9960-dde7dcbc3a2e', 'id': '4a3373c9-b63f-4544-a929-761b42f50054', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'aws': {'inspector': {'finding_arn': 'arn:aws:s3:::sample', 'first_observed_at': '2022-09-20T19:52:26.405Z', 'inspector_score': 1.2, 'inspector_score_details': {'adjusted_cvss': {'adjustments': [{'metric': 'Base', 'reason': 'use Base metric'}], 'cvss_source': 'scope1', 'score': {'source': 'scope2', 'value': 8.9}, 'scoring_vector': 'Attack Vector', 'version': 'v3.1'}}, 'last_observed_at': '2022-09-20T19:52:26.405Z', 'network_reachability_details': {'network_path': {'steps': [{'component': {'id': '02ce3860-3126-42af-8ac7-c2a661134129', 'type': 'type'}}]}, 'open_port_range': {'begin': 1234, 'end': 4567}}, 'package_vulnerability_details': {'cvss': [{'scoring_vector': 'Attack Vector', 'source': 'scope3'}], 'related_vulnerabilities': ['security'], 'source': {'url': {'domain': 'cve.mitre.org', 'extension': 'cgi', 'original': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', 'path': '/cgi-bin/cvename.cgi', 'query': 'name=CVE-2019-6111', 'scheme': 'https'}, 'value': 'example'}, 'vendor': {'created_at': '2022-09-20T19:52:26.405Z', 'updated_at': '2022-09-20T19:52:26.405Z'}, 'vulnerable_packages': [{'arch': 'arch', 'epoch': 123, 'file_path': '/example', 'fixed_inversion': '3', 'name': 'example', 'package_manager': 'BUNDLER', 'release': 'release', 'source_layer_hash': '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c', 'version': '2.0'}]}, 'remediation': {'recommendation': {'text': 'example', 'url': {'domain': 'cve.mitre.org', 'extension': 'cgi', 'original': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', 'path': '/cgi-bin/cvename.cgi', 'query': 'name=CVE-2019-6111', 'scheme': 'https'}}}, 'resources': [{'details': {'aws': {'ec2_instance': {'iam_instance_profile_arn': 'arn:aws:s3:::iam', 'image_id': '123456789', 'ipv4_addresses': ['89.160.20.128', '81.2.69.192'], 'ipv6_addresses': ['2a02:cf40::'], 'key_name': 'sample', 'launched_at': '2022-09-20T19:52:26.405Z', 'platform': 'EC2', 'subnet_id': '123456', 'type': 'Instance', 'vpc_id': '3265875'}, 'ecr_container_image': {'architecture': 'arch', 'author': 'example', 'image': {'hash': '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d', 'tags': ['sample']}, 'platform': 'ECR', 'pushed_at': '2022-09-20T19:52:26.405Z', 'registry': 'ecr registry', 'repository_name': 'sample'}}}, 'id': '12345678', 'partition': 'partition', 'tags': {'string1': 'string1', 'string2': 'string2'}, 'type': 'AWS_EC2_INSTANCE'}], 'severity': 'INFORMATIONAL', 'status': 'ACTIVE', 'title': 'sample findings', 'type': 'NETWORK_REACHABILITY'}}, 'cloud': {'account': {'id': '123456789'}, 'region': ['us-east-1']}, 'data_stream': {'dataset': 'aws.inspector', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.2.0'}, 'elastic_agent': {'id': '4a3373c9-b63f-4544-a929-761b42f50054', 'snapshot': False, 'version': '8.4.0'}, 'event': {'agent_id_status': 'verified', 'created': '2022-11-17T13:05:04.253Z', 'dataset': 'aws.inspector', 'ingested': '2022-11-17T13:05:07Z', 'kind': 'event', 'original': '{""awsAccountId"":""123456789"",""description"":""Findins message"",""findingArn"":""arn:aws:s3:::sample"",""firstObservedAt"":""1.663703546405E9"",""inspectorScore"":1.2,""inspectorScoreDetails"":{""adjustedCvss"":{""adjustments"":[{""metric"":""Base"",""reason"":""use Base metric""}],""cvssSource"":""scope1"",""score"":8.9,""scoreSource"":""scope2"",""scoringVector"":""Attack Vector"",""version"":""v3.1""}},""lastObservedAt"":""1.663703546405E9"",""networkReachabilityDetails"":{""networkPath"":{""steps"":[{""componentId"":""02ce3860-3126-42af-8ac7-c2a661134129"",""componentType"":""type""}]},""openPortRange"":{""begin"":1234,""end"":4567},""protocol"":""TCP""},""packageVulnerabilityDetails"":{""cvss"":[{""baseScore"":1.1,""scoringVector"":""Attack Vector"",""source"":""scope3"",""version"":""v3.1""}],""referenceUrls"":[""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111""],""relatedVulnerabilities"":[""security""],""source"":""example"",""sourceUrl"":""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"",""vendorCreatedAt"":""1.663703546405E9"",""vendorSeverity"":""basic"",""vendorUpdatedAt"":""1.663703546405E9"",""vulnerabilityId"":""123456789"",""vulnerablePackages"":[{""arch"":""arch"",""epoch"":123,""filePath"":""/example"",""fixedInVersion"":""3"",""name"":""example"",""packageManager"":""BUNDLER"",""release"":""release"",""sourceLayerHash"":""50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"",""version"":""2.0""}]},""remediation"":{""recommendation"":{""Url"":""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"",""text"":""example""}},""resources"":[{""details"":{""awsEc2Instance"":{""iamInstanceProfileArn"":""arn:aws:s3:::iam"",""imageId"":""123456789"",""ipV4Addresses"":[""89.160.20.128"",""81.2.69.192""],""ipV6Addresses"":[""2a02:cf40::""],""keyName"":""sample"",""launchedAt"":""1.663703546405E9"",""platform"":""EC2"",""subnetId"":""123456"",""type"":""Instance"",""vpcId"":""3265875""},""awsEcrContainerImage"":{""architecture"":""arch"",""author"":""example"",""imageHash"":""50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d"",""imageTags"":[""sample""],""platform"":""ECR"",""pushedAt"":""1.663703546405E9"",""registry"":""ecr registry"",""repositoryName"":""sample""}},""id"":""12345678"",""partition"":""partition"",""region"":""us-east-1"",""tags"":{""string1"":""string1"",""string2"":""string2""},""type"":""AWS_EC2_INSTANCE""}],""severity"":""INFORMATIONAL"",""status"":""ACTIVE"",""title"":""sample findings"",""type"":""NETWORK_REACHABILITY"",""updatedAt"":""1.663703546405E9""}', 'type': ['info']}, 'input': {'type': 'httpjson'}, 'message': 'Findins message', 'network': {'transport': 'tcp'}, 'related': {'hash': ['50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c', '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d'], 'ip': ['89.160.20.128', '81.2.69.192', '2a02:cf40::']}, 'tags': ['preserve_original_event', 'forwarded', 'aws-inspector'], 'vulnerability': {'id': '123456789', 'reference': ['https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111'], 'score': {'base': [1.1], 'version': ['v3.1']}, 'severity': 'basic'}}"
Kubernetes Audit Logs,"https://docs.elastic.co/integrations/kubernetes/audit-logs
","{'kubernetes': {'audit': {'auditID': 'bcacfeaa-5ab5-48de-8bac-3a87d1474b6a', 'requestReceivedTimestamp': '2022-08-31T08:09:39.660940Z', 'level': 'RequestResponse', 'kind': 'Event', 'verb': 'get', 'annotations': {'authorization_k8s_io/decision': 'allow', 'authorization_k8s_io/reason': 'RBAC: allowed by ClusterRoleBinding ""system:public-info-viewer"" of ClusterRole ""system:public-info-viewer"" to Group ""system:unauthenticated""'}, 'userAgent': 'kube-probe/1.24', 'requestURI': '/readyz', 'responseStatus': {'metadata': {}, 'code': 200}, 'stageTimestamp': '2022-08-31T08:09:39.662241Z', 'sourceIPs': ['172.18.0.2'], 'apiVersion': 'audit.k8s.io/v1', 'stage': 'ResponseComplete', 'user': {'groups': ['system:unauthenticated'], 'username': 'system:anonymous'}}}, 'input': {'type': 'filestream'}, 'agent': {'name': 'kind-control-plane', 'id': '6e730a0c-7da5-48ff-b4c9-f6c63844975d', 'type': 'filebeat', 'ephemeral_id': 'd27511c8-9cd1-402c-8b1b-234abbd9dcae', 'version': '8.4.0'}, '@timestamp': '2022-08-31T08:09:57.520Z', 'ecs': {'version': '8.0.0'}, 'log': {'file': {'path': '/var/log/kubernetes/kube-apiserver-audit-1.log'}, 'offset': 20995}, 'data_stream': {'namespace': 'default', 'type': 'logs', 'dataset': 'kubernetes.audit_logs'}, 'host': {'hostname': 'kind-control-plane', 'os': {'kernel': '5.10.104-linuxkit', 'codename': 'focal', 'name': 'Ubuntu', 'type': 'linux', 'family': 'debian', 'version': '20.04.4 LTS (Focal Fossa)', 'platform': 'ubuntu'}, 'containerized': False, 'ip': ['10.244.0.1', '10.244.0.1', '10.244.0.1', '172.30.0.3', '172.18.0.2', 'fc00:f853:ccd:e793::2', 'fe80::42:acff:fe12:2'], 'name': 'kind-control-plane', 'id': '5016511f0829451ea244f458eebf2212', 'mac': ['02:42:ac:12:00:02', '02:42:ac:1e:00:03', '3a:ba:49:df:78:35', '86:c7:fe:c8:fa:22', 'd6:48:c1:a2:a4:15'], 'architecture': 'x86_64'}, 'elastic_agent': {'id': '6e730a0c-7da5-48ff-b4c9-f6c63844975d', 'version': '8.4.0', 'snapshot': False}, 'event': {'agent_id_status': 'verified', 'ingested': '2022-08-31T08:09:58Z', 'dataset': 'kubernetes.audit_logs'}}"
SonicWall Firewall,"https://docs.elastic.co/integrations/sonicwall_firewall
","{'@timestamp': '2022-05-16T08:18:39.000+02:00', 'agent': {'ephemeral_id': '6cc3228b-d89c-4104-b750-d9cb44ed5513', 'id': '08a5caf6-a717-4f5f-90e2-0f4eb7c59b00', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.2.0'}, 'data_stream': {'dataset': 'sonicwall_firewall.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'geo': {'city_name': 'London', 'continent_name': 'Europe', 'country_iso_code': 'GB', 'country_name': 'United Kingdom', 'location': {'lat': 51.5142, 'lon': -0.0931}, 'region_iso_code': 'GB-ENG', 'region_name': 'England'}, 'ip': '81.2.69.193', 'mac': '00-17-C5-30-F9-D9', 'port': 64889}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '08a5caf6-a717-4f5f-90e2-0f4eb7c59b00', 'snapshot': False, 'version': '8.2.0'}, 'event': {'action': 'connection-denied', 'agent_id_status': 'verified', 'category': ['network'], 'code': '713', 'dataset': 'sonicwall_firewall.log', 'ingested': '2022-05-23T13:47:58Z', 'kind': 'event', 'outcome': 'success', 'sequence': '692', 'severity': '7', 'timezone': '+02:00', 'type': ['connection', 'denied']}, 'input': {'type': 'udp'}, 'log': {'level': 'debug', 'source': {'address': '172.24.0.4:47831'}}, 'message': '� (TCP Flag(s): RST)', 'network': {'bytes': 46, 'protocol': 'https', 'transport': 'tcp'}, 'observer': {'egress': {'interface': {'name': 'X1'}, 'zone': 'Untrusted'}, 'ingress': {'interface': {'name': 'X1'}, 'zone': 'Untrusted'}, 'ip': '10.0.0.96', 'name': 'firewall', 'product': 'SonicOS', 'serial_number': '0040103CE114', 'type': 'firewall', 'vendor': 'SonicWall'}, 'related': {'ip': ['10.0.0.96', '81.2.69.193'], 'user': ['admin']}, 'rule': {'id': '15 (WAN->WAN)'}, 'sonicwall': {'firewall': {'app': '12', 'event_group_category': 'Firewall Settings', 'gcat': '6', 'sess': 'Web'}}, 'source': {'bytes': 46, 'ip': '10.0.0.96', 'mac': '00-06-B1-DD-4F-D4', 'port': 443}, 'tags': ['sonicwall-firewall', 'forwarded'], 'user': {'name': 'admin'}}"
AWS Inspector,"https://docs.elastic.co/integrations/aws/inspector
","{'@timestamp': '2022-09-20T19:52:26.405Z', 'agent': {'ephemeral_id': 'd1032859-fd44-410c-9960-dde7dcbc3a2e', 'id': '4a3373c9-b63f-4544-a929-761b42f50054', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.4.0'}, 'aws': {'inspector': {'finding_arn': 'arn:aws:s3:::sample', 'first_observed_at': '2022-09-20T19:52:26.405Z', 'inspector_score': 1.2, 'inspector_score_details': {'adjusted_cvss': {'adjustments': [{'metric': 'Base', 'reason': 'use Base metric'}], 'cvss_source': 'scope1', 'score': {'source': 'scope2', 'value': 8.9}, 'scoring_vector': 'Attack Vector', 'version': 'v3.1'}}, 'last_observed_at': '2022-09-20T19:52:26.405Z', 'network_reachability_details': {'network_path': {'steps': [{'component': {'id': '02ce3860-3126-42af-8ac7-c2a661134129', 'type': 'type'}}]}, 'open_port_range': {'begin': 1234, 'end': 4567}}, 'package_vulnerability_details': {'cvss': [{'scoring_vector': 'Attack Vector', 'source': 'scope3'}], 'related_vulnerabilities': ['security'], 'source': {'url': {'domain': 'cve.mitre.org', 'extension': 'cgi', 'original': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', 'path': '/cgi-bin/cvename.cgi', 'query': 'name=CVE-2019-6111', 'scheme': 'https'}, 'value': 'example'}, 'vendor': {'created_at': '2022-09-20T19:52:26.405Z', 'updated_at': '2022-09-20T19:52:26.405Z'}, 'vulnerable_packages': [{'arch': 'arch', 'epoch': 123, 'file_path': '/example', 'fixed_inversion': '3', 'name': 'example', 'package_manager': 'BUNDLER', 'release': 'release', 'source_layer_hash': '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c', 'version': '2.0'}]}, 'remediation': {'recommendation': {'text': 'example', 'url': {'domain': 'cve.mitre.org', 'extension': 'cgi', 'original': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111', 'path': '/cgi-bin/cvename.cgi', 'query': 'name=CVE-2019-6111', 'scheme': 'https'}}}, 'resources': [{'details': {'aws': {'ec2_instance': {'iam_instance_profile_arn': 'arn:aws:s3:::iam', 'image_id': '123456789', 'ipv4_addresses': ['89.160.20.128', '81.2.69.192'], 'ipv6_addresses': ['2a02:cf40::'], 'key_name': 'sample', 'launched_at': '2022-09-20T19:52:26.405Z', 'platform': 'EC2', 'subnet_id': '123456', 'type': 'Instance', 'vpc_id': '3265875'}, 'ecr_container_image': {'architecture': 'arch', 'author': 'example', 'image': {'hash': '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d', 'tags': ['sample']}, 'platform': 'ECR', 'pushed_at': '2022-09-20T19:52:26.405Z', 'registry': 'ecr registry', 'repository_name': 'sample'}}}, 'id': '12345678', 'partition': 'partition', 'tags': {'string1': 'string1', 'string2': 'string2'}, 'type': 'AWS_EC2_INSTANCE'}], 'severity': 'INFORMATIONAL', 'status': 'ACTIVE', 'title': 'sample findings', 'type': 'NETWORK_REACHABILITY'}}, 'cloud': {'account': {'id': '123456789'}, 'region': ['us-east-1']}, 'data_stream': {'dataset': 'aws.inspector', 'namespace': 'ep', 'type': 'logs'}, 'ecs': {'version': '8.2.0'}, 'elastic_agent': {'id': '4a3373c9-b63f-4544-a929-761b42f50054', 'snapshot': False, 'version': '8.4.0'}, 'event': {'agent_id_status': 'verified', 'created': '2022-11-17T13:05:04.253Z', 'dataset': 'aws.inspector', 'ingested': '2022-11-17T13:05:07Z', 'kind': 'event', 'original': '{""awsAccountId"":""123456789"",""description"":""Findins message"",""findingArn"":""arn:aws:s3:::sample"",""firstObservedAt"":""1.663703546405E9"",""inspectorScore"":1.2,""inspectorScoreDetails"":{""adjustedCvss"":{""adjustments"":[{""metric"":""Base"",""reason"":""use Base metric""}],""cvssSource"":""scope1"",""score"":8.9,""scoreSource"":""scope2"",""scoringVector"":""Attack Vector"",""version"":""v3.1""}},""lastObservedAt"":""1.663703546405E9"",""networkReachabilityDetails"":{""networkPath"":{""steps"":[{""componentId"":""02ce3860-3126-42af-8ac7-c2a661134129"",""componentType"":""type""}]},""openPortRange"":{""begin"":1234,""end"":4567},""protocol"":""TCP""},""packageVulnerabilityDetails"":{""cvss"":[{""baseScore"":1.1,""scoringVector"":""Attack Vector"",""source"":""scope3"",""version"":""v3.1""}],""referenceUrls"":[""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111""],""relatedVulnerabilities"":[""security""],""source"":""example"",""sourceUrl"":""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"",""vendorCreatedAt"":""1.663703546405E9"",""vendorSeverity"":""basic"",""vendorUpdatedAt"":""1.663703546405E9"",""vulnerabilityId"":""123456789"",""vulnerablePackages"":[{""arch"":""arch"",""epoch"":123,""filePath"":""/example"",""fixedInVersion"":""3"",""name"":""example"",""packageManager"":""BUNDLER"",""release"":""release"",""sourceLayerHash"":""50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"",""version"":""2.0""}]},""remediation"":{""recommendation"":{""Url"":""https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"",""text"":""example""}},""resources"":[{""details"":{""awsEc2Instance"":{""iamInstanceProfileArn"":""arn:aws:s3:::iam"",""imageId"":""123456789"",""ipV4Addresses"":[""89.160.20.128"",""81.2.69.192""],""ipV6Addresses"":[""2a02:cf40::""],""keyName"":""sample"",""launchedAt"":""1.663703546405E9"",""platform"":""EC2"",""subnetId"":""123456"",""type"":""Instance"",""vpcId"":""3265875""},""awsEcrContainerImage"":{""architecture"":""arch"",""author"":""example"",""imageHash"":""50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d"",""imageTags"":[""sample""],""platform"":""ECR"",""pushedAt"":""1.663703546405E9"",""registry"":""ecr registry"",""repositoryName"":""sample""}},""id"":""12345678"",""partition"":""partition"",""region"":""us-east-1"",""tags"":{""string1"":""string1"",""string2"":""string2""},""type"":""AWS_EC2_INSTANCE""}],""severity"":""INFORMATIONAL"",""status"":""ACTIVE"",""title"":""sample findings"",""type"":""NETWORK_REACHABILITY"",""updatedAt"":""1.663703546405E9""}', 'type': ['info']}, 'input': {'type': 'httpjson'}, 'message': 'Findins message', 'network': {'transport': 'tcp'}, 'related': {'hash': ['50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c', '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d'], 'ip': ['89.160.20.128', '81.2.69.192', '2a02:cf40::']}, 'tags': ['preserve_original_event', 'forwarded', 'aws-inspector'], 'vulnerability': {'id': '123456789', 'reference': ['https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111'], 'score': {'base': [1.1], 'version': ['v3.1']}, 'severity': 'basic'}}"
Kubernetes Audit Logs,"https://docs.elastic.co/integrations/kubernetes/audit-logs
","{'kubernetes': {'audit': {'auditID': 'bcacfeaa-5ab5-48de-8bac-3a87d1474b6a', 'requestReceivedTimestamp': '2022-08-31T08:09:39.660940Z', 'level': 'RequestResponse', 'kind': 'Event', 'verb': 'get', 'annotations': {'authorization_k8s_io/decision': 'allow', 'authorization_k8s_io/reason': 'RBAC: allowed by ClusterRoleBinding ""system:public-info-viewer"" of ClusterRole ""system:public-info-viewer"" to Group ""system:unauthenticated""'}, 'userAgent': 'kube-probe/1.24', 'requestURI': '/readyz', 'responseStatus': {'metadata': {}, 'code': 200}, 'stageTimestamp': '2022-08-31T08:09:39.662241Z', 'sourceIPs': ['172.18.0.2'], 'apiVersion': 'audit.k8s.io/v1', 'stage': 'ResponseComplete', 'user': {'groups': ['system:unauthenticated'], 'username': 'system:anonymous'}}}, 'input': {'type': 'filestream'}, 'agent': {'name': 'kind-control-plane', 'id': '6e730a0c-7da5-48ff-b4c9-f6c63844975d', 'type': 'filebeat', 'ephemeral_id': 'd27511c8-9cd1-402c-8b1b-234abbd9dcae', 'version': '8.4.0'}, '@timestamp': '2022-08-31T08:09:57.520Z', 'ecs': {'version': '8.0.0'}, 'log': {'file': {'path': '/var/log/kubernetes/kube-apiserver-audit-1.log'}, 'offset': 20995}, 'data_stream': {'namespace': 'default', 'type': 'logs', 'dataset': 'kubernetes.audit_logs'}, 'host': {'hostname': 'kind-control-plane', 'os': {'kernel': '5.10.104-linuxkit', 'codename': 'focal', 'name': 'Ubuntu', 'type': 'linux', 'family': 'debian', 'version': '20.04.4 LTS (Focal Fossa)', 'platform': 'ubuntu'}, 'containerized': False, 'ip': ['10.244.0.1', '10.244.0.1', '10.244.0.1', '172.30.0.3', '172.18.0.2', 'fc00:f853:ccd:e793::2', 'fe80::42:acff:fe12:2'], 'name': 'kind-control-plane', 'id': '5016511f0829451ea244f458eebf2212', 'mac': ['02:42:ac:12:00:02', '02:42:ac:1e:00:03', '3a:ba:49:df:78:35', '86:c7:fe:c8:fa:22', 'd6:48:c1:a2:a4:15'], 'architecture': 'x86_64'}, 'elastic_agent': {'id': '6e730a0c-7da5-48ff-b4c9-f6c63844975d', 'version': '8.4.0', 'snapshot': False}, 'event': {'agent_id_status': 'verified', 'ingested': '2022-08-31T08:09:58Z', 'dataset': 'kubernetes.audit_logs'}}"
SonicWall Firewall,"https://docs.elastic.co/integrations/sonicwall_firewall
","{'@timestamp': '2022-05-16T08:18:39.000+02:00', 'agent': {'ephemeral_id': '6cc3228b-d89c-4104-b750-d9cb44ed5513', 'id': '08a5caf6-a717-4f5f-90e2-0f4eb7c59b00', 'name': 'docker-fleet-agent', 'type': 'filebeat', 'version': '8.2.0'}, 'data_stream': {'dataset': 'sonicwall_firewall.log', 'namespace': 'ep', 'type': 'logs'}, 'destination': {'geo': {'city_name': 'London', 'continent_name': 'Europe', 'country_iso_code': 'GB', 'country_name': 'United Kingdom', 'location': {'lat': 51.5142, 'lon': -0.0931}, 'region_iso_code': 'GB-ENG', 'region_name': 'England'}, 'ip': '81.2.69.193', 'mac': '00-17-C5-30-F9-D9', 'port': 64889}, 'ecs': {'version': '8.6.0'}, 'elastic_agent': {'id': '08a5caf6-a717-4f5f-90e2-0f4eb7c59b00', 'snapshot': False, 'version': '8.2.0'}, 'event': {'action': 'connection-denied', 'agent_id_status': 'verified', 'category': ['network'], 'code': '713', 'dataset': 'sonicwall_firewall.log', 'ingested': '2022-05-23T13:47:58Z', 'kind': 'event', 'outcome': 'success', 'sequence': '692', 'severity': '7', 'timezone': '+02:00', 'type': ['connection', 'denied']}, 'input': {'type': 'udp'}, 'log': {'level': 'debug', 'source': {'address': '172.24.0.4:47831'}}, 'message': '� (TCP Flag(s): RST)', 'network': {'bytes': 46, 'protocol': 'https', 'transport': 'tcp'}, 'observer': {'egress': {'interface': {'name': 'X1'}, 'zone': 'Untrusted'}, 'ingress': {'interface': {'name': 'X1'}, 'zone': 'Untrusted'}, 'ip': '10.0.0.96', 'name': 'firewall', 'product': 'SonicOS', 'serial_number': '0040103CE114', 'type': 'firewall', 'vendor': 'SonicWall'}, 'related': {'ip': ['10.0.0.96', '81.2.69.193'], 'user': ['admin']}, 'rule': {'id': '15 (WAN->WAN)'}, 'sonicwall': {'firewall': {'app': '12', 'event_group_category': 'Firewall Settings', 'gcat': '6', 'sess': 'Web'}}, 'source': {'bytes': 46, 'ip': '10.0.0.96', 'mac': '00-06-B1-DD-4F-D4', 'port': 443}, 'tags': ['sonicwall-firewall', 'forwarded'], 'user': {'name': 'admin'}}"