diff --git a/packages/amazon_security_lake/_dev/build/docs/README.md b/packages/amazon_security_lake/_dev/build/docs/README.md index 4a685d80987d..18008fd0da68 100644 --- a/packages/amazon_security_lake/_dev/build/docs/README.md +++ b/packages/amazon_security_lake/_dev/build/docs/README.md @@ -10,7 +10,7 @@ The Amazon Security Lake integration can be used in two different modes to colle ## Compatibility -This module follows the latest OCSF Schema Version **v1.0.0**. +This module follows the OCSF Schema Version **v1.1.0**. ## Data streams @@ -19,6 +19,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable and stay within field mapping [limits](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-settings-limit.html). This will evolve as needed. + ## Requirements - Elastic Agent must be installed. diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml index b320a9cdbe99..294689e3035f 100644 --- a/packages/amazon_security_lake/changelog.yml +++ b/packages/amazon_security_lake/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.0.0" + changes: + - description: Updated to support OCSF v1.1.0. with major pipeline rework and dynamic mapping support. + type: enhancement + link: https://github.com/elastic/integrations/pull/10405 - version: "1.5.0" changes: - description: Re-added SQS notification settings which were removed due to a prior update error. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/api-fields.yml 
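Review bot: several descriptions in this hunk are copy-paste errors from neighbouring objects and should be fixed before merge, since they surface as field help in Kibana. In `creator`, `name` reads "The name of the city." (compare `modifier.name`: "The username. For example, janedoe1."); in `modifier`, `email_addr` reads "The image name. For example: elixir." and `full_name` reads "The user's email address." (the `owner` block has the correct text for both); in `owner`, `type` reads "The event occurred on a personal device.The type of the user..." and the leading sentence should be dropped; under `product`, `name` and `uid` are described as "the feature" rather than the product. Two mapping questions as well: the OCSF `*_id` enum fields are typed inconsistently (`confidentiality_id` and `integrity_id` are `integer`, while `account.type_id`, `type_id`, `hashes.algorithm_id` and `signature.algorithm_id` are `keyword`), which makes range queries and aggregations behave differently across the same enum family, and the `ldap_person.*_time` fields carry `format: epoch_second` while every other `*_time` date field in the file (`created_time`, `modified_time`, `session.created_time`, ...) has no format, so either the others need the same format or this one is wrong; worth confirming against what Security Lake actually emits, given that OCSF `timestamp_t` is documented as milliseconds since the epoch. Minor: `integrity` says "normalized to the caption of the direction_id value", which should be `integrity_id`; `parent_process_keyword` and `session.mfa` have no description, and `session.mfa` coexists with `is_mfa` (the OCSF v1.1.0 name) later in the file, so consider dropping the old name or documenting why both are kept.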
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/device-fields.yml 
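Review bot: `ocsf.api.request.containers.size` and `ocsf.api.response.containers.size` are mapped as `integer`, while the container `size` that this same PR removes from fields.yml was `long`; image sizes are in bytes and anything above 2,147,483,647 (a bit over 2 GiB, not unusual for large images) will hit an out-of-range mapper error and reject the whole document, so keep `long` here. Two smaller consistency points in the same hunk: `ocsf.api.group.desc` is `text` whereas every other group `desc` added in this PR is `keyword` (a `text` field cannot be aggregated on or used in a terms query the way the sibling group objects can), and the OCSF-inherited description "write to the standard the output of a particular logging driver" appears under both `request.containers` and `response.containers`; it should read "write to the standard output".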
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml index 57f77aaf0afd..e7f961422619 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml 
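Review bot: `ocsf.device.subnet` is mapped as `ip_range` but documented as "The subnet mask."; an `ip_range` field only accepts CIDR notation (or an explicit gte/lte object), so a source that emits a dotted mask such as 255.255.255.0, or a subnet without a prefix length, will cause a mapping exception and the event will be dropped unless the pipeline normalises or removes the value first. Either convert to CIDR in the pipeline with an `on_failure` path or map this as `keyword`. Several descriptions in this hunk also look copy-pasted and need correcting: `created_time_dt` reads "TThe time when the device was known to have been created.", `hostname` reads "The devicename.", and `uid_alt` under the device object reads "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.", which describes a user rather than a device. Finally, `location.coordinates` as `geo_point` with the "longitude/latitude pair" description is correct for the array form Elasticsearch accepts, but the pipeline must pass the array through as-is; converting it to a "lat,lon" string without swapping the elements would silently geolocate every device wrongly.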
@@ -7,1713 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. 
- - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: app type: group fields: 
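Review bot: the removed `session.mfa` entry (`- name: mfa - type: boolean`) is the only field in this block without a `description:`, so wherever the session object is now declared, add one (for example, "The indication of whether multi-factor authentication was used for the session.") instead of carrying the gap forward. The same hunk also drops several copies of the identical user/session/org subtree nested under process; please check that the re-homed definitions keep only the nesting depth the pipeline actually emits, otherwise the field count this rework is meant to reduce comes straight back.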
@@ -1723,18 +16,11 @@ - name: name type: keyword description: The CIS benchmark name. - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: path type: keyword description: The installation path of the product. 
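Review bot: the `feature.*` wildcard with `object_type: keyword` and `object_type_mapping_type: "*"` maps every dynamic subfield under `feature` to keyword, which is broader than the three explicit `name`/`uid`/`version` fields it replaces. The description should state that the object is mapped dynamically and that non-string values will be stored as keyword, and any saved search or visualization that referenced `feature.name`, `feature.uid` or `feature.version` needs checking, since those are no longer declared fields.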
@@ -1756,6 +42,39 @@ - name: category_uid type: keyword description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: protocol_name + type: keyword + description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' + - name: protocol_num + type: keyword + description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' 
+ - name: protocol_ver + type: keyword + description: The Internet Protocol version. + - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. + - name: tcp_flags + type: long + description: The network connection TCP header flags (i.e., control bits). + - name: uid + type: keyword + description: The unique identifier of the connection. - name: class_name type: keyword description: 'The event class name, as defined by class_uid value: Security Finding.' 
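Review bot: the `boundary` description has lost its spacing ("event source.For cloud connections, this translates to the traffic-boundary(same VPC"); reuse the wording from `boundary_id` directly below, which is correct. Separately, `protocol_num` is typed `keyword` although its own description defines it as an IANA protocol number (6 for TCP, 17 for UDP, -1 when undefined); `long` or `integer` would allow range queries and numeric comparisons, and `tcp_flags` in the same object is already `long`.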
@@ -1807,36 +126,36 @@ - name: zone type: keyword description: The availability zone in the cloud region, as defined by the cloud provider. + - name: command_uid + type: keyword + description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. - name: count type: long description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device + - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: database type: group fields: - - name: autoscale_uid + - name: uid type: keyword - description: The unique identifier of the cloud autoscale configuration. + description: The unique identifier of the database. - name: created_time - type: date - description: The time when the device was known to have been created. + type: long + description: The time when the database was known to have been created. - name: created_time_dt type: date - description: TThe time when the device was known to have been created. + description: The time (date) when the database was known to have been created. - name: desc type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. + description: The description that pertains to the object or event. - name: groups type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
- name: desc type: keyword description: The group description. 
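Review bot: `database.created_time` changes from `date` to `long` while `created_time_dt` stays `date`, and the whole `device` object is removed from this file; both are breaking mapping changes for existing indices of this data stream and should be spelled out in the changelog entry and upgrade notes for the version bump, not only summarized as a pipeline rework. The `TThe` typo fix in the `created_time_dt` description is correct.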
@@ -1852,378 +171,81 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. 
- - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. 
- - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - name: modified_time - type: date - description: The time when the device was last known to have been modified. 
+ type: long + description: The most recent time when any changes, updates, or modifications were made within the database. - name: modified_time_dt type: date - description: The time when the device was last known to have been modified. + description: The most recent time (date) when any changes, updates, or modifications were made within the database. - name: name type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score + description: The database name, ordinarily as assigned by a database administrator. + - name: size type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. 
- - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. + description: The size of the database in bytes. - name: type type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + description: The database type. - name: type_id type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dst_endpoint + description: The normalized identifier of the database type. + - name: databucket type: group fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name + - name: uid type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid + description: "Unique ID" + - name: created_time + type: long + description: The time when the databucket was known to have been created. + - name: created_time_dt + type: date + description: The time (date) when the databucket was known to have been created. + - name: desc type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. 
- - name: location + description: The description of the databucket. + - name: file + type: flattened + description: A file within a databucket. + - name: groups type: group fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country + - name: domain type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code + description: The group description. + - name: name type: keyword - description: The postal code of the location. - - name: provider + description: The group name. + - name: privileges type: keyword - description: The provider of the geographical location data. - - name: region + description: The group privileges. + - name: type type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: modified_time + type: long + description: The most recent time when any changes, updates, or modifications were made within the databucket. + - name: modified_time_dt + type: date + description: The most recent time (date) when any changes, updates, or modifications were made within the databucket. - name: name type: keyword - description: The short name of the endpoint. - - name: port + description: The databucket name. + - name: size type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid + description: The size of the databucket in bytes. + - name: type type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid + description: The databucket type. + - name: type_id type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + description: The normalized identifier of the databucket type. - name: end_time type: date description: The end time of a time period, or the time of the most recent event included in the aggregate event. @@ -2235,6 +257,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
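Review bot: `databucket.uid` carries the description `"Unique ID"`, which is quoted differently and far terser than every other field in this hunk; use "The unique identifier of the databucket." to match `database.uid` above. The `long`/`date` pairing for `database.modified_time`, `databucket.created_time` and `databucket.modified_time` and their `_dt` siblings is consistent with the previous hunk, so that part is coherent; `databucket.file` being `flattened` rather than a typed file object, however, silently drops sub-field typing for file attributes and should be documented as one of the depth limitations.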
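Review bot: `ignore_malformed: true` is added to `enrichments.data`, which is a `flattened` field; `ignore_malformed` is a parameter of numeric, date, boolean, ip and geo types, so I would verify that the flattened mapper accepts it in the minimum Elasticsearch version this package targets, because an unknown mapping parameter fails index template installation rather than being ignored. If the intent is to tolerate enrichment payloads that arrive as scalars instead of objects, say so in the description or handle that case in the ingest pipeline.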
@@ -2248,6 +271,52 @@ - name: value type: keyword description: The value of the attribute to which the enriched data pertains. + - name: expiration_time + type: date + description: The share expiration time. + - name: expiration_time_dt + type: date + description: The share expiration time (date). + - name: firewall_rule + description: The Firewall Rule object represents a specific rule within a firewall policy or event. + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: text + description: The rule trigger condition for the rule. For example, SQL_INJECTION. + - name: desc + type: text + description: The description of the rule that generated the event. + - name: duration + type: integer + description: The rule response time duration, usually used for challenge completion time. + - name: match_details + type: keyword + description: The data in a request that rule matched. + - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER. + - name: name + type: keyword + description: The name of the rule that generated the event. + - name: rate_limit + type: integer + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. For example, HIGH. + - name: type + type: keyword + description: The rule type. + - name: uid + type: keyword + description: The unique identifier of the rule that generated the event. + - name: version + type: keyword + description: The rule version. For example, 1.1. - name: http_request type: group fields: 
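Review bot: `expiration_time` is typed `date` whereas the other `*_time` fields added in this patch (`database.created_time`, `database.modified_time`, `databucket.created_time`, `databucket.modified_time`) are `long` with a `date` `_dt` sibling; pick one convention for epoch-millisecond timestamps or explain why this one differs. In `firewall_rule`, `condition` and `desc` are `text` while every other descriptive string in this file is `keyword`, which makes them non-aggregatable; `keyword` (with `ignore_above` if length is a concern) would be consistent. Minor: the `description:` key for `firewall_rule` sits before `type:`, unlike the other groups.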
@@ -2338,108 +407,9 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' + - name: num_* + type: integer + description: The number fields for counting various item scan results. - name: observables type: group fields: 
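Review bot: `num_*` with `type: integer` is the only wildcard field name in this PR that is not declared as `type: object` with `object_type`/`object_type_mapping_type` (compare `product.feature.*` in the new metadata and file field files); confirm that the package-spec version in use turns a scalar-typed wildcard into a dynamic template, otherwise a literal field called `num_*` gets mapped and the real `num_`-prefixed counters fall back to dynamic mapping. The description "The number fields for counting various item scan results" should also list the attributes it covers so the pipeline can be checked against the schema. Dropping the whole `metadata` group from this file is fine as a move to `metadata-fields.yml`, but the moved `product` block changes `feature` from three explicit keywords (`name`, `uid`, `version`) to a `feature.*` wildcard object, which is a mapping change hidden inside a move and deserves a changelog line.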
@@ -2470,97 +440,43 @@ - name: value type: keyword description: The value associated with the observable attribute. - - name: proxy + - name: policy type: group fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid + - name: desc type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location + description: The description of the policy. + - name: group type: group fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country + - name: domain type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp + description: The group description. + - name: name type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code + description: The group name. + - name: privileges type: keyword - description: The postal code of the location. - - name: provider + description: The group privileges. + - name: type type: keyword - description: The provider of the geographical location data. - - name: region + description: The type of the group or account. + - name: uid type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + description: 'The policy name. For example: IAM Policy.' - name: uid type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid + description: A unique identifier of the policy instance. + - name: version type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: raw_data - type: flattened - description: The event data as received from the event source. 
- - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: severity_id - type: long - description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: src_endpoint + description: The policy version number. + - name: proxy type: group fields: - name: domain 
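Review bot: most of this hunk is alphabetical reordering (`proxy`, `raw_data`, `severity` and `severity_id` are removed here and re-added unchanged further down), which buries the one substantive change, the new `policy` group; putting pure reorders in their own commit would make the mapping diff reviewable. On `policy` itself, `policy.group` carries a `domain` subfield while the `groups` object under the new `file.accessor`/`creator`/`modifier`/`owner` users does not (`desc`, `name`, `privileges`, `type`, `uid` only); both are the same OCSF Group object, so the inline copies should match or the omission should be documented.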
@@ -2641,6 +557,61 @@ - name: vpc_uid type: keyword description: The unique identifier of the Virtual Private Cloud (VPC). + - name: query_info + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the query. + - name: name + type: keyword + description: The query name for a saved or scheduled query. + - name: query_string + type: text + description: A string representing the query code being run. For example, SELECT * FROM my_table + - name: query_time + type: long + description: The time when the query was run. + - name: query_time_dt + type: date + description: The time (date) when the query was run. + - name: bytes + type: long + description: The size of the data returned from the query. + - name: data + type: flattened + description: The data returned from the query execution. + - name: raw_data + type: flattened + description: The event data as received from the event source. + - name: raw_data_keyword + type: match_only_text + description: The raw event data keyword as received from the event source. + - name: scan + type: group + description: The Scan object describes characteristics of a proactive scan. + fields: + - name: name + type: keyword + description: The administrator-supplied or application-generated name of the scan. + - name: type + type: keyword + description: The type of scan. + - name: type_id + type: keyword + description: The type id of the scan. + - name: uid + type: keyword + description: The application-defined unique identifier assigned to an instance of a scan. + - name: schedule_uid + type: keyword + description: The unique identifier of the schedule associated with a scan job. + - name: severity + type: keyword + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. + - name: severity_id + type: long + description: The normalized identifier of the event severity. 
The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. @@ -2659,6 +630,9 @@ - name: status_id type: keyword description: The normalized identifier of the event status. + - name: total + type: integer + description: The total number of items that were scanned; zero if no items were scanned. - name: time type: date description: The normalized event occurrence time. 
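Review bot: `raw_data_keyword` is typed `match_only_text`, so the `_keyword` suffix and the description "The raw event data keyword" are misleading; either name it for what it is (a full-text copy of `raw_data`, since `raw_data` itself is `flattened` and not text-searchable) or make it a `keyword` with `ignore_above`, and state in the description that the pipeline populates it from the event body. `scan.type_id` is `keyword` while `severity_id` two entries below is `long`; OCSF `*_id` enums are integers and mixing types makes cross-class queries on `type_id` fragile. The new top-level `total: integer` for scan counts should be `long` like the other counters, and its placement between `status_id` and `time` suggests it belongs next to `num_*` with a description that ties the two together.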
@@ -2782,6 +756,60 @@ - name: version type: keyword description: The TLS protocol version. + - name: table + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the table. + - name: name + type: keyword + description: The table name, ordinarily as assigned by a database administrator. + - name: desc + type: text + description: The description of the table. + - name: created_time + type: long + description: The time when the table was known to have been created. + - name: created_time_dt + type: date + description: The time (date) when the table was known to have been created. + - name: modified_time + type: long + description: The most recent time when any changes, updates, or modifications were made within the table. + - name: modified_time_dt + type: date + description: The most recent time (date) when any changes, updates, or modifications were made within the table. + - name: size + type: long + description: The size of the data table in bytes. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: type + type: keyword + description: The event type name, as defined by the type_id. + - name: type_id + type: keyword + description: The normalized event type identifier. - name: type_name type: keyword description: The event type name, as defined by the type_uid. 
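Review bot: the new top-level `type` ("The event type name, as defined by the type_id") and `type_id` ("The normalized event type identifier") overlap with the existing `type_name` ("The event type name, as defined by the type_uid") that follows them; the OCSF base event exposes `type_uid`/`type_name`, so either these are pipeline-populated aliases (say so in the description) or they were copied from an object-level definition and should be dropped. In `table`, `created_time`/`modified_time` are `long` with `_dt` companions as `date`, which differs from `file.accessed_time`/`created_time`/`modified_time` typed `date` in the new file-fields.yml; the pipeline must convert for one of the two, so document which. `table.groups` is the third inline copy of the Group object in this PR; keep it identical to `policy.group` (both include `domain`) and reconcile it with the user `groups` that lacks `domain`.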
diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml new file mode 100644 index 000000000000..f0d2fe6bc6b1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/file-fields.yml 
@@ -0,0 +1,509 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/metadata-fields.yml 
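Review bot: `file.accessor`, `file.creator`, `file.modifier` and `file.owner` each repeat the full User object inline (account, groups, org, ldap_person and about two dozen leaf fields), so this file alone adds roughly a hundred mapped fields for the four user slots; the README note added in this PR says deep objects are flattened after 2-3 levels to stay under the field-count limit, and these sit at `ocsf.file.<user>.<object>.<leaf>`. Consider the `flattened` treatment already applied to `ldap_person` for at least `org` and `groups`, or generate the four blocks from one source so they cannot drift (their `groups` already lacks the `domain` subfield that `policy.group` and `table.groups` have). `file.hashes` as a `group` of `algorithm`/`algorithm_id`/`value` arrays loses the pairing between algorithm and value once a file carries more than one hash; if rules need "SHA-256 equals X" rather than "some hash equals X", `nested` is required. `file.type_id`, `confidentiality_id`, `signature.algorithm_id` and `hashes.algorithm_id` are `keyword` while `attributes` is `long`; OCSF enum ids are integers, so a numeric type keeps them consistent with `severity_id`.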
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..91fca432e6eb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/network-endpoint-fields.yml 
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/application_activity/fields/resource-fields.yml 
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/application_activity/manifest.yml b/packages/amazon_security_lake/data_stream/application_activity/manifest.yml index 74966e6d2d35..6f544e408a1c 100644 --- a/packages/amazon_security_lake/data_stream/application_activity/manifest.yml +++ b/packages/amazon_security_lake/data_stream/application_activity/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Application Activity Events dataset: amazon_security_lake.application_activity type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/api-fields.yml 
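Review bot: `session.mfa` appears twice in this actor-fields.yml hunk (once under `process.session`, once under the top-level `session`) as `type: boolean` with no `description`, while the neighbouring `is_mfa` is documented; either add a description (e.g. `description: Indicates whether Multi Factor Authentication was used during authentication.`) or drop the undocumented field if `is_mfa` is the v1.1.0 name. The first `org.*` object mapping in the same hunk also lacks the `description: Organization and org unit related to the user.` that the two later `org.*` mappings carry. Separately, the `ldap_person` timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are declared with `format: epoch_second`, but `session.created_time` and `session.expiration_time` are plain `type: date`, whose default format parses numeric values as epoch milliseconds; confirm which epoch unit Security Lake emits for OCSF `*_time` fields and apply the same `format` to all of them, otherwise one set will be parsed as the wrong unit.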
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/device-fields.yml 
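Review bot: in this api-fields.yml hunk, `api.request.containers.size` and `api.response.containers.size` are mapped as `type: integer`, whereas the container mapping being removed from discovery/fields/fields.yml in this same change uses `type: long` for `size`; image sizes in bytes can exceed the signed 32-bit range, so keep `long` here. `api.group.desc` is `type: text` while every other `desc` field in this change (for example `actor.user.groups.desc`) is `keyword`, which makes it non-aggregatable and inconsistent; use `keyword` unless full-text analysis is actually wanted. The `containers` description copied into both request and response ("the set of containers which write to the standard the output of a particular logging driver") has a stray "the"; suggest "write to the standard output of a particular logging driver".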
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml index 6147dba2ae12..bfbe2228e057 100644 --- a/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/discovery/fields/fields.yml 
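Review bot: in this device-fields.yml hunk, `device.uid_alt` carries the user object's description ("The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID."), a copy-paste error on a device field; reword it to describe an alternate device identifier. `device.subnet` is mapped as `type: ip_range` but its description reads "The subnet mask."; an `ip_range` field expects CIDR notation or a `gte`/`lte` object, not a dotted mask such as 255.255.255.0, so check what the source actually emits and either change the field to `keyword` or fix the description. Minor typos in the same hunk: the `created_time_dt` description starts with "TThe", the `hostname` description reads "The devicename.", and the `hw_info.chassis` description ends with the garbled "Such as the following examples for Windows Windows Chassis Types."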
@@ -7,1713 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. 
- - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: category_name type: keyword description: 'The event category name, as defined by category_uid value: Identity & Access Management.' 
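Review bot: several of the definitions this hunk deletes carried copy-paste errors, and since the hunk removes them instead of fixing them, please check that the replacement definitions for these objects do not repeat the same wording: `email_addr` is described as "The image name. For example: elixir." while `full_name` is described as "The user's email address."; `product.name` and `product.uid` are described as the name and identifier "of the feature"; the owner's user `type` reads "The event occurred on a personal device.The type of the user..."; and `integrity` says it is normalized to the caption of `direction_id` where `integrity_id` is clearly meant. Two fields (`session.mfa` and `parent_process_keyword`) also had no description at all. Because this drops explicit mappings for the whole user, process, session and api sub-trees, the changelog entry should say which of these paths stay explicitly mapped and which now depend on dynamic mapping, so that saved searches and detection rules keyed on them can be checked.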
@@ -1738,6 +31,12 @@ - name: kb_articles type: keyword description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: rule type: group fields: @@ -1761,7 +60,7 @@ description: The rule version. - name: class_name type: keyword - description: 'The event class name, as defined by class_uid value: Security Finding.' + description: 'The event class name, as defined by class_uid value: Security Finding, User Inventory Info.' - name: class_uid type: keyword description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. 
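Review bot: `kb_article_list` (flattened) is added directly beside the existing `kb_articles` (keyword) without stating how the two relate; if `kb_articles` is only retained for backward compatibility, say so in its description, because rules and dashboards that key on it will otherwise silently miss data that now lands in `kb_article_list`. The `references` description also needs tidying: "A list of supporting URLs or references that help describe the remediation strategy."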
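Review bot: the `class_name` description now lists "Security Finding, User Inventory Info", but the `class_uid` description in the unchanged context just below it still documents only `2001 Security Finding`; add the User Inventory Info class uid and its one-line definition there so the two descriptions agree. That context line also has sentences run together ("...available in an event.2001 Security FindingSecurity Finding events describe...") and is worth separating while the neighbouring line is being edited.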
@@ -1813,336 +112,6 @@ - name: count type: long description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' 
- - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
- - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. 
- - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. 
- - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). 
- name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -2157,6 +126,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
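Review bot: `ignore_malformed: true` on the `enrichments.data` field (`type: flattened`) changes failure behaviour silently: a value that does not fit the mapping is dropped from the index and only recorded in the document's `_ignored` field, while the rest of the document is indexed without error, so an enrichment payload whose shape changes upstream would disappear from searches without any ingest failure. Please confirm that `ignore_malformed` is actually honoured by the `flattened` field type in the Elasticsearch versions the package targets, and add a short comment on why dropping the value is preferred over rejecting the event here.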
@@ -2170,111 +140,49 @@ - name: value type: keyword description: The value of the attribute to which the enriched data pertains. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: metadata + - name: kb_article_list type: group + description: The KB Article object contains metadata that describes the patch or update. fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider + - name: uid type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version + description: The unique identifier for the kb article. + - name: bulletin type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time + description: The kb article bulletin identifier. + - name: classification type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt + description: The vendors classification of the kb article. + - name: created_time + type: long + description: The date the kb article was released by the vendor. + - name: created_time_dt type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles + description: The date the kb article was released by the vendor. + - name: is_superseded + type: boolean + description: "The patch is superseded" + - name: severity type: keyword - description: The list of profiles used to create the event. - - name: sequence + description: The severity of the kb article. + - name: size type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid + description: The size in bytes for the kb article. + - name: src_url type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version + description: The kb article link from the source vendor. + - name: title type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' + description: The title of the kb article. + - name: os + type: flattened + description: The operating system the kb article applies. + - name: product + type: flattened + description: The product details the kb article applies. + - name: message + type: keyword + description: The description of the event, as defined by the event source. - name: observables type: group fields: 
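Review bot: `kb_article_list.created_time` is mapped as `type: long` while the other epoch fields added in this PR (for example `ldap_person.created_time` in `user-fields.yml`) use `type: date` with `format: epoch_second`, and every other `*_time` field in this hunk is a `date`; map it the same way so range queries and date histograms work on it. Smaller points in the same hunk: the `is_superseded` description is a quoted fragment ("The patch is superseded") rather than a sentence like its neighbours, and the `type_id`/`*_id` fields under `kb_article_list` are `keyword` whereas `security_level_id` later in the file is `integer`, so the id typing should be decided once and applied consistently.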
@@ -2305,9 +213,38 @@ - name: value type: keyword description: The value associated with the observable attribute. + - name: prev_security_states + type: group + description: The previous security states of the device. + fields: + - name: state + type: keyword + description: The security state of the discovery. + - name: state_id + type: keyword + description: The security state of the managed entity. - name: raw_data type: flattened description: The event data as received from the event source. + - name: raw_data_keyword + type: match_only_text + description: The raw event data keyword as received from the event source. + - name: security_level + type: keyword + description: The current security level of the entity. + - name: security_level_id + type: integer + description: The current security level of the entity. + - name: security_states + type: group + description: The current security states of the device. + fields: + - name: state + type: keyword + description: The security state of the discovery. + - name: state_id + type: keyword + description: The security state of the managed entity. - name: severity type: keyword description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/metadata-fields.yml 
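Review bot: `state_id` under both `prev_security_states` and `security_states` is `type: keyword`, but `security_level_id` in the same hunk is `type: integer`; OCSF `*_id` enum values should be mapped with one type across the data stream. The descriptions also look copy-pasted: `state` reads "The security state of the discovery." and `state_id` reads "The security state of the managed entity.", neither of which says that `state_id` is the normalized identifier for the `state` caption, and `security_level` and `security_level_id` share the identical description. Finally, `raw_data_keyword` is mapped as `match_only_text`, which is a text type, not a keyword; either rename the field or state in the description that it is the text-searchable form of `raw_data`.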
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml new file mode 100644 index 000000000000..904fd937ffa0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/discovery/fields/user-fields.yml 
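Review bot: the description of `metadata.tenant_uid` ("The audit level at which an event was generated.") does not match the field; it should describe the tenant's unique identifier. In the same file, `extension` and `extensions` are defined with identical sub-fields; if both are kept for compatibility between OCSF schema versions, a one-line description on each saying which version uses which name would help, otherwise drop the unused one. The `cpe_name` description is also missing punctuation before "For example" ("as described by (NIST) For example, cpe:/a:apple:safari:16.2.").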
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. 
For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/discovery/manifest.yml b/packages/amazon_security_lake/data_stream/discovery/manifest.yml index 378ed301c0b3..39d52c9c0dac 100644 --- a/packages/amazon_security_lake/data_stream/discovery/manifest.yml +++ b/packages/amazon_security_lake/data_stream/discovery/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Discovery Events dataset: amazon_security_lake.discovery type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml new file mode 100644 index 000000000000..b795fcdeb2c1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/env.yml 
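Review bot: `user.type_id` and `user.manager.type_id` are described as "The account type identifier." while the sibling `type` field is "The type of the user."; `account.type_id` already carries the account-type meaning, so this description should say it is the normalized user type identifier. Also in this hunk: the `ldap_dn` description is missing a period before "For example" ("...in an X.500 directory service For example, cn=John Doe,..."), and the `manager` group's description is just "Manager", which tells the reader nothing that the field name does not.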
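Review bot: `index_template.mappings.dynamic: true` in the discovery manifest means any OCSF key that is not in the fields files will create a new indexed field at ingest time, and the README change in this PR already warns that nested objects are flattened to stay within the field mapping limit; please document in the manifest (or README) why dynamic mapping is enabled here and which `index.mapping.total_fields.limit` the data stream is expected to operate under, so that a source emitting many unmapped attributes does not start rejecting documents once the limit is reached.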
@@ -0,0 +1,9 @@ +version: '2.3' +services: + terraform: + environment: + - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} + - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} + - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} + - AWS_PROFILE=${AWS_PROFILE} + - AWS_REGION=${AWS_REGION:-us-east-1} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet new file mode 100644 index 000000000000..a9e689098ce3 Binary files /dev/null and b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/application_lifecycle.parquet differ diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/discovery_user_inventory_info.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/discovery_user_inventory_info.parquet new file mode 100644 index 000000000000..f91a099bdc67 Binary files /dev/null and b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/discovery_user_inventory_info.parquet differ diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet new file mode 100644 index 000000000000..0658a8c71513 Binary files /dev/null and b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/findings_compliance_findings.parquet differ diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet new file mode 100644 index 000000000000..368a4134ba0a Binary files /dev/null and b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/iam_account_change.parquet differ 
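Review bot: only `AWS_REGION` gets a fallback (`${AWS_REGION:-us-east-1}`); the other four variables expand to empty strings when unset in the CI environment, and an empty `AWS_PROFILE` or `AWS_SESSION_TOKEN` passed into the container is easy to misdiagnose. Either give each variable a consistent fallback or add a comment stating which of them are required, and note that `AWS_SESSION_TOKEN` should be the preferred path (short-lived credentials) for test runs.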
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/network_email_activity.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/network_email_activity.parquet new file mode 100644 index 000000000000..f4935811e560 Binary files /dev/null and b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/network_email_activity.parquet differ diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet new file mode 100644 index 000000000000..22ced6bea44d Binary files /dev/null and b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/files/system_file_system_activity.parquet differ diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf new file mode 100644 index 000000000000..623a4846d444 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/main.tf 
@@ -0,0 +1,44 @@ +variable "TEST_RUN_ID" { + default = "detached" +} + +variable "files_path" { + description = "Path to the directory containing files to upload" + type = string + default = "./files" +} + +provider "aws" { + default_tags { + tags = { + environment = var.ENVIRONMENT + repo = var.REPO + branch = var.BRANCH + build = var.BUILD_ID + created_date = var.CREATED_DATE + } + } +} + +resource "aws_s3_bucket" "security_lake_logs" { + bucket = "security-lake-logs-bucket-${var.TEST_RUN_ID}" +} + +# Upload files to the single bucket with directory structures based on their file prefix +resource "aws_s3_object" "objects" { + for_each = fileset(var.files_path, "**") + + bucket = aws_s3_bucket.security_lake_logs.id + + # Create the directory structure based on the file prefix + key = "${split("_", each.value)[0]}/${each.value}" + + source = "${var.files_path}/${each.value}" # Full path to the source file + + etag = filemd5("${var.files_path}/${each.value}") +} + +output "bucket_arn" { + value = aws_s3_bucket.security_lake_logs.arn + description = "The ARN of the S3 bucket" +} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf new file mode 100644 index 000000000000..9d78b1b3c4f8 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/_dev/deploy/tf/variables.tf @@ -0,0 +1,22 @@ +variable "BRANCH" { + description = "Branch name or pull request for tagging purposes" + default = "unknown-branch" +} + +variable "BUILD_ID" { + description = "Build ID in the CI for tagging purposes" + default = "unknown-build" +} + +variable "CREATED_DATE" { + description = "Creation date in epoch time for tagging purposes" + default = "unknown-date" +} + +variable "ENVIRONMENT" { + default = "unknown-environment" +} + +variable "REPO" { + default = "unknown-repo-name" +} 
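Review bot: `key = "${split("_", each.value)[0]}/${each.value}"` assumes a flat fixtures directory, but `fileset(var.files_path, "**")` is recursive; a fixture placed in a subdirectory yields a relative path containing `/`, so `sub/foo_bar.parquet` would be uploaded as `sub/foo/sub/foo_bar.parquet`. Restrict the pattern to `fileset(var.files_path, "*.parquet")` or apply `basename()` before the split. Also consider declaring an `aws_s3_bucket_public_access_block` for `security_lake_logs`, since the bucket holds log-shaped data even if only for the lifetime of a test run.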
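Review bot: `variables.tf` holds the tagging variables but `TEST_RUN_ID` and `files_path` are declared in `main.tf`; moving them into `variables.tf` (and giving `ENVIRONMENT` and `REPO` a `description` like the other three) keeps all inputs in one place for whoever adapts this deploy for other data streams.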
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log index c7ccb32bdd0b..3d62c91b4947 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log 
@@ -1,3 +1,7 @@ {"http_request":{"version":"1.0.0","uid":"072e083a-584a-11ee-9892-0242ac110005","url":{"port":51670,"scheme":"metallica races fears","path":"container profiles content","hostname":"congress.nato","query_string":"pads palestinian already","category_ids":[35,59],"url_string":"daily"},"user_agent":"webpage assets adams","http_headers":[{"name":"aol jim thick","value":"unexpected counts ease"},{"name":"ride sender reflections","value":"persistent irc finest"}],"http_method":"GET"},"message":"brain bear brush","status":"Unknown","time":1695277679358,"device":{"name":"explains slow junior","type":"IOT","ip":"81.2.69.142","desc":"evaluate permits yesterday","uid":"072de986-584a-11ee-b258-0242ac110005","hostname":"chuck.int","type_id":7,"interface_name":"uzbekistan published feedback","interface_uid":"072ddc66-584a-11ee-9824-0242ac110005","last_seen_time":1695277679358,"region":"invalid expressed participating"},"metadata":{"version":"1.0.0","product":{"name":"loc bw pa","version":"1.0.0","uid":"072dafa2-584a-11ee-bca3-0242ac110005","lang":"en","url_string":"indirect","vendor_name":"fotos choir archive"},"sequence":20,"profiles":["cloud","container","datetime","host"],"correlation_uid":"072db420-584a-11ee-adc0-0242ac110005","event_code":"edward","log_name":"foul jackson termination","log_provider":"copper protective inexpensive","original_time":"diploma mesh certified","logged_time_dt":"2023-09-21T06:42:26.632427Z"},"severity":"High","type_name":"Web Resource Access Activity: Access Error","activity_id":4,"type_uid":600404,"category_name":"Application Activity","class_uid":6004,"category_uid":6,"class_name":"Web Resource Access Activity","timezone_offset":55,"activity_name":"Access Error","cloud":{"org":{"name":"brazil newbie loc","uid":"072d99ea-584a-11ee-920a-0242ac110005","ou_name":"predicted themselves missile","ou_uid":"072da124-584a-11ee-bf8b-0242ac110005"},"provider":"speeches mail lack"},"severity_id":4,"status_id":0,"web_resources":[{"name":"ghost 
formats res","desc":"pleased won coverage","uid":"072dbbbe-584a-11ee-b4cc-0242ac110005","type": "package type","url_string":"consists"},{"data":{"logitech":"dehbs"},"url_string":"devil"}],"start_time_dt":"2023-09-21T06:42:26.634761Z", "http_response": {"code":22, "length":40, "latency":3, "message": "message regarding htp response"}} {"message":"washington like safari","status":"Failure","time":1695277679358,"metadata":{"version":"1.0.0","product":{"name":"eligible scenes worm","version":"1.0.0","uid":"f6508420-520e-11ee-adcc-0242ac110004","feature":{"name":"australia cup bios","version":"1.0.0","uid":"f6508bfa-520e-11ee-b54c-0242ac110004"},"lang":"en","vendor_name":"fix complicated accreditation"},"sequence":78,"profiles":[],"log_name":"ur bother bearing","log_provider":"performs elevation fox","log_version":"three maritime cowboy","logged_time":1695277679358,"original_time":"moore genetic symbols","processed_time":1695277679358},"start_time":1695277679358,"severity":"Unknown","type_name":"Web Resources Activity: Create","category_name":"Application Activity","timezone_offset":83,"activity_id":1,"class_uid":6001,"type_uid":600101,"category_uid":6,"class_name":"Web Resources Activity","activity_name":"Create","severity_id":0,"src_endpoint":{"name":"leasing imperial toner","port":31790,"domain":"hawaii unfortunately copying","ip":"81.2.69.142","hostname":"saudi.int","uid":"f650994c-520e-11ee-a9f4-0242ac110004","instance_uid":"f6509d0c-520e-11ee-9e6b-0242ac110004","interface_name":"somewhere mentor crm","interface_uid":"f650a3f6-520e-11ee-882f-0242ac110004","intermediate_ips":["81.2.69.142","81.2.69.143"],"svc_name":"sheets horror trader","vlan_uid":"f650a8a6-520e-11ee-b961-0242ac110004"},"status_detail":"only zone its","status_id":2,"web_resources":[{"data":{"discretion":"fhbds"},"desc":"Description of web resource","name":"concept navigator constitution","type":"fundamental previous ty","url_string":"past"}],"web_resources_result":[{"type":"prediction sunglasses 
rounds","uid":"f65072d2-520e-11ee-9b9a-0242ac110004","url_string":"military"},{"data":{"protect":"rfvfd"},"url_string":"association"}]} {"message":"issues kings loop","status":"Success","time":1695277679358,"device":{"name":"knows col covered","type":"Unknown","domain":"allied had insulation","ip":"81.2.69.142","uid":"651987a6-584c-11ee-ad31-0242ac110005","hostname":"zinc.biz","org":{"name":"chaos winner entered","uid":"65197a86-584c-11ee-96c1-0242ac110005","ou_name":"music client leaf"},"type_id":0,"created_time":1695277679358,"hw_info":{"ram_size":84,"serial_number":"training blink executives"},"instance_uid":"65197efa-584c-11ee-bc04-0242ac110005","interface_name":"lightbox bugs spain","interface_uid":"6519835a-584c-11ee-b813-0242ac110005","is_personal":false,"region":"casio paris norway","subnet_uid":"6519725c-584c-11ee-b6a2-0242ac110005","uid_alt":"older audience trends"},"metadata":{"version":"1.0.0","product":{"name":"enzyme cookie citations","version":"1.0.0","uid":"65195f88-584c-11ee-8118-0242ac110005","lang":"en","url_string":"deck","vendor_name":"rochester school force"},"profiles":["cloud","container","datetime","host"],"log_name":"collaboration blood loan","log_provider":"jurisdiction protecting witness","original_time":"effectively dimensional reservation","modified_time_dt":"2023-09-21T06:59:23.198620Z"},"app":{"name":"bottom loud knowledge","version":"1.0.0","uid":"6519a3da-584c-11ee-8c89-0242ac110005","path": "path o f","feature":{"name":"mit received implemented","version":"1.0.0","uid":"6519aa4c-584c-11ee-ac40-0242ac110005"},"lang":"en","vendor_name":"ss keeping administered"},"severity":"Fatal","type_name":"Application Lifecycle: Other","activity_id":99,"type_uid":600299,"category_name":"Application Activity","class_uid":6002,"category_uid":6,"class_name":"Application Lifecycle","activity_name":"look","cloud":{"org":{"name":"exclusive variables tag","uid":"65193f12-584c-11ee-ae9b-0242ac110005","ou_name":"custom packard 
pierre"},"account":{"type":"AWS Account","uid":"65194d7c-584c-11ee-8857-0242ac110005","type_id":10},"provider":"infrared delayed visiting","region":"initial lucia designer"},"severity_id":6,"status_detail":"rat forth dishes","status_id":1,"start_time_dt":"2023-09-21T06:59:23.200400Z"} +{"message":"routing rosa speeds","status":"Failure","type":"loc","time":1722945774073580,"metadata":{"version":"1.1.0","product":{"name":"nightlife joint talked","version":"1.1.0","path":"roulette covered encryption","uid":"cfcfc1aa-53eb-11ef-80a9-0242ac110005","vendor_name":"rainbow league closure"},"extensions":[{"name":"importantly identifying causing","version":"1.1.0","uid":"cfcfce02-53eb-11ef-a17b-0242ac110005"},{"name":"feof nightlife dans","version":"1.1.0","uid":"cfcfd5d2-53eb-11ef-acdf-0242ac110005"}],"labels":["dominant"],"log_level":"consult supplements external","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"ottawa triumph analysis","log_provider":"medal removing losses","original_time":"families batman star","tenant_uid":"cfcfde4c-53eb-11ef-9b9b-0242ac110005"},"severity":"Informational","duration":38,"type_name":"Datastore Activity: Write","activity_id":5,"type_uid":600505,"category_name":"Application Activity","class_uid":6005,"category_uid":6,"class_name":"Datastore Activity","type_id":99,"end_time_dt":"2024-08-06T12:02:54.073562Z","activity_name":"Write","actor":{"process":{"name":"Flashing","pid":98,"file":{"name":"senegal.dcr","type":"Folder","path":"stock armstrong ie/bobby.m3u/senegal.dcr","type_id":2,"creator":{"name":"Slight","type":"System","domain":"dedicated smile macintosh","uid":"cfd08748-53eb-11ef-8545-0242ac110005","type_id":3},"parent_folder":"stock armstrong ie/bobby.m3u","confidentiality":"Top 
Secret","confidentiality_id":4,"hashes":[{"value":"6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43","algorithm":"magic","algorithm_id":99},{"value":"7B849A50DA92F39D6AF294B10E0B93F5","algorithm":"MD5","algorithm_id":1}],"modified_time_dt":"2024-08-06T12:02:54.074547Z"},"user":{"name":"Contamination","type":"Admin","uid":"cfd09666-53eb-11ef-9cc7-0242ac110005","type_id":2},"group":{"name":"desired administration quotations","desc":"mime counsel uses","uid":"cfd0a0f2-53eb-11ef-a02f-0242ac110005"},"uid":"cfd0a73c-53eb-11ef-9622-0242ac110005","loaded_modules":["/chronicle/initiated/hormone/surprise/corps.html","/allan/appearance/viruses/college/naughty.rom"],"cmd_line":"associate directions partly","container":{"size":2753478121,"uid":"cfd0b25e-53eb-11ef-aab1-0242ac110005","image":{"name":"number serial patients","uid":"cfd0bb46-53eb-11ef-b743-0242ac110005"},"hash":{"value":"D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2","algorithm":"magic","algorithm_id":99}},"created_time":1722945774075951,"namespace_pid":78,"parent_process":{"name":"Basin","pid":63,"file":{"attributes":67,"name":"spirituality.mid","type":"Character Device","path":"analyzed election throws/composition.tax2020/spirituality.mid","uid":"cfd0d964-53eb-11ef-9f61-0242ac110005","type_id":3,"company_name":"Norberto Vena","parent_folder":"analyzed election throws/composition.tax2020","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7","algorithm":"SHA-1","algorithm_id":2}],"security_descriptor":"nor treasury uri","xattributes":{}},"user":{"name":"Revisions","type":"Admin","type_id":2,"ldap_person":{"created_time":1722945774077119,"hire_time":1722945774077128,"hire_time_dt":"2024-08-06T12:02:54.077132Z"}},"group":{"name":"adolescent antigua ui","domain":"detail blah motels","uid":"cfd0fa70-53eb-11ef-9120-0242ac110005"},"cmd_line":"hash unknown meters","container":{"name":"gnome face 
decisions","size":411217035,"uid":"cfd10448-53eb-11ef-8948-0242ac110005","image":{"name":"climbing quickly lonely","uid":"cfd10d12-53eb-11ef-8fcb-0242ac110005"},"hash":{"value":"48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294","algorithm":"magic","algorithm_id":99}},"created_time":1722945774077934,"lineage":["off disturbed bidding","validity requested without"],"namespace_pid":60,"parent_process":{"name":"Zus","session":{"issuer":"informal witnesses endif","created_time":1722945774078143,"is_remote":false},"file":{"attributes":46,"name":"invite.flv","type":"Folder","path":"mobiles at hazards/feels.b/invite.flv","product":{"name":"executives dell bands","version":"1.1.0","uid":"cfd14174-53eb-11ef-ad92-0242ac110005","url_string":"divx","vendor_name":"neighbor advise animal"},"modifier":{"name":"Bang","type":"wicked","uid":"cfd14d0e-53eb-11ef-8822-0242ac110005","org":{"name":"snake dam rapidly","uid":"cfd155ba-53eb-11ef-9ea1-0242ac110005","ou_name":"photo acrylic highway"},"groups":[{"name":"wales indoor speaking","uid":"cfd160be-53eb-11ef-8f19-0242ac110005"},{"name":"mongolia records suffer","desc":"bathrooms transfers diego","uid":"cfd167da-53eb-11ef-b5a7-0242ac110005"}],"type_id":99,"full_name":"Etha Roy"},"uid":"cfd16ece-53eb-11ef-92bb-0242ac110005","type_id":2,"company_name":"Christian Cinda","parent_folder":"mobiles at hazards/feels.b","confidentiality":"promise","confidentiality_id":99,"hashes":[{"value":"CE59D0F436DBA3BA0A6A76043041A5E787C3B835","algorithm":"SHA-1","algorithm_id":2},{"value":"5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77","algorithm":"CTPH","algorithm_id":5}],"modified_time":1722945774080462,"security_descriptor":"allen mba skating"},"user":{"name":"Bernard","type":"Admin","type_id":2,"uid_alt":"denmark day sir"},"group":{"desc":"times substitute 
plasma","uid":"cfd17fa4-53eb-11ef-bb39-0242ac110005"},"tid":63,"uid":"cfd185c6-53eb-11ef-85ca-0242ac110005","loaded_modules":["/hotels/stream/anchor/ted/ghost.zipx","/secure/proprietary/execute/medicine/hl.dwg"],"cmd_line":"capabilities major outline","container":{"name":"ul primary rivers","size":4147443008,"uid":"cfd19624-53eb-11ef-b555-0242ac110005","image":{"name":"objectives cooper expenses","tag":"flashers incurred visiting","uid":"cfd19f5c-53eb-11ef-b6a5-0242ac110005"},"hash":{"value":"32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA","algorithm":"SHA-256","algorithm_id":3}},"created_time":1722945774081680,"lineage":["feed prozac starring"],"parent_process":{"name":"Keep","pid":75,"file":{"name":"shirts.pct","type":"Folder","path":"reporters schools bermuda/investigations.apk/shirts.pct","modifier":{"name":"Drivers","type":"Admin","uid":"cfd1b884-53eb-11ef-9e17-0242ac110005","type_id":2,"credential_uid":"cfd1bf00-53eb-11ef-9ae0-0242ac110005"},"type_id":2,"parent_folder":"reporters schools bermuda/investigations.apk","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216","algorithm":"SHA-512","algorithm_id":4}]},"user":{"name":"Northeast","type":"Admin","uid":"cfd1cbbc-53eb-11ef-86e4-0242ac110005","org":{"name":"demo dressing bloggers","ou_name":"infection replace kingdom"},"groups":[{"type":"multi extension th","domain":"rolled womens allowed","uid":"cfd1de54-53eb-11ef-9548-0242ac110005"},{"name":"shorter hydrocodone obtaining","type":"jenny version diploma"}],"type_id":2,"credential_uid":"cfd1e638-53eb-11ef-acdc-0242ac110005","email_addr":"Timika@starsmerchant.store","uid_alt":"jr participants illustration"},"group":{"name":"easily strengthening concept","type":"claimed farms dressed","domain":"jim presents 
tire","uid":"cfd1f0b0-53eb-11ef-a5b6-0242ac110005"},"tid":93,"uid":"cfd1f6b4-53eb-11ef-88fe-0242ac110005","container":{"name":"travesti borough biggest","size":3355225968,"uid":"cfd201c2-53eb-11ef-86c9-0242ac110005","hash":{"value":"A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1722945774084196,"namespace_pid":63,"parent_process":{"name":"Acres","pid":41,"file":{"name":"cafe.fon","type":"Local Socket","path":"microwave cir nails/gtk.dmg/cafe.fon","uid":"cfd23214-53eb-11ef-aaf5-0242ac110005","type_id":5,"creator":{"name":"Soa","ldap_person":{"manager":{"name":"Arrangements","type":"bunch","domain":"permission eu anonymous","uid":"cfd25802-53eb-11ef-bc5e-0242ac110005","org":{"name":"positioning sending donald","uid":"cfd261e4-53eb-11ef-8e64-0242ac110005","ou_name":"americans pee mixed"},"type_id":99},"cost_center":"char immigration blue","employee_uid":"cfd269b4-53eb-11ef-862f-0242ac110005","job_title":"tm payday needed","office_location":"hack maintains suit","hire_time_dt":"2024-08-06T12:02:54.086830Z"}},"parent_folder":"microwave cir nails/gtk.dmg","security_descriptor":"hour rca writes"},"user":{"name":"Defence","type":"Admin","uid":"cfd27814-53eb-11ef-91f4-0242ac110005","groups":[{"name":"suppliers returns jewellery","uid":"cfd28336-53eb-11ef-a671-0242ac110005"},{"name":"archive honolulu restricted","uid":"cfd28a84-53eb-11ef-a27d-0242ac110005"}],"type_id":2,"account":{"name":"engage subscribe fireplace","type":"Unknown","uid":"cfd298e4-53eb-11ef-9fc1-0242ac110005","type_id":0},"ldap_person":{"manager":{"name":"Lucia","domain":"sides sheet lt","uid":"cfd2a640-53eb-11ef-b33d-0242ac110005","credential_uid":"cfd2ac3a-53eb-11ef-89b0-0242ac110005","email_addr":"Dodie@soundtrack.firm"},"modified_time":1722945774088534,"leave_time_dt":"2024-08-06T12:02:54.088544Z","last_login_time_dt":"2024-08-06T12:02:54.088552Z"},"uid_alt":"trustee tree normally"},"group":{"name":"income bridges 
uruguay","uid":"cfd2b96e-53eb-11ef-b3a0-0242ac110005"},"tid":47,"uid":"cfd2bf72-53eb-11ef-96ff-0242ac110005","loaded_modules":["/counters/kentucky/proceeding/yo/norwegian.mp3","/indianapolis/sega/statutes/java/purple.bat"],"cmd_line":"calibration signature temp","container":{"name":"begins magnetic inn","size":83122349,"uid":"cfd2ca08-53eb-11ef-af87-0242ac110005","image":{"name":"pot pulse ser","path":"seat employers licenses","uid":"cfd2d638-53eb-11ef-a4c4-0242ac110005"},"hash":{"value":"CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"essay brother facility","pod_uuid":"bachelor"},"created_time":1722945774089651,"integrity":"Protected","integrity_id":6,"namespace_pid":96,"parent_process":{"name":"Nationwide","pid":28,"file":{"name":"fragrance.otf","owner":{"name":"Does","type":"Admin","uid":"cfd2f1c2-53eb-11ef-9117-0242ac110005","type_id":2,"email_addr":"Patrina@prototype.gov","ldap_person":{"cost_center":"permits interact afternoon","deleted_time":1722945774090716,"ldap_dn":"renaissance exhibition far","leave_time_dt":"2024-08-06T12:02:54.090731Z","last_login_time_dt":"2024-08-06T12:02:54.090739Z"}},"type":"Block Device","path":"thumbzilla sir drawings/clicking.ico/fragrance.otf","modifier":{"name":"Romania","type":"Unknown","uid":"cfd30dd8-53eb-11ef-a1d7-0242ac110005","groups":[{"name":"boat generate canadian","type":"breast brave sacramento","domain":"mostly third hats","desc":"york yours falls","uid":"cfd317ec-53eb-11ef-b8c7-0242ac110005","privileges":["queries meyer wellness"]},{"name":"considerations wants books","uid":"cfd31f1c-53eb-11ef-8b0c-0242ac110005"}],"type_id":0},"type_id":4,"parent_folder":"thumbzilla sir 
drawings/clicking.ico","confidentiality":"Unknown","confidentiality_id":0,"created_time":1722945774091482,"hashes":[{"value":"8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874","algorithm":"magic","algorithm_id":99},{"value":"A541714A17804AC281E6DDDA5B707952","algorithm":"MD5","algorithm_id":1}],"modified_time":1722945774091552,"xattributes":{}},"user":{"name":"Semester","type":"Unknown","uid":"cfd34d66-53eb-11ef-852b-0242ac110005","groups":[{"name":"ellis methods congratulations","uid":"cfd3572a-53eb-11ef-8889-0242ac110005","privileges":["deck version bathroom"]},{"name":"proposed margin drug","desc":"race pg usps","uid":"cfd35e64-53eb-11ef-8d1c-0242ac110005"}],"type_id":0,"email_addr":"Birdie@candle.edu","ldap_person":{},"uid_alt":"protein clubs membership"},"group":{"name":"blessed operates rug","uid":"cfd36e5e-53eb-11ef-9d98-0242ac110005"},"uid":"cfd374da-53eb-11ef-a5ba-0242ac110005","cmd_line":"vaccine l vegetarian","container":{"name":"matter venues paxil","size":3925402475,"uid":"cfd37e94-53eb-11ef-b3b8-0242ac110005","image":{"name":"troy when advertisers","path":"knife aluminum connectivity","uid":"cfd3879a-53eb-11ef-b5b2-0242ac110005"},"hash":{"value":"9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE","algorithm":"Unknown","algorithm_id":0},"pod_uuid":"examined"},"created_time":1722945774094193,"lineage":["relationship closed gathered","ment tu other"],"namespace_pid":26,"parent_process":{"name":"Pixel","pid":10,"session":{"uid":"cfd3a202-53eb-11ef-8e19-0242ac110005","issuer":"recognize lobby mon","created_time":1722945774095984,"is_remote":false},"file":{"name":"jane.m4a","type":"Folder","path":"living marsh smilies/turner.mim/jane.m4a","modifier":{"type":"System","uid":"cfd3e9ec-53eb-11ef-a8dd-0242ac110005","type_id":3,"uid_alt":"account qld kim"},"type_id":2,"parent_folder":"living marsh 
smilies/turner.mim","confidentiality":"auburn","confidentiality_id":99,"hashes":[{"value":"C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868","algorithm":"quickXorHash","algorithm_id":7},{"value":"9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1722945774096743,"security_descriptor":"ticket vegas generates","created_time_dt":"2024-08-06T12:02:54.096759Z"},"group":{"name":"bean learners accepting","type":"dietary firms hotels","uid":"cfd3fbe4-53eb-11ef-bdb1-0242ac110005"},"uid":"cfd40206-53eb-11ef-a429-0242ac110005","cmd_line":"initiative step gathered","container":{"name":"hundred central hrs","size":724491757,"uid":"cfd40e22-53eb-11ef-afb2-0242ac110005","image":{"name":"food qatar brain","uid":"cfd41700-53eb-11ef-a54d-0242ac110005"},"hash":{"value":"1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3","algorithm":"Unknown","algorithm_id":0}},"created_time":1722945774097846,"namespace_pid":45,"parent_process":{"name":"Yield","pid":82,"file":{"name":"apartments.py","size":524979186,"type":"Named Pipe","path":"fig kelly companion/attorneys.com/apartments.py","uid":"cfd42dd0-53eb-11ef-8dc9-0242ac110005","type_id":6,"parent_folder":"fig kelly companion/attorneys.com","hashes":[{"value":"EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A","algorithm":"SHA-256","algorithm_id":3},{"value":"C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"avoiding bear incoming"},"user":{"name":"Fatal","type":"Unknown","type_id":0},"group":{"name":"cam empirical 
path","uid":"cfd43d52-53eb-11ef-8205-0242ac110005"},"uid":"cfd4436a-53eb-11ef-84cf-0242ac110005","cmd_line":"pix potential mardi","container":{"name":"kerry courier tony","runtime":"ben dynamics vienna","size":3164331564,"image":{"name":"celebrities sensitive manufacture","tag":"staff ericsson duty","path":"selling rocky projection","uid":"cfd450d0-53eb-11ef-83f3-0242ac110005","labels":["healing","avoiding"]},"hash":{"value":"A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"dui expansion focus"},"created_time":1722945774099345,"integrity":"g manner mambo","namespace_pid":96,"parent_process":{"name":"Organ","pid":90,"session":{"uid":"cfd469b2-53eb-11ef-8a8a-0242ac110005","issuer":"lyric fujitsu timber","created_time":1722945774099934,"is_remote":true,"created_time_dt":"2024-08-06T12:02:54.099943Z","expiration_time_dt":"2024-08-06T12:02:54.099951Z"},"file":{"name":"mothers.com","type":"Symbolic Link","version":"1.1.0","path":"wal quiz worker/skin.plugin/mothers.com","type_id":7,"company_name":"Delora Edyth","parent_folder":"wal quiz worker/skin.plugin","hashes":[{"value":"02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966","algorithm":"SHA-512","algorithm_id":4},{"value":"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280","algorithm":"Unknown","algorithm_id":0}]},"user":{"type":"Unknown","uid":"cfd47e3e-53eb-11ef-a1ef-0242ac110005","type_id":0,"full_name":"Thuy Kristin"},"group":{"type":"figured eyes microphone","desc":"comparable likelihood jeep","uid":"cfd48fb4-53eb-11ef-bbb9-0242ac110005"},"uid":"cfd495e0-53eb-11ef-b81b-0242ac110005","cmd_line":"welding viewpicture sampling","container":{"name":"iii accessories 
ddr","size":3779122986,"uid":"cfd4a166-53eb-11ef-97e4-0242ac110005","image":{"name":"beach omaha protest","uid":"cfd4aa76-53eb-11ef-a970-0242ac110005"},"hash":{"value":"917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5","algorithm":"magic","algorithm_id":99}},"created_time":1722945774101623,"namespace_pid":90,"parent_process":{"name":"Arrange","pid":5,"file":{"attributes":76,"name":"elizabeth.sln","size":1485425900,"type":"Folder","path":"kai surname approach/xp.wpd/elizabeth.sln","desc":"member dogs ports","type_id":2,"company_name":"Claudio Alejandra","parent_folder":"kai surname approach/xp.wpd","confidentiality":"says","confidentiality_id":99,"created_time_dt":"2024-08-06T12:02:54.102808Z"},"user":{"name":"Night","type":"Unknown","type_id":0,"ldap_person":{"manager":{"name":"Merchandise","type":"System","uid":"cfd4ff76-53eb-11ef-9efb-0242ac110005","org":{"name":"belief billion talented","ou_name":"volkswagen africa respect"},"groups":[{"name":"pos constraints inkjet","type":"stat tray charitable"},{"name":"yemen happiness theft"}],"type_id":3,"full_name":"Janiece Jon","credential_uid":"cfd50fd4-53eb-11ef-83d7-0242ac110005","ldap_person":{"surname":"cancelled present faced","modified_time_dt":"2024-08-06T12:02:54.104306Z"},"uid_alt":"fraud answers loved"},"email_addrs":["Sharonda@helena.name","Caroline@consent.mil"],"hire_time":1722945774104346,"office_location":"ways statement ni","surname":"cio evaluating bc","last_login_time_dt":"2024-08-06T12:02:54.104363Z"}},"group":{"name":"majority scores surveillance","desc":"bearing return gt","uid":"cfd52f3c-53eb-11ef-bb53-0242ac110005","privileges":["kansas religions cgi"]},"uid":"cfd53608-53eb-11ef-92de-0242ac110005","loaded_modules":["/save/tt/places/ballet/exclusive.psd","/administered/herbs/discrete/katie/rl.ttf"],"cmd_line":"visual dated alpha","container":{"name":"footwear checkout march","size":1641826457,"uid":"cfd542ec-53eb-11ef-be38-0242ac110005","image":{"name":"concentrations deck 
created","uid":"cfd54bf2-53eb-11ef-b477-0242ac110005"},"hash":{"value":"03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471","algorithm":"TLSH","algorithm_id":6}},"created_time":1722945774105758,"integrity":"Unknown","integrity_id":0,"lineage":["length apr charm","farm chaos overseas"],"namespace_pid":33,"sandbox":"mexican mixer g","euid":59,"terminated_time_dt":"2024-08-06T12:02:54.105788Z"},"egid":49,"terminated_time_dt":"2024-08-06T12:02:54.105798Z"},"sandbox":"variance volleyball compile"},"auid":38,"terminated_time_dt":"2024-08-06T12:02:54.105811Z"}},"created_time_dt":"2024-08-06T12:02:54.105819Z"},"xattributes":{},"euid":32},"terminated_time":1722945774105859,"auid":17},"sandbox":"frequent dining arguments","xattributes":{},"created_time_dt":"2024-08-06T12:02:54.105883Z","terminated_time_dt":"2024-08-06T12:02:54.105888Z"},"euid":93,"terminated_time_dt":"2024-08-06T12:02:54.105894Z"},"user":{"name":"Ok","type":"System","domain":"rpm particular mae","uid":"cfd57668-53eb-11ef-ad7f-0242ac110005","groups":[{"name":"numbers nextel globe","type":"debug carpet per","domain":"indexed email mardi","uid":"cfd58068-53eb-11ef-b081-0242ac110005"},{"name":"fitting personalized estimation","uid":"cfd58ae0-53eb-11ef-850c-0242ac110005"}],"type_id":3}},"cloud":{"provider":"experimental mac seconds","region":"debate population smithsonian","zone":"raised expert baseball"},"database":{"name":"laden confidence arabic","type":"Object Oriented","uid":"cfcf8aaa-53eb-11ef-835d-0242ac110005","type_id":3,"created_time_dt":"2024-08-06T12:02:54.068006Z"},"databucket":{"name":"facts drug laos","type":"GCP Bucket","type_id":3},"severity_id":1,"src_endpoint":{"port":47139,"type":"Laptop","ip":"175.16.199.0","hostname":"thank.coop","uid":"cfcfee32-53eb-11ef-b8c3-0242ac110005","type_id":3,"container":{"name":"detect drop hobbies","size":2933944469,"tag":"together own 
republicans","uid":"cfd0401c-53eb-11ef-b764-0242ac110005","image":{"path":"constraint explosion ge","uid":"cfd04b5c-53eb-11ef-a7db-0242ac110005","labels":["er","distances"]}},"hw_info":{"cpu_count":74,"cpu_speed":92},"instance_uid":"cfd0555c-53eb-11ef-82ff-0242ac110005","interface_uid":"cfd05bd8-53eb-11ef-864c-0242ac110005","namespace_pid":25,"svc_name":"further compressed twisted","vlan_uid":"cfd06344-53eb-11ef-9b92-0242ac110005"},"status_id":2} +{"message":"fur stake pickup","status":"Failure","total":87,"time":1723108823724670,"metadata":{"version":"1.1.0","extension":{"name":"reward furniture awful","version":"1.1.0","uid":"70fa28aa-5567-11ef-9e8c-0242ac110005"},"product":{"name":"nintendo une exist","version":"1.1.0","uid":"70fa3656-5567-11ef-8ec3-0242ac110005","url_string":"eq","vendor_name":"investors viral conscious"},"labels":["sage"],"profiles":[],"log_name":"form rising isolated","log_provider":"commerce relatives qualify","loggers":[{"name":"configure fetish advertise","device":{"name":"scanners storage illinois","type":"Laptop","os":{"name":"bolt photographers oman","type":"Windows","build":"acne toolbox architectural","type_id":100,"edition":"hired moscow antibodies"},"ip":"151.112.44.246","desc":"bg falling her","hostname":"transformation.mobi","type_id":3,"subnet":"244.6.140.0/24","instance_uid":"70fa8246-5567-11ef-93ce-0242ac110005","interface_name":"bulletin keith reporters","interface_uid":"70fa8c3c-5567-11ef-b329-0242ac110005","is_trusted":false,"modified_time":1723108823723078,"region":"pm memorabilia penalty","subnet_uid":"70fa532a-5567-11ef-b983-0242ac110005","vlan_uid":"70fa5a0a-5567-11ef-a39d-0242ac110005"},"product":{"name":"april visit maximum","version":"1.1.0","uid":"70fa9c0e-5567-11ef-92a1-0242ac110005","vendor_name":"equivalent all operating"},"uid":"70faa3ac-5567-11ef-9136-0242ac110005","log_name":"thee mining your","transmit_time":1723108823724148},{"name":"gallery prayers vcr","product":{"name":"positioning tier 
electrical","version":"1.1.0","uid":"70faafd2-5567-11ef-9ce0-0242ac110005","url_string":"english","vendor_name":"reservation connection shell"},"log_name":"suggested blake pendant","log_provider":"beautifully ae beauty"}],"original_time":"sheffield origins travesti","tenant_uid":"70fab7d4-5567-11ef-9fcd-0242ac110005"},"scan":{"name":"cooperation edge magnificent","type":"Unknown","uid":"70fac396-5567-11ef-a8a3-0242ac110005","type_id":0},"start_time":1723108823725300,"severity":"Unknown","duration":39,"type_name":"Scan Activity: Cancelled","activity_id":3,"type_uid":600703,"category_name":"Application Activity","class_uid":6007,"category_uid":6,"class_name":"Scan Activity","timezone_offset":51,"end_time":1723108823724649,"activity_name":"Cancelled","command_uid":"70f9ff4c-5567-11ef-96d3-0242ac110005","num_files":85,"num_network_items":45,"num_processes":12,"num_registry_items":21,"num_resolutions":0,"num_skipped_items":80,"num_trusted_items":47,"policy":{"name":"these wordpress cos","version":"1.1.0","uid":"70fad110-5567-11ef-a15f-0242ac110005"},"schedule_uid":"70f9f600-5567-11ef-9766-0242ac110005","severity_id":0,"status_code":"shape","status_id":2} +{"actor":{"process":{"name":"Lightweight","pid":12,"file":{"attributes":83,"name":"hawk.wsf","owner":{"name":"Illegal","type":"System","domain":"shade variety cooper","uid":"ff702496-556b-11ef-9f4e-0242ac110005","type_id":3,"account":{"type":"AWS Account","uid":"ff702df6-556b-11ef-a8bb-0242ac110005","type_id":10},"email_addr":"Erick@invision.edu","uid_alt":"preceding psp cleared"},"type":"Character Device","modifier":{"name":"Hottest","type":"muscles","uid":"ff70411a-556b-11ef-9a1e-0242ac110005","type_id":99,"credential_uid":"ff7047d2-556b-11ef-966d-0242ac110005"},"desc":"playing motor literary","type_id":3,"accessor":{"name":"Golf","type":"died","uid":"ff70655a-556b-11ef-b23a-0242ac110005","type_id":99},"company_name":"Natalya 
Stormy"},"user":{"type":"brooklyn","uid":"ff707266-556b-11ef-8dd3-0242ac110005","org":{"name":"existence hypothetical audience","uid":"ff707b3a-556b-11ef-989b-0242ac110005","ou_name":"coupon tear compatibility","ou_uid":"ff7082c4-556b-11ef-8273-0242ac110005"},"type_id":99},"group":{"uid":"ff708c1a-556b-11ef-bea6-0242ac110005"},"tid":89,"uid":"ff709200-556b-11ef-a0bf-0242ac110005","cmd_line":"compression warner sapphire","container":{"name":"front myself techniques","size":3673925967,"uid":"ff70a01a-556b-11ef-98b5-0242ac110005","image":{"name":"stage trucks cw","uid":"ff70a8da-556b-11ef-9305-0242ac110005"},"hash":{"value":"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B","algorithm":"Unknown","algorithm_id":0}},"created_time":1723110780721040,"parent_process":{"name":"Unlimited","pid":90,"file":{"name":"vulnerability.cue","type":"Local Socket","path":"full jewellery adverse/hans.xml/vulnerability.cue","uid":"ff70c5f4-556b-11ef-8001-0242ac110005","type_id":5,"accessor":{"name":"Breakfast","type":"Admin","uid":"ff70d09e-556b-11ef-82b8-0242ac110005","type_id":2,"full_name":"Cora Marchelle","uid_alt":"lesbian dk media"},"creator":{"name":"Broker","type":"juice","uid":"ff70ec96-556b-11ef-a10b-0242ac110005","type_id":99,"account":{"name":"develops til flu","type":"AWS IAM Role","uid":"ff70fb96-556b-11ef-b127-0242ac110005","type_id":4}},"parent_folder":"full jewellery adverse/hans.xml","hashes":[{"value":"88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7","algorithm":"SHA-256","algorithm_id":3},{"value":"BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA","algorithm":"Unknown","algorithm_id":0}],"xattributes":{}},"user":{"name":"Skip","type":"Admin","uid":"ff710f1e-556b-11ef-bcc2-0242ac110005","type_id":2,"uid_alt":"those facility genetic"},"group":{"name":"overseas avoiding 
attendance","uid":"ff711932-556b-11ef-8a55-0242ac110005","privileges":["drop welsh munich","developer strange beat"]},"uid":"ff71249a-556b-11ef-b2a4-0242ac110005","cmd_line":"legally hacker please","container":{"name":"ant elegant ana","runtime":"routes peripheral operates","size":3971411004,"uid":"ff712e7c-556b-11ef-b4ec-0242ac110005","image":{"name":"shanghai listen subaru","path":"toxic declaration intended","uid":"ff7150be-556b-11ef-a7e8-0242ac110005"},"hash":{"value":"994BB86DD62F615473EE5D1D05C5A1D950D2F3C3","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723110780725334,"lineage":["viii define induced","starsmerchant interest city"],"namespace_pid":10,"parent_process":{"name":"Legs","pid":65,"file":{"attributes":62,"name":"figure.bin","type":"Local Socket","version":"1.1.0","type_id":5,"confidentiality":"outdoors archived regarding","hashes":[{"value":"AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE","algorithm":"SHA-512","algorithm_id":4}],"modified_time":1723110780725738,"security_descriptor":"thesaurus stories skirts","accessed_time_dt":"2024-08-08T09:53:00.725750Z"},"user":{"name":"Marvel","type":"tunnel","uid":"ff716e14-556b-11ef-9183-0242ac110005","type_id":99},"group":{"name":"challenges photoshop want","type":"spice shine latex","uid":"ff717f9e-556b-11ef-beff-0242ac110005"},"tid":45,"uid":"ff71866a-556b-11ef-8d91-0242ac110005","container":{"name":"richard amendments yorkshire","size":2733947088,"uid":"ff7191fa-556b-11ef-b991-0242ac110005","image":{"tag":"g tiffany advocacy","path":"scoring skill 
rush","uid":"ff719b1e-556b-11ef-8397-0242ac110005"},"hash":{"value":"8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83","algorithm":"quickXorHash","algorithm_id":7}},"integrity":"System","integrity_id":5,"namespace_pid":6,"parent_process":{"name":"Liability","pid":12,"file":{"name":"dress.pct","type":"Symbolic Link","path":"graphic easter hitting/celebration.xls/dress.pct","product":{"name":"relation resulting pride","version":"1.1.0","uid":"ff71b45a-556b-11ef-aee8-0242ac110005","lang":"en","vendor_name":"conversation gamespot myself"},"type_id":7,"accessor":{"name":"Nashville","type":"Admin","uid":"ff71c616-556b-11ef-89f0-0242ac110005","org":{"name":"steven harmony mediterranean","uid":"ff71cea4-556b-11ef-80aa-0242ac110005","ou_name":"beam transmit cook"},"type_id":2,"credential_uid":"ff71d5de-556b-11ef-bfb8-0242ac110005"},"parent_folder":"graphic easter hitting/celebration.xls","hashes":[{"value":"C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333","algorithm":"Unknown","algorithm_id":0}]},"tid":23,"uid":"ff71e204-556b-11ef-b426-0242ac110005","cmd_line":"sponsored contractor notion","container":{"size":1046580299,"uid":"ff71eb82-556b-11ef-855e-0242ac110005","hash":{"value":"175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A","algorithm":"TLSH","algorithm_id":6}},"created_time":1723110780729284,"namespace_pid":66,"parent_process":{"name":"Believed","pid":12,"file":{"attributes":44,"name":"autumn.mid","size":1791990748,"type":"Symbolic Link","path":"normally soviet packaging/acne.js/autumn.mid","type_id":7,"mime_type":"foto/congo","parent_folder":"normally soviet 
packaging/acne.js","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527","algorithm":"SHA-512","algorithm_id":4},{"value":"41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4","algorithm":"SHA-256","algorithm_id":3}],"accessed_time_dt":"2024-08-08T09:53:00.729741Z"},"user":{"name":"Aol","type":"Admin","uid":"ff7209d2-556b-11ef-859c-0242ac110005","type_id":2,"email_addr":"Claudia@destroyed.museum"},"group":{"name":"rivers kde impaired","uid":"ff7213f0-556b-11ef-afbe-0242ac110005"},"uid":"ff721b66-556b-11ef-a28e-0242ac110005","loaded_modules":["/ol/wr/trades/lucky/trusts.mp4"],"cmd_line":"cole playback contribute","container":{"name":"blackjack example page","size":2950957499,"tag":"lexmark sandwich determining","uid":"ff72291c-556b-11ef-9cb3-0242ac110005","image":{"name":"eight bow edges","uid":"ff7231f0-556b-11ef-af8b-0242ac110005","labels":["builders","guitars"]},"hash":{"value":"3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723110780731096,"namespace_pid":27,"parent_process":{"name":"Raising","pid":88,"file":{"attributes":10,"name":"spyware.dds","type":"Block Device","path":"protocol validity absence/luther.rm/spyware.dds","type_id":4,"mime_type":"institute/ivory","parent_folder":"protocol validity absence/luther.rm","confidentiality":"torture lawn fuel","hashes":[{"value":"298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14","algorithm":"SHA-512","algorithm_id":4},{"value":"E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"delta caution 
ncaa"},"user":{"name":"Ieee","type":"Unknown","domain":"numerical circuit charts","type_id":0},"group":{"name":"damaged cumulative applicable","domain":"highways phones introduces"},"uid":"ff72525c-556b-11ef-b49e-0242ac110005","cmd_line":"donation gaps according","container":{"name":"meant she least","tag":"commented attitude magazines","uid":"ff72b166-556b-11ef-af11-0242ac110005","image":{"name":"justify greeting attorney","uid":"ff72c4ee-556b-11ef-ae90-0242ac110005"},"hash":{"value":"23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723110780734859,"namespace_pid":56},"auid":91,"euid":25}},"terminated_time_dt":"2024-08-08T09:53:00.734879Z"},"terminated_time":1723110780734887,"auid":42,"euid":36},"created_time_dt":"2024-08-08T09:53:00.734894Z"},"user":{"type":"Unknown","uid":"ff72d2e0-556b-11ef-bbe1-0242ac110005","type_id":0,"credential_uid":"ff72de20-556b-11ef-a522-0242ac110005","uid_alt":"weights hobbies divorce"},"authorizations":[{},{}]},"activity_name":"Started","num_detections":89,"start_time":1723110780716472,"policy":{"name":"katie producing webcast","desc":"relevance lots trigger","uid":"ff6ff8fe-556b-11ef-874e-0242ac110005"},"category_uid":6,"class_name":"Scan Activity","num_skipped_items":59,"message":"tools motivated nightlife","api":{"request":{"uid":"ff6fddec-556b-11ef-a2d3-0242ac110005"},"group":{"name":"dividend consistency definitely","type":"posts vendors student","uid":"ff6feb8e-556b-11ef-8cd0-0242ac110005"},"response":{"error":"headquarters viii accurately","code":96,"data":"phenomenon","message":"definitely existing colleges","error_message":"unexpected amazon worm"},"operation":"cathedral participate wrapping"},"scan":{"name":"caribbean operate detected","type":"Updated Content","uid":"ff6fd18a-556b-11ef-887c-0242ac110005","type_id":3},"severity_id":6,"time":1723110780715169,"type_name":"Scan Activity: 
Started","num_files":43,"device":{"name":"cams witnesses summary","type":"Unknown","domain":"a licensed facility","ip":"175.16.199.0","location":{"desc":"Falkland Islands (Malvinas)","city":"Messaging management","country":"FK","coordinates":[170.507,-62.7832],"continent":"South America"},"hostname":"active.jobs","uid":"ff6f8cca-556b-11ef-9bc0-0242ac110005","type_id":0,"subnet":"28.0.0.0/8","container":{"name":"related understanding tricks","size":3329432332,"uid":"ff6fafac-556b-11ef-9f24-0242ac110005","image":{"name":"items discharge whale","uid":"ff6fbc7c-556b-11ef-9149-0242ac110005"},"hash":{"value":"788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2","algorithm":"magic","algorithm_id":99}},"interface_uid":"ff6fc604-556b-11ef-a921-0242ac110005","last_seen_time":1723110780713330,"modified_time":1723110780713347,"namespace_pid":13,"region":"patricia link controversy","risk_level":"ratios capable administrator","uid_alt":"scientific addition power","vpc_uid":"ff6f7bea-556b-11ef-99b2-0242ac110005","zone":"districts fit connector","modified_time_dt":"2024-08-08T09:53:00.713297Z","first_seen_time_dt":"2024-08-08T09:53:00.713342Z"},"end_time":1723110780712791,"num_folders":37,"timezone_offset":20,"metadata":{"version":"1.1.0","product":{"name":"hospitality fabric loop","version":"1.1.0","uid":"ff6f5962-556b-11ef-9975-0242ac110005","vendor_name":"hindu carlo achieve"},"uid":"ff6f607e-556b-11ef-b5f9-0242ac110005","log_level":"entities staying supplemental","profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"brother lord wyoming","log_provider":"diana alternate finals","original_time":"negotiations hardwood 
avg","tenant_uid":"ff6f6844-556b-11ef-8efe-0242ac110005","logged_time_dt":"2024-08-08T09:53:00.712767Z"},"duration":0,"command_uid":"ff6f480a-556b-11ef-93ac-0242ac110005","status":"synthesis","num_resolutions":19,"activity_id":1,"total":63,"num_processes":41,"num_network_items":71,"class_uid":6007,"cloud":{"org":{"name":"serving invest coating","uid":"ff6f0be2-556b-11ef-9b41-0242ac110005","ou_name":"caroline au dos"},"account":{"name":"houston indexes puerto","type":"Apple Account","uid":"ff6f370c-556b-11ef-a592-0242ac110005","type_id":8},"project_uid":"ff6f3f0e-556b-11ef-913f-0242ac110005","provider":"greensboro gallery reporting","region":"consistency alert titten"},"type_uid":600701,"num_trusted_items":36,"severity":"Fatal","category_name":"Application Activity","status_id":99} +{"message":"epa stanley speech","status":"Unknown","time":1723114384287674,"file":{"name":"ate.cue","type":"Folder","version":"1.1.0","path":"wiki optimization counter/prohibited.ai/ate.cue","signature":{"certificate":{"version":"1.1.0","subject":"advised chess egyptian","issuer":"warning cute armor","fingerprints":[{"value":"367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03","algorithm":"SHA-512","algorithm_id":4},{"value":"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9","algorithm":"CTPH","algorithm_id":5}],"created_time":1723114384273661,"expiration_time":1723114384273675,"serial_number":"qld undergraduate cowboy","created_time_dt":"2024-08-08T10:53:04.273685Z"},"algorithm":"Unknown","algorithm_id":0,"created_time":1723114384273699},"modifier":{"name":"Scenic","type":"User","uid":"63533b6c-5574-11ef-bfed-0242ac110005","type_id":1,"account":{"name":"interactions minister lamps","type":"Windows 
Account","uid":"635347c4-5574-11ef-a25d-0242ac110005","type_id":2},"credential_uid":"63534eea-5574-11ef-8a7c-0242ac110005","ldap_person":{"created_time":1723114384275284,"email_addrs":["Leonida@consoles.gov"],"given_name":"routines identical brunswick","hire_time":1723114384275320,"job_title":"voted awareness pt","modified_time":1723114384275329,"leave_time_dt":"2024-08-08T10:53:04.275331Z"}},"type_id":2,"parent_folder":"wiki optimization counter/prohibited.ai","hashes":[{"value":"F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8","algorithm":"TLSH","algorithm_id":6},{"value":"4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984","algorithm":"SHA-256","algorithm_id":3}]},"metadata":{"version":"1.1.0","product":{"name":"cooling florist anna","version":"1.1.0","path":"avoid meeting appear","uid":"63545eac-5574-11ef-8bb1-0242ac110005","vendor_name":"buying fa joel"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"correlation_uid":"635472c0-5574-11ef-8c5d-0242ac110005","event_code":"sessions","log_name":"standing band submission","logged_time":1723114384282107,"original_time":"sum shipped decreased"},"severity":"Low","type_name":"File Hosting Activity: Move","activity_id":7,"type_uid":600607,"observables":[{"name":"affiliated fuji ralph","type":"Hostname","type_id":1},{"name":"sponsored fw illustrated","type":"Hostname","type_id":1}],"category_name":"Application Activity","class_uid":6006,"category_uid":6,"class_name":"File Hosting Activity","timezone_offset":56,"activity_name":"Move","actor":{"process":{"name":"Eden","pid":95,"file":{"attributes":91,"name":"physician.asf","type":"Regular File","path":"donors replied magazine/elder.accdb/physician.asf","modifier":{"name":"Dimensional","type":"System","domain":"beneficial az 
attraction","uid":"63556d6a-5574-11ef-ac26-0242ac110005","type_id":3,"email_addr":"Lura@consolidated.mil"},"desc":"xp endif record","type_id":1,"creator":{"name":"Resource","type":"System","uid":"6355ab18-5574-11ef-bc66-0242ac110005","type_id":3,"full_name":"Melodee Norma","email_addr":"Blaine@highlight.pro"},"mime_type":"incl/johnston","parent_folder":"donors replied magazine/elder.accdb","hashes":[{"value":"28E532D56B18548CC0B68A63311D2DCD2D258B2F","algorithm":"SHA-1","algorithm_id":2},{"value":"695BF60E03F83A36699AF46519E8E584","algorithm":"MD5","algorithm_id":1}],"xattributes":{}},"user":{"type":"Unknown","domain":"random john findlaw","groups":[{"name":"rural legislature built","type":"harm slovakia tone","uid":"6355ca8a-5574-11ef-8efb-0242ac110005","privileges":["clearing transfer worthy","jim pdas remind"]},{"domain":"seeing dynamics qualified","uid":"6355d2aa-5574-11ef-8276-0242ac110005"}],"type_id":0,"full_name":"Alexander Helena","credential_uid":"6355da02-5574-11ef-89ed-0242ac110005","uid_alt":"providing arms servers"},"group":{"name":"manage livestock tribes","domain":"problem choosing reform","uid":"6355e5e2-5574-11ef-b983-0242ac110005"},"uid":"6355ece0-5574-11ef-9b58-0242ac110005","loaded_modules":["/sic/measurement/morrison/routing/classroom.class","/projector/dare/dt/fancy/governance.wma"],"cmd_line":"syndication traveler charges","container":{"name":"slim rehabilitation nest","size":2119671744,"uid":"63560cca-5574-11ef-8db7-0242ac110005","image":{"name":"technician rogers federal","tag":"pub flexible interface","uid":"63561756-5574-11ef-85d8-0242ac110005","labels":["pants","firewall"]},"hash":{"value":"10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723114384292928,"integrity":"cr darwin wearing","namespace_pid":27,"parent_process":{"name":"Outreach","pid":24,"session":{"uid":"63562c6e-5574-11ef-a07c-0242ac110005","uuid":"635632b8-5574-11ef-8dc9-0242ac110005","issuer":"watt ips 
cash","created_time":1723114384293568,"expiration_time":1723114384293578,"is_remote":false,"expiration_time_dt":"2024-08-08T10:53:04.293582Z"},"file":{"attributes":91,"name":"engineers.png","type":"Character Device","path":"judgment entering hydrocodone/sharp.uue/engineers.png","type_id":3,"accessor":{"type":"republican","uid":"6356478a-5574-11ef-bd16-0242ac110005","type_id":99,"email_addr":"Sunni@holders.jobs"},"parent_folder":"judgment entering hydrocodone/sharp.uue"},"user":{"type":"User","domain":"shortly payments endorsement","uid":"6356532e-5574-11ef-a4a6-0242ac110005","type_id":1,"uid_alt":"mysql syria beaches"},"group":{"type":"savannah weapon canon","desc":"rogers eco outlets","uid":"63565dba-5574-11ef-80bf-0242ac110005"},"uid":"635663a0-5574-11ef-b2fa-0242ac110005","cmd_line":"asks eight printed","container":{"name":"te beginners geology","size":1467240565,"uid":"63567160-5574-11ef-a13e-0242ac110005","image":{"name":"abu collectables clinical","uid":"63567a16-5574-11ef-8843-0242ac110005"},"hash":{"value":"D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959","algorithm":"SHA-256","algorithm_id":3}},"created_time":1723114384295435,"integrity":"eternal reservation which","namespace_pid":73,"parent_process":{"name":"Hung","pid":85,"user":{"name":"Paint","type":"creative","uid":"63568cfe-5574-11ef-9336-0242ac110005","type_id":99,"full_name":"Gussie Leila","email_addr":"Claire@longitude.arpa"},"group":{"name":"prince enhance terrain","desc":"dual yacht replace","uid":"635698ac-5574-11ef-a457-0242ac110005"},"cmd_line":"tools aluminium combinations","container":{"name":"diving invited scoring","runtime":"louise demanding pontiac","size":3349958052,"tag":"witness indicators oral","uid":"6356a234-5574-11ef-a31f-0242ac110005","image":{"name":"bag belief 
such","uid":"6356aaae-5574-11ef-80e9-0242ac110005","labels":["memorabilia","producers"]},"hash":{"value":"5EF93A057B5E36A7F6F0880E87F5CF4B","algorithm":"MD5","algorithm_id":1},"pod_uuid":"pp"},"created_time":1723114384296685,"namespace_pid":42,"parent_process":{"name":"Dead","pid":15,"file":{"name":"creations.ico","owner":{"name":"Answer","uid":"6356c534-5574-11ef-9ab7-0242ac110005","full_name":"Henry Tonja"},"type":"ti","path":"defining inch factors/ist.mpa/creations.ico","product":{"name":"amateur bristol cuba","version":"1.1.0","uid":"6356cfa2-5574-11ef-a798-0242ac110005","vendor_name":"gentleman quit confirm"},"type_id":99,"parent_folder":"defining inch factors/ist.mpa","created_time":1723114384297596,"hashes":[{"value":"0976ABA0D430405622A00981BC58C6F16D2A40F1","algorithm":"SHA-1","algorithm_id":2},{"value":"36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088","algorithm":"SHA-512","algorithm_id":4}],"accessed_time_dt":"2024-08-08T10:53:04.297651Z","created_time_dt":"2024-08-08T10:53:04.297659Z"},"user":{"name":"Theatre","type":"Admin","uid":"6356e906-5574-11ef-bcbc-0242ac110005","type_id":2},"tid":82,"uid":"6356ef50-5574-11ef-9f3f-0242ac110005","cmd_line":"capable homepage reject","container":{"name":"slovenia anybody colors","runtime":"organic worked yn","size":420397581,"uid":"6356f91e-5574-11ef-ae76-0242ac110005","image":{"name":"sao naked toddler","uid":"635701a2-5574-11ef-bc46-0242ac110005","labels":["toolbox","taught"]},"hash":{"value":"E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294","algorithm":"quickXorHash","algorithm_id":7},"pod_uuid":"arranged"},"created_time":1723114384298907,"integrity":"System","integrity_id":5,"namespace_pid":34,"parent_process":{"name":"Whilst","pid":51,"file":{"name":"sitting.bmp","owner":{"name":"Excessive","type":"System","domain":"harmony served 
deadly","uid":"63572f2e-5574-11ef-80bc-0242ac110005","groups":[{"name":"recruiting member combine","uid":"635738e8-5574-11ef-b1ba-0242ac110005"}],"type_id":3,"full_name":"Mistie Belkis","account":{"type":"Mac OS Account","uid":"6357423e-5574-11ef-bd28-0242ac110005","type_id":7}},"type":"Local Socket","path":"everything packaging fears/sat.crdownload/sitting.bmp","uid":"635748e2-5574-11ef-9899-0242ac110005","type_id":5,"creator":{"name":"Health","type":"User","domain":"cabinet satisfaction excitement","uid":"635752c4-5574-11ef-9816-0242ac110005","type_id":1,"full_name":"Lauralee Thomasine","ldap_person":{"location":{"desc":"Serbia, Republic of","city":"Princeton judy","country":"RS","coordinates":[-170.2881,-62.2248],"continent":"Europe"},"ldap_dn":"roy noticed vertical","surname":"tract olympus editor","created_time_dt":"2024-08-08T10:53:04.301134Z"}},"parent_folder":"everything packaging fears/sat.crdownload","accessed_time":1723114384301146,"hashes":[{"value":"D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B","algorithm":"Unknown","algorithm_id":0}],"is_system":false,"modified_time":1723114384301182,"xattributes":{}},"user":{"name":"Pavilion","type":"Unknown","uid":"63576804-5574-11ef-9ed9-0242ac110005","type_id":0,"credential_uid":"63576e4e-5574-11ef-85ed-0242ac110005"},"group":{"name":"sale point solutions","uid":"6357784e-5574-11ef-9c0c-0242ac110005"},"tid":93,"uid":"63577e16-5574-11ef-8086-0242ac110005","cmd_line":"consists posters menus","container":{"name":"loving revealed remarkable","size":2152153573,"uid":"6357871c-5574-11ef-9b53-0242ac110005","image":{"name":"lots time boolean","uid":"63578f78-5574-11ef-83eb-0242ac110005"},"hash":{"value":"EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97","algorithm":"CTPH","algorithm_id":5},"orchestrator":"board luis 
adopted"},"created_time":1723114384302534,"parent_process":{"pid":93,"session":{"uid":"6357a396-5574-11ef-8ef4-0242ac110005","issuer":"demonstration holmes california","created_time":1723114384303010,"is_mfa":true,"is_remote":false},"file":{"name":"kerry.sdf","type":"terrorist","path":"pre memo parish/bibliographic.db/kerry.sdf","product":{"name":"forum activists cancelled","version":"1.1.0","uid":"6357b6b0-5574-11ef-9715-0242ac110005","cpe_name":"realty contributions melissa","vendor_name":"actress mess enjoyed"},"modifier":{"name":"Criterion","type":"System","domain":"theology suzuki inn","uid":"6357d28a-5574-11ef-b53e-0242ac110005","groups":[{"name":"meanwhile vid contributed"},{"name":"difference white sensors","type":"chef laos flat","desc":"undertake carried ones","uid":"6357dc9e-5574-11ef-a420-0242ac110005"}],"type_id":3,"account":{"name":"fans car enable","type":"Linux Account","type_id":9},"credential_uid":"6357e5f4-5574-11ef-8af6-0242ac110005","uid_alt":"repair trains victim"},"type_id":99,"creator":{"name":"Filme","type":"Unknown","uid":"6357f01c-5574-11ef-9c74-0242ac110005","type_id":0},"mime_type":"architecture/hall","parent_folder":"pre memo parish/bibliographic.db","hashes":[{"value":"35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB","algorithm":"TLSH","algorithm_id":6},{"value":"BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB","algorithm":"CTPH","algorithm_id":5}],"security_descriptor":"volvo workflow pros"},"group":{"name":"mad integrity assessment","type":"glossary scotia pete","uid":"63580af2-5574-11ef-88eb-0242ac110005"},"uid":"63581182-5574-11ef-aeb6-0242ac110005","cmd_line":"mentor dust attending","container":{"name":"drill modern difference","size":3636193350,"uid":"63597a54-5574-11ef-acbb-0242ac110005","image":{"name":"hanging assume 
mill","uid":"63599c96-5574-11ef-8abe-0242ac110005"},"hash":{"value":"90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529","algorithm":"TLSH","algorithm_id":6}},"created_time":1723114384316151,"integrity":"delivering shaved mexico","namespace_pid":49,"parent_process":{"name":"Ft","pid":85,"file":{"name":"venice.pct","type":"Character Device","path":"proper unified cingular/outsourcing.cs/venice.pct","product":{"version":"1.1.0","vendor_name":"staying attachment med"},"desc":"advantage profit fall","type_id":3,"accessor":{"name":"Arlington","type":"Admin","uid":"635a477c-5574-11ef-8dd3-0242ac110005","type_id":2,"credential_uid":"635a4f2e-5574-11ef-b0c1-0242ac110005"},"parent_folder":"proper unified cingular/outsourcing.cs","accessed_time":1723114384320502,"created_time":1723114384320518,"hashes":[{"value":"5B54C0A045F179BCBBBC9ABCB8B5CD4C","algorithm":"MD5","algorithm_id":1},{"value":"B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91","algorithm":"magic","algorithm_id":99}],"modified_time_dt":"2024-08-08T10:53:04.320622Z"},"uid":"635a5c26-5574-11ef-8945-0242ac110005","cmd_line":"cup rights charger","container":{"name":"answers camera televisions","size":560452224,"uid":"635a7206-5574-11ef-b9d6-0242ac110005","image":{"uid":"635a8282-5574-11ef-8212-0242ac110005"},"hash":{"value":"FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828","algorithm":"quickXorHash","algorithm_id":7}},"created_time":1723114384322300,"namespace_pid":14,"parent_process":{"pid":1,"file":{"attributes":8,"name":"stop.rom","size":184463636,"type":"Folder","path":"qc stunning 
upcoming/freelance.b/stop.rom","type_id":2,"creator":{"name":"Televisions","type":"restaurant","uid":"635ab20c-5574-11ef-8a49-0242ac110005","type_id":99,"ldap_person":{"modified_time":1723114384328321,"created_time_dt":"2024-08-08T10:53:04.328333Z"}},"parent_folder":"qc stunning upcoming/freelance.b","accessed_time":1723114384328345,"confidentiality":"dare assembly conflicts","hashes":[{"value":"D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8","algorithm":"SHA-1","algorithm_id":2},{"value":"A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4","algorithm":"SHA-256","algorithm_id":3}],"security_descriptor":"streets teacher movie","accessed_time_dt":"2024-08-08T10:53:04.328434Z","modified_time_dt":"2024-08-08T10:53:04.328440Z"},"user":{"name":"Fountain","type":"Admin","uid":"635b94ec-5574-11ef-90e7-0242ac110005","type_id":2},"group":{"name":"lang drivers mood","uid":"635baaf4-5574-11ef-8c3f-0242ac110005"},"uid":"635bb51c-5574-11ef-96c1-0242ac110005","cmd_line":"assignment position expression","container":{"name":"ink bio mileage","runtime":"effort des lu","size":1841031275,"uid":"635bd29a-5574-11ef-a523-0242ac110005","image":{"name":"junction naval insulation","tag":"watches wellington muscle","uid":"635c0198-5574-11ef-ba77-0242ac110005"},"hash":{"value":"FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD","algorithm":"CTPH","algorithm_id":5},"pod_uuid":"nuclear"},"created_time":1723114384332144,"integrity":"Low","integrity_id":2,"namespace_pid":91,"parent_process":{"name":"Surprise","pid":46,"file":{"name":"settled.exe","type":"Local Socket","version":"1.1.0","path":"justin jm kenya/acknowledged.cgi/settled.exe","signature":{"certificate":{"version":"1.1.0","uid":"635c43c4-5574-11ef-a8eb-0242ac110005","subject":"pets documentary mutual","issuer":"rounds eds 
contests","fingerprints":[{"value":"4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115","algorithm":"quickXorHash","algorithm_id":7}],"created_time":1723114384334572,"expiration_time":1723114384334590,"serial_number":"anything repair rank","expiration_time_dt":"2024-08-08T10:53:04.334601Z"},"algorithm":"ECDSA","algorithm_id":3,"developer_uid":"635c7e16-5574-11ef-b814-0242ac110005"},"type_id":5,"accessor":{"name":"Contents","type":"Unknown","domain":"weighted organize jim","uid":"635cc204-5574-11ef-85ce-0242ac110005","type_id":0},"creator":{"name":"Heel","type":"System","uid":"635ce108-5574-11ef-b897-0242ac110005","type_id":3,"account":{"name":"discs sure enclosed","type":"AWS IAM Role","uid":"635d0a66-5574-11ef-bcd7-0242ac110005","type_id":4},"uid_alt":"rapidly specification instructional"},"parent_folder":"justin jm kenya/acknowledged.cgi","created_time":1723114384339821,"hashes":[{"value":"E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE","algorithm":"Unknown","algorithm_id":0},{"value":"3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4","algorithm":"quickXorHash","algorithm_id":7}],"modified_time":1723114384340026,"xattributes":{},"accessed_time_dt":"2024-08-08T10:53:04.340128Z","created_time_dt":"2024-08-08T10:53:04.340139Z"},"user":{"type":"Unknown","uid":"635d5bd8-5574-11ef-a7e3-0242ac110005","type_id":0,"uid_alt":"charging build burning"},"group":{"name":"pendant alike china","domain":"remove ix couple","uid":"635d7852-5574-11ef-8eaa-0242ac110005","privileges":["verbal spokesman stuart","audio mozambique mae"]},"uid":"635d7fa0-5574-11ef-9af0-0242ac110005","loaded_modules":["/desert/arch/conditional/mas/zinc.cgi","/direct/appendix/stated/partition/awareness.gam"],"cmd_line":"masters treatments custody","container":{"name":"ate 
worth powerpoint","runtime":"society mem dependence","size":175725837,"uid":"635d91e8-5574-11ef-bfc1-0242ac110005","image":{"name":"bring president swap","uid":"635dba88-5574-11ef-a7d2-0242ac110005"},"hash":{"value":"7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74","algorithm":"CTPH","algorithm_id":5},"network_driver":"crawford invitation pierce","orchestrator":"differences lycos cut"},"created_time":1723114384343050,"namespace_pid":17,"parent_process":{"name":"During","pid":22,"file":{"name":"earnings.otf","owner":{"name":"Tissue","type":"User","uid":"635ddb94-5574-11ef-ab3f-0242ac110005","org":{"name":"whom demand thereof","ou_name":"weighted fundraising drainage"},"type_id":1},"type":"Regular File","path":"commons employ nickel/humanity.swf/earnings.otf","type_id":1,"company_name":"Abby Cyrus","parent_folder":"commons employ nickel/humanity.swf","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"EE1150845FA3041CEB3A3FCDBE42D68A","algorithm":"MD5","algorithm_id":1},{"value":"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"security_descriptor":"correctly screenshots reached","created_time_dt":"2024-08-08T10:53:04.344543Z","modified_time_dt":"2024-08-08T10:53:04.344556Z"},"user":{"name":"Greenhouse","uid":"635e09a2-5574-11ef-8b02-0242ac110005","uid_alt":"nu tiny challenging"},"group":{"name":"function bought terrace","desc":"oo phase relocation","uid":"635e1960-5574-11ef-bc86-0242ac110005"},"uid":"635e1f5a-5574-11ef-aad7-0242ac110005","cmd_line":"macedonia reid wanna","container":{"name":"dry age their","size":1634165265,"tag":"revised bytes swingers","uid":"635e290a-5574-11ef-8290-0242ac110005","image":{"tag":"developer characterized 
chelsea","uid":"635e31d4-5574-11ef-8b11-0242ac110005"},"hash":{"value":"D5F2E5C77054C44C2C72A1B017DECA06FC637C99","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723114384346014,"parent_process":{"name":"Door","pid":15,"file":{"attributes":27,"name":"modification.php","type":"Regular File","path":"monkey refused genesis/pictures.cs/modification.php","type_id":1,"parent_folder":"monkey refused genesis/pictures.cs","confidentiality":"Not Confidential","confidentiality_id":1},"user":{"name":"Roller","type":"System","uid":"635e6e38-5574-11ef-9132-0242ac110005","type_id":3},"group":{"name":"dogs republic occurrence","type":"headers brunei ontario","uid":"635e79b4-5574-11ef-b9e2-0242ac110005","privileges":["later conversion foreign","shadows phpbb ate"]},"uid":"635e817a-5574-11ef-850e-0242ac110005","cmd_line":"rides vids label","container":{"name":"car ericsson vary","size":2909077433,"tag":"apparent philadelphia southern","uid":"635eaa7e-5574-11ef-99fc-0242ac110005","image":{"name":"carolina bio conversion","uid":"635eb3a2-5574-11ef-8a60-0242ac110005"},"hash":{"value":"62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407","algorithm":"SHA-256","algorithm_id":3},"orchestrator":"wto murray posted","pod_uuid":"designed"},"created_time":1723114384349350,"integrity":"ag disagree anymore","namespace_pid":5,"parent_process":{"name":"Lm","pid":58,"file":{"name":"closing.3ds","size":2333859778,"type":"Block Device","path":"newsletter tulsa locale/wait.cab/closing.3ds","signature":{"certificate":{"version":"1.1.0","subject":"durham sitting hiv","issuer":"eq designers 
loc","fingerprints":[{"value":"B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10","algorithm":"TLSH","algorithm_id":6},{"value":"8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99","algorithm":"quickXorHash","algorithm_id":7}],"expiration_time":1723114384349769,"serial_number":"field geek theater"},"algorithm":"RSA","algorithm_id":2},"uid":"635ed24c-5574-11ef-9b19-0242ac110005","type_id":4,"mime_type":"radio/minolta","parent_folder":"newsletter tulsa locale/wait.cab","hashes":[{"value":"65BD10756687E64C347423BA3836F065","algorithm":"MD5","algorithm_id":1},{"value":"B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1723114384350131,"security_descriptor":"went stick curious","xattributes":{}},"user":{"name":"Gossip","type":"System","uid":"635ee0e8-5574-11ef-ac61-0242ac110005","type_id":3,"credential_uid":"635ee75a-5574-11ef-ac0c-0242ac110005"},"group":{"name":"alcohol surprise http","desc":"wales if adams","uid":"635ef114-5574-11ef-8c2b-0242ac110005"},"uid":"635ef6dc-5574-11ef-a3ad-0242ac110005","cmd_line":"statutes columnists commerce","container":{"name":"thomson multi reliable","size":22516444,"uid":"635f000a-5574-11ef-bd88-0242ac110005","image":{"name":"procedures later palestinian","uid":"635f0898-5574-11ef-a44a-0242ac110005"},"hash":{"value":"B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09","algorithm":"TLSH","algorithm_id":6},"orchestrator":"teens motion deaths"},"created_time":1723114384351625,"namespace_pid":7,"parent_process":{"name":"Gen","pid":86,"file":{"name":"offered.avi","type":"Folder","path":"sports amp assess/explosion.sln/offered.avi","type_id":2,"parent_folder":"sports amp 
assess/explosion.sln","accessed_time":1723114384352980,"security_descriptor":"salmon sister tucson"},"user":{"name":"Rest","type":"Unknown","uid":"635f51c2-5574-11ef-bad8-0242ac110005","type_id":0},"group":{"name":"produces consequence selling","uid":"635f5d02-5574-11ef-be03-0242ac110005","privileges":["seasonal railroad already"]},"uid":"635f63d8-5574-11ef-8afe-0242ac110005","cmd_line":"reflects champion naughty","container":{"name":"inquire justice risks","runtime":"fragrance instances sun","size":574926482,"uid":"635f7e18-5574-11ef-84ec-0242ac110005","image":{"name":"packs auction technical","uid":"635f891c-5574-11ef-9147-0242ac110005"}},"created_time":1723114384354756,"integrity":"deutsche what indians","lineage":["lying advertisements renew","buf prescribed puerto"],"namespace_pid":80,"parent_process":{"name":"Blogger","pid":77,"user":{"name":"Lenses","type":"dairy","uid":"635f9c7c-5574-11ef-b4d1-0242ac110005","type_id":99,"uid_alt":"penalty spray weight"},"uid":"635fa406-5574-11ef-809b-0242ac110005","cmd_line":"information propecia md","lineage":["trees saving alias","ssl september rack"],"namespace_pid":50,"parent_process":{"name":"Defense","pid":15,"file":{"attributes":31,"name":"lotus.pkg","type":"Local Socket","path":"seem party existence/buried.3dm/lotus.pkg","type_id":5,"parent_folder":"seem party existence/buried.3dm","confidentiality":"belief hard romania","created_time":1723114384355919,"hashes":[{"value":"921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF","algorithm":"CTPH","algorithm_id":5},{"value":"E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA","algorithm":"quickXorHash","algorithm_id":7}],"is_system":true,"accessed_time_dt":"2024-08-08T10:53:04.355980Z"},"user":{"name":"Blogs","type":"novel","uid":"635fca94-5574-11ef-82f0-0242ac110005","groups":[{"type":"buyer spirit 
webcam","uid":"635fd57a-5574-11ef-84bc-0242ac110005"},{"name":"cooperation meditation memo","desc":"discretion fantastic tactics","uid":"635fe13c-5574-11ef-85a3-0242ac110005"}],"type_id":99,"credential_uid":"635fe862-5574-11ef-ba0c-0242ac110005","ldap_person":{"email_addrs":["Kimberley@sip.int"],"leave_time":1723114384357313,"modified_time_dt":"2024-08-08T10:53:04.357320Z"}},"group":{"name":"care viii external","type":"right crowd crops","desc":"appointed opponent written","uid":"635ff8a2-5574-11ef-af7e-0242ac110005"},"tid":26,"uid":"635ffed8-5574-11ef-b0fd-0242ac110005","cmd_line":"gamecube forbes described","container":{"name":"homes commonwealth recall","size":3538073681,"uid":"63600950-5574-11ef-aae8-0242ac110005","image":{"name":"jersey elected projector","tag":"members breathing powers","path":"trades mess wishlist","uid":"6360136e-5574-11ef-8aec-0242ac110005"}},"created_time":1723114384358291,"integrity":"High","integrity_id":4,"namespace_pid":6,"parent_process":{"pid":31,"file":{"name":"patches.tar","type":"Unknown","path":"throws additions myspace/jackets.b/patches.tar","signature":{"certificate":{"version":"1.1.0","subject":"donate tons media","issuer":"italic hamburg judges","fingerprints":[{"value":"F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543","algorithm":"CTPH","algorithm_id":5}],"created_time":1723114384358869,"expiration_time":1723114384358874,"serial_number":"fell lab weddings"},"algorithm":"DSA","algorithm_id":1,"developer_uid":"63603196-5574-11ef-ac47-0242ac110005"},"uid":"636040d2-5574-11ef-965c-0242ac110005","type_id":0,"parent_folder":"throws additions myspace/jackets.b","confidentiality":"Top 
Secret","confidentiality_id":4,"hashes":[{"value":"04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21","algorithm":"SHA-512","algorithm_id":4},{"value":"6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8","algorithm":"quickXorHash","algorithm_id":7}],"modified_time_dt":"2024-08-08T10:53:04.359528Z"},"group":{"name":"recommends pollution humans","uid":"63604e4c-5574-11ef-9f32-0242ac110005"},"uid":"636054f0-5574-11ef-8588-0242ac110005","cmd_line":"swingers centers burke","container":{"name":"heather troubleshooting considerable","size":119356271,"image":{"name":"listing hardwood defined","uid":"636066de-5574-11ef-9bc9-0242ac110005"},"hash":{"value":"F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"australian future sponsor"},"created_time":1723114384360489,"lineage":["seeds spouse noble","lifestyle fault floors"],"namespace_pid":18,"parent_process":{"pid":42,"file":{"name":"implemented.rom","type":"Unknown","path":"calcium amateur harmony/ltd.toast/implemented.rom","modifier":{"type":"Admin","uid":"6360b08a-5574-11ef-ae8e-0242ac110005","type_id":2,"ldap_person":{"location":{"desc":"Croatia, Republic of","city":"Regulations technician","country":"HR","coordinates":[-57.4552,63.8901],"continent":"Europe"},"cost_center":"verify nut levels","ldap_cn":"racing morgan volt","ldap_dn":"census doors though","modified_time_dt":"2024-08-08T10:53:04.363022Z"}},"type_id":0,"creator":{"name":"With","type":"Unknown","domain":"adjustment container harris","uid":"6360d920-5574-11ef-a83a-0242ac110005","type_id":0,"account":{"name":"europe eating mailing","type":"Linux Account","uid":"6360e442-5574-11ef-9167-0242ac110005","type_id":9}},"parent_folder":"calcium amateur 
harmony/ltd.toast","hashes":[{"value":"19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661","algorithm":"SHA-256","algorithm_id":3},{"value":"652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F","algorithm":"SHA-256","algorithm_id":3}],"modified_time_dt":"2024-08-08T10:53:04.363717Z"},"user":{"name":"Satisfaction","type":"System","uid":"6360f752-5574-11ef-a1db-0242ac110005","type_id":3,"account":{"type":"LDAP Account","uid":"636119d0-5574-11ef-a86d-0242ac110005","type_id":1},"credential_uid":"6361204c-5574-11ef-8854-0242ac110005"},"group":{"name":"flags gang blow","desc":"mistakes prediction toy","uid":"63612c22-5574-11ef-800b-0242ac110005","privileges":["joining boots aw","gang robust transport"]},"uid":"636132c6-5574-11ef-83af-0242ac110005","cmd_line":"psp bush feet","container":{"name":"obligation catalyst concentrations","runtime":"tex strings mounted","size":1952448709,"uid":"63613c44-5574-11ef-bd50-0242ac110005","image":{"name":"rate ben fish","uid":"63614568-5574-11ef-bf7a-0242ac110005"},"hash":{"value":"43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3","algorithm":"magic","algorithm_id":99}},"created_time":1723114384366178,"namespace_pid":17,"parent_process":{"name":"Versions","pid":16,"session":{"uid":"6361567a-5574-11ef-b26b-0242ac110005","issuer":"level boc morrison","created_time":1723114384366575,"credential_uid":"63615e22-5574-11ef-b196-0242ac110005","is_remote":false},"file":{"name":"python.bin","owner":{"name":"Yoga","type":"Admin","type_id":2},"type":"afghanistan","path":"variable their precipitation/moving.sql/python.bin","signature":{"certificate":{"version":"1.1.0","subject":"x tide described","issuer":"equations different 
edward","fingerprints":[{"value":"90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00","algorithm":"TLSH","algorithm_id":6}],"created_time":1723114384368646,"expiration_time":1723114384368652,"serial_number":"ultimate nervous george"},"algorithm":"Authenticode","algorithm_id":4},"type_id":99,"accessor":{"name":"Jd","type":"deviant","domain":"elizabeth cheapest solution","uid":"6361bec6-5574-11ef-81b5-0242ac110005","type_id":99},"mime_type":"personnel/bids","parent_folder":"variable their precipitation/moving.sql","hashes":[{"value":"2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3","algorithm":"CTPH","algorithm_id":5}]},"user":{"name":"Spring","type":"nu","uid":"6361cccc-5574-11ef-994f-0242ac110005","org":{"name":"watts desktop hong","uid":"6361d546-5574-11ef-b2b3-0242ac110005"},"type_id":99,"account":{"name":"bd atom berkeley","type":"Apple Account","uid":"6361dec4-5574-11ef-80de-0242ac110005","type_id":8},"email_addr":"Kristin@tion.net"},"group":{"name":"academics secondary simon","uid":"6361ef22-5574-11ef-8892-0242ac110005"},"uid":"6361f634-5574-11ef-87d8-0242ac110005","cmd_line":"distances participating maintenance","container":{"name":"waste counties homepage","size":3565502421,"uid":"63620160-5574-11ef-b37a-0242ac110005","image":{"name":"apt lp screen","path":"gulf brian arrow","uid":"63620bec-5574-11ef-8f30-0242ac110005"},"network_driver":"ks field roger","pod_uuid":"breathing"},"created_time":1723114384371224,"namespace_pid":72,"parent_process":{"name":"Definitely","pid":14,"file":{"attributes":39,"name":"wing.crdownload","type":"Folder","path":"regularly drivers sacred/rational.fla/wing.crdownload","product":{"name":"cr fat generators","version":"1.1.0","uid":"636288ba-5574-11ef-b671-0242ac110005","lang":"en","vendor_name":"conflicts feed receivers"},"type_id":2,"parent_folder":"regularly drivers 
sacred/rational.fla","created_time":1723114384374429,"hashes":[{"value":"140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02","algorithm":"quickXorHash","algorithm_id":7},{"value":"E405FA83FE9CFE003B49FD852D4429D0EFF2F914","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1723114384374497,"xattributes":{},"created_time_dt":"2024-08-08T10:53:04.374525Z"},"user":{"name":"Influenced","type":"User","domain":"adding merit extend","uid":"63629a58-5574-11ef-8c2b-0242ac110005","type_id":1,"credential_uid":"6362a124-5574-11ef-a23f-0242ac110005"},"group":{"domain":"enterprises civil knowledge","desc":"patch celebration lancaster","uid":"6362ab10-5574-11ef-adda-0242ac110005"},"uid":"6362b0ec-5574-11ef-bb67-0242ac110005","loaded_modules":["/fri/tall/bit/rap/meyer.hqx"],"cmd_line":"railway filling consistent","container":{"name":"calvin actor describe","size":1384069832,"tag":"automobiles gratuit tower","uid":"6362bb3c-5574-11ef-8a12-0242ac110005","image":{"name":"pi churches es","uid":"6362c56e-5574-11ef-8c25-0242ac110005"},"hash":{"value":"67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341","algorithm":"CTPH","algorithm_id":5},"orchestrator":"asking jerry namespace"},"created_time":1723114384376016,"integrity":"System","integrity_id":5,"namespace_pid":67,"parent_process":{"name":"Animal","pid":95,"file":{"attributes":1,"name":"tennessee.wsf","type":"Folder","path":"pennsylvania matthew somewhere/saw.dbf/tennessee.wsf","uid":"6362dc0c-5574-11ef-b631-0242ac110005","type_id":2,"creator":{"name":"Cognitive","type":"User","uid":"6362e6ac-5574-11ef-a13c-0242ac110005","type_id":1,"email_addr":"Lorretta@components.nato"},"parent_folder":"pennsylvania matthew 
somewhere/saw.dbf","hashes":[{"value":"1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734","algorithm":"SHA-256","algorithm_id":3},{"value":"DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434","algorithm":"magic","algorithm_id":99}],"is_system":false,"security_descriptor":"lcd elementary surround"},"user":{"name":"Guys","type":"Unknown","uid":"63630eca-5574-11ef-b29c-0242ac110005","org":{"name":"mighty thou ff","uid":"636317ee-5574-11ef-b39a-0242ac110005","ou_name":"companies functions hockey"},"groups":[{"name":"hood powers merely","domain":"parties entertainment lemon","uid":"636321d0-5574-11ef-ae4b-0242ac110005"},{"name":"rise parcel bookmarks","privileges":["etc survey at","cohen mails bio"]}],"type_id":0,"email_addr":"Classie@municipality.pro"},"group":{"name":"legislature normal lectures","uid":"63632d38-5574-11ef-85c8-0242ac110005"},"uid":"63633300-5574-11ef-80ee-0242ac110005","cmd_line":"magazines spin aaron","container":{"name":"deputy mirror eagle","size":2004032787,"tag":"magazine looking deemed","uid":"63633e40-5574-11ef-9825-0242ac110005","image":{"uid":"6363469c-5574-11ef-9299-0242ac110005"},"hash":{"value":"55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037","algorithm":"SHA-512","algorithm_id":4}},"created_time":1723114384379317,"namespace_pid":66,"parent_process":{"name":"Delight","file":{"name":"plasma.3dm","type":"Folder","path":"important companion consultancy/wallpaper.drv/plasma.3dm","signature":{"certificate":{"version":"1.1.0","subject":"assuming remarks brass","issuer":"sheet registry 
concord","fingerprints":[{"value":"EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF","algorithm":"SHA-256","algorithm_id":3},{"value":"E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59","algorithm":"CTPH","algorithm_id":5}],"created_time":1723114384380115,"expiration_time":1723114384380123,"serial_number":"provinces medicine it"},"algorithm":"Unknown","algorithm_id":0},"type_id":2,"parent_folder":"important companion consultancy/wallpaper.drv","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591","algorithm":"SHA-256","algorithm_id":3},{"value":"208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Focused","type":"Admin","type_id":2,"email_addr":"Numbers@si.coop","uid_alt":"biggest stupid linking"},"group":{"name":"jar transparency sing","privileges":["costs anthropology nickname","nbc dns flex"]},"tid":66,"uid":"63637afe-5574-11ef-b99b-0242ac110005","cmd_line":"felt essay relax","container":{"name":"contain accepted gba","runtime":"admin hammer variance","tag":"geographical registered suspension","uid":"63638544-5574-11ef-bbd6-0242ac110005","image":{"name":"exist acceptance britney","uid":"63638df0-5574-11ef-8d90-0242ac110005"},"hash":{"value":"83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A","algorithm":"magic","algorithm_id":99},"network_driver":"shops congratulations variance"},"created_time":1723114384381145,"integrity":"Protected","integrity_id":6,"namespace_pid":1,"parent_process":{"pid":44,"file":{"attributes":2,"name":"fits.cfm","type":"Symbolic Link","path":"watts leave ukraine/ringtones.rtf/fits.cfm","type_id":7,"parent_folder":"watts leave 
ukraine/ringtones.rtf","confidentiality":"Confidential","confidentiality_id":2,"hashes":[{"value":"B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E","algorithm":"SHA-512","algorithm_id":4},{"value":"3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124","algorithm":"SHA-1","algorithm_id":2}],"is_system":true,"security_descriptor":"selling dt few","accessed_time_dt":"2024-08-08T10:53:04.381694Z","created_time_dt":"2024-08-08T10:53:04.381707Z"},"user":{"name":"Edgar","uid":"6363b992-5574-11ef-9143-0242ac110005","ldap_person":{"email_addrs":["Mariann@routine.net"],"job_title":"alto languages tanks","deleted_time_dt":"2024-08-08T10:53:04.382339Z"}},"group":{"name":"thinking offices worcester","uid":"6363ca0e-5574-11ef-837d-0242ac110005","privileges":["ingredients pins connector"]},"uid":"6363d120-5574-11ef-b647-0242ac110005","cmd_line":"effects day pocket","container":{"name":"astronomy routing grocery","size":2306842201,"tag":"exchange timber candles","uid":"6363dbde-5574-11ef-a3c5-0242ac110005","image":{"name":"errors request zdnet","uid":"6363e57a-5574-11ef-8bf7-0242ac110005"},"hash":{"value":"237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"viral lindsay intellectual"},"created_time":1723114384383389,"namespace_pid":39,"parent_process":{"name":"Vessels","pid":73,"file":{"name":"photo.gadget","owner":{"name":"Priorities","type":"uploaded","uid":"63640244-5574-11ef-864e-0242ac110005","type_id":99,"account":{"name":"charles verification grave","type":"Unknown","uid":"63640bea-5574-11ef-881a-0242ac110005","type_id":0}},"type":"Symbolic Link","version":"1.1.0","path":"alter checked emperor/toner.htm/photo.gadget","type_id":7,"parent_folder":"alter checked emperor/toner.htm","confidentiality":"Not 
Confidential","confidentiality_id":1,"created_time":1723114384384361,"hashes":[{"value":"DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0","algorithm":"SHA-512","algorithm_id":4},{"value":"5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0","algorithm":"SHA-256","algorithm_id":3}]},"user":{"type":"carmen","uid":"63641a22-5574-11ef-8919-0242ac110005","type_id":99,"account":{"name":"reef terrorist graduation","type":"AWS Account","uid":"636423be-5574-11ef-8304-0242ac110005","type_id":10},"email_addr":"Lauryn@reliance.travel"},"cmd_line":"lung mega nn","container":{"name":"texas comments creator","size":639972788,"uid":"63642e36-5574-11ef-aac4-0242ac110005","hash":{"value":"1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6","algorithm":"quickXorHash","algorithm_id":7},"orchestrator":"preview contractors helps"},"created_time":1723114384385246,"namespace_pid":8,"parent_process":{"name":"Scott","pid":56,"file":{"name":"ba.3ds","type":"Block Device","path":"diagnosis angeles portsmouth/travels.mpa/ba.3ds","type_id":4,"parent_folder":"diagnosis angeles portsmouth/travels.mpa","accessed_time":1723114384386177,"created_time":1723114384386185,"hashes":[{"value":"50D299D6D7966A2DC1E0CF7FEB739E33","algorithm":"MD5","algorithm_id":1},{"value":"328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9","algorithm":"TLSH","algorithm_id":6}],"created_time_dt":"2024-08-08T10:53:04.386239Z"},"user":{"name":"Kit","type":"Admin","domain":"amendment spot sudan","type_id":2},"group":{"name":"passed rankings affects","uid":"63646496-5574-11ef-bfc5-0242ac110005"},"uid":"63646b44-5574-11ef-a77a-0242ac110005","cmd_line":"notre cameras draw","container":{"name":"katrina commonly 
sweet","uid":"636474e0-5574-11ef-bca8-0242ac110005","image":{"name":"advertisement metabolism bound","tag":"parent prostores taste","path":"advantage bm record","uid":"63647df0-5574-11ef-b02b-0242ac110005"},"hash":{"value":"36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605","algorithm":"Unknown","algorithm_id":0},"orchestrator":"child railroad thehun"},"created_time":1723114384387286,"namespace_pid":4,"parent_process":{"name":"Burning","pid":34,"session":{"issuer":"mounts burns budgets","created_time":1723114384387484,"is_remote":true,"is_vpn":true},"file":{"attributes":97,"name":"employment.wma","owner":{"name":"Nov","type":"User","uid":"6364960a-5574-11ef-ad32-0242ac110005","org":{"name":"arrive protecting fy","uid":"6364a60e-5574-11ef-aaf1-0242ac110005","ou_name":"cat saints infringement","ou_uid":"6364acb2-5574-11ef-b1ce-0242ac110005"},"groups":[{"name":"head state rubber","uid":"6364d64c-5574-11ef-a880-0242ac110005"},{"name":"catalyst strong mins","desc":"consortium bald removing","uid":"6364de3a-5574-11ef-9448-0242ac110005"}],"type_id":1},"type":"Symbolic Link","version":"1.1.0","path":"executed removal years/among.yuv/employment.wma","product":{"version":"1.1.0","path":"internship progress gun","lang":"en","vendor_name":"sp protection requests"},"type_id":7,"mime_type":"medal/nearly","parent_folder":"executed removal 
years/among.yuv","hashes":[{"value":"5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28","algorithm":"CTPH","algorithm_id":5},{"value":"BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8","algorithm":"TLSH","algorithm_id":6}],"accessed_time_dt":"2024-08-08T10:53:04.389945Z","created_time_dt":"2024-08-08T10:53:04.389957Z"},"user":{"name":"Without","type":"celebs","uid":"6364f62c-5574-11ef-be1d-0242ac110005","type_id":99},"group":{"desc":"allowance vacation ae"},"tid":42,"uid":"636504b4-5574-11ef-af4a-0242ac110005","cmd_line":"macintosh enjoying disposal","container":{"size":117561636,"image":{"name":"federation technical rally","uid":"636511ac-5574-11ef-b939-0242ac110005"},"hash":{"value":"1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657","algorithm":"SHA-512","algorithm_id":4},"orchestrator":"winning business collaborative"},"created_time":1723114384391076,"parent_process":{"name":"Vic","pid":16,"session":{"count":58,"uid":"636527dc-5574-11ef-a1e5-0242ac110005","issuer":"petition disclaimer clara","created_time":1723114384391616,"expiration_reason":"declined attorney sunday","is_remote":false,"is_vpn":false,"uid_alt":"sim yorkshire adaptation","expiration_time_dt":"2024-08-08T10:53:04.391655Z"},"file":{"name":"medication.pdf","owner":{"type":"System","domain":"affiliation arab invision","uid":"63653dee-5574-11ef-8c70-0242ac110005","type_id":3,"ldap_person":{"created_time":1723114384392352,"email_addrs":["Olympia@jesse.travel","Mina@seeking.com"],"employee_uid":"63654de8-5574-11ef-a8ac-0242ac110005","given_name":"pulse waiver footwear","ldap_cn":"professionals worm eng","leave_time":1723114384392577}},"size":1001943972,"type":"Folder","version":"1.1.0","path":"gotten unique 
thereafter/championship.deskthemepack/medication.pdf","product":{"name":"mumbai determined nobody","version":"1.1.0","uid":"6365590a-5574-11ef-aaa7-0242ac110005","lang":"en","vendor_name":"infected listen uk"},"uid":"63655f9a-5574-11ef-add1-0242ac110005","type_id":2,"creator":{"name":"Kurt","type":"examines","uid":"636569d6-5574-11ef-bef4-0242ac110005","type_id":99,"account":{"name":"petite suggestions british","type":"AWS Account","uid":"63657340-5574-11ef-b69a-0242ac110005","type_id":10},"uid_alt":"rack fake bleeding"},"parent_folder":"gotten unique thereafter/championship.deskthemepack","confidentiality":"Secret","confidentiality_id":3,"hashes":[{"value":"C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1","algorithm":"quickXorHash","algorithm_id":7}],"is_system":true},"user":{"type":"recent","uid":"6365822c-5574-11ef-95fb-0242ac110005","org":{"name":"jerry calling mardi","uid":"63658ac4-5574-11ef-bea5-0242ac110005","ou_name":"motion ampland acknowledged"},"type_id":99,"credential_uid":"63659186-5574-11ef-a13d-0242ac110005","email_addr":"Lynetta@lib.jobs"},"group":{"name":"phys dollar not","type":"foster prefer phys","domain":"explicitly retreat de","uid":"63659b86-5574-11ef-ac1a-0242ac110005"},"uid":"6365a1b2-5574-11ef-847c-0242ac110005","cmd_line":"sorts sites obtained","container":{"name":"hack aud canadian","size":2490340163,"uid":"6365ab4e-5574-11ef-a5b2-0242ac110005","image":{"name":"graphs uni learned","uid":"6365b47c-5574-11ef-94cc-0242ac110005"},"hash":{"value":"1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98","algorithm":"TLSH","algorithm_id":6},"network_driver":"nh essentials blogs","pod_uuid":"automobiles"},"created_time":1723114384395481,"namespace_pid":90,"parent_process":{"name":"Offline","pid":2,"session":{"uuid":"6365e014-5574-11ef-a98e-0242ac110005","issuer":"bluetooth raise 
shopping","created_time":1723114384396317,"expiration_reason":"politics nt username","expiration_time":1723114384396336,"is_remote":true,"expiration_time_dt":"2024-08-08T10:53:04.396343Z"},"file":{"name":"atlantic.icns","type":"Symbolic Link","path":"rear biology finest/nintendo.class/atlantic.icns","signature":{"certificate":{"version":"1.1.0","subject":"national garmin even","issuer":"cut duo agencies","fingerprints":[{"value":"E8D8654C197E7B3BEED4D69E3EDD3A5B","algorithm":"MD5","algorithm_id":1},{"value":"75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361","algorithm":"Unknown","algorithm_id":0}],"expiration_time":1723114384396755,"serial_number":"rhode realty talented"},"algorithm":"vendor","algorithm_id":99},"desc":"specific aside io","type_id":7,"parent_folder":"rear biology finest/nintendo.class","confidentiality":"freelance pty ferrari","created_time":1723114384396786,"hashes":[{"value":"0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007","algorithm":"Unknown","algorithm_id":0},{"value":"D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1723114384396821,"xattributes":{},"modified_time_dt":"2024-08-08T10:53:04.396853Z"},"user":{"name":"Collectables","type":"User","domain":"crops midi hope","uid":"6366010c-5574-11ef-bfe7-0242ac110005","type_id":1,"uid_alt":"thunder pickup tab"},"group":{"desc":"muze comply jets"},"uid":"63660b34-5574-11ef-bbcf-0242ac110005","cmd_line":"canada federation computational","container":{"name":"barriers cheaper logged","runtime":"logos drilling schools","uid":"636616ce-5574-11ef-bd26-0242ac110005","image":{"name":"handy derek 
tb","uid":"63661fac-5574-11ef-9e80-0242ac110005"},"hash":{"value":"6F08C5DDCDD0BE06D83AA3E0E3D5A09E","algorithm":"MD5","algorithm_id":1}},"created_time":1723114384397969,"namespace_pid":82,"parent_process":{"name":"Recommendations","pid":76,"file":{"attributes":9,"name":"placement.3dm","type":"Symbolic Link","version":"1.1.0","path":"arizona concentrations widescreen/wire.tax2020/placement.3dm","modifier":{"name":"Incident","type":"Admin","uid":"63663aa0-5574-11ef-89ff-0242ac110005","groups":[{"name":"guest demographic terry","domain":"adventure charter tom","uid":"63665ca6-5574-11ef-abfa-0242ac110005"},{"name":"moderators broker asian","uid":"636664f8-5574-11ef-96ca-0242ac110005"}],"type_id":2,"account":{"type":"Windows Account","uid":"63666f0c-5574-11ef-98ef-0242ac110005","type_id":2},"uid_alt":"notre sponsorship elections"},"desc":"populations servers environments","type_id":7,"company_name":"Christa Marta","creator":{"name":"Quotes","type":"System","uid":"63667ca4-5574-11ef-a8ae-0242ac110005","groups":[{"name":"engineers constitute papers","uid":"636685fa-5574-11ef-8fd9-0242ac110005"},{"type":"introducing amendments portuguese","uid":"63668c80-5574-11ef-bd3d-0242ac110005"}],"type_id":3,"account":{"name":"hewlett beats hit","type":"GCP Account","uid":"636695b8-5574-11ef-8e13-0242ac110005","type_id":5},"ldap_person":{"location":{"desc":"Cyprus, Republic of","city":"Bibliographic selections","country":"CY","coordinates":[-120.1139,17.5612],"continent":"Asia"},"modified_time":1723114384401210,"office_location":"dl td transition","last_login_time_dt":"2024-08-08T10:53:04.401225Z"}},"parent_folder":"arizona concentrations 
widescreen/wire.tax2020","accessed_time":1723114384401235,"hashes":[{"value":"5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366","algorithm":"quickXorHash","algorithm_id":7},{"value":"E2A4DD55AA0F76F85A047DAF5B859095","algorithm":"MD5","algorithm_id":1}],"xattributes":{},"created_time_dt":"2024-08-08T10:53:04.401316Z"},"user":{"name":"Taxes","type":"System","uid":"6366aed6-5574-11ef-855a-0242ac110005","type_id":3},"group":{"name":"split viking nike","domain":"apollo clicking incorrect","uid":"6366b8c2-5574-11ef-a4e8-0242ac110005"},"uid":"6366be8a-5574-11ef-a313-0242ac110005","cmd_line":"accessible annotated plus","container":{"name":"butter repeated annie","size":1994539178,"uid":"6366e1b2-5574-11ef-a230-0242ac110005","image":{"name":"newspapers marriage translations","uid":"6366ed6a-5574-11ef-9f59-0242ac110005"},"hash":{"value":"E94025BE336B1F89159AF64B1F6EDA5D470AC8D6","algorithm":"SHA-1","algorithm_id":2}},"created_time":1723114384403255,"integrity":"applying observe nba","namespace_pid":98,"parent_process":{"name":"Exotic","pid":64,"session":{"uid":"636701d8-5574-11ef-a4f1-0242ac110005","credential_uid":"6367082c-5574-11ef-aaa8-0242ac110005","expiration_reason":"washing sunday reaching","expiration_time":1723114384403944,"is_remote":true,"created_time_dt":"2024-08-08T10:53:04.403955Z","expiration_time_dt":"2024-08-08T10:53:04.403964Z"},"file":{"name":"accuracy.kmz","type":"Character Device","version":"1.1.0","path":"breast enjoying verbal/assure.gam/accuracy.kmz","signature":{"certificate":{"version":"1.1.0","subject":"lion struggle widespread","issuer":"clocks suppose products","fingerprints":[{"value":"83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E","algorithm":"TLSH","algorithm_id":6}],"created_time":1723114384404438,"expiration_time":1723114384404443,"serial_number":"negotiation feel 
cole"},"algorithm":"gotten","algorithm_id":99},"product":{"version":"1.1.0","uid":"6367296a-5574-11ef-8136-0242ac110005","lang":"en","vendor_name":"cindy specifications frontpage"},"uid":"63673090-5574-11ef-ad66-0242ac110005","type_id":3,"parent_folder":"breast enjoying verbal/assure.gam","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C","algorithm":"quickXorHash","algorithm_id":7},{"value":"990D4710B15458E3EDAA8601CDF5B44648B4FC61","algorithm":"SHA-1","algorithm_id":2}],"is_system":false,"accessed_time_dt":"2024-08-08T10:53:04.404997Z"},"user":{"name":"Saver","type":"Admin","uid":"6367417a-5574-11ef-8cd6-0242ac110005","groups":[{"name":"guyana applied attribute","domain":"identification browsing structures","uid":"63676952-5574-11ef-a883-0242ac110005"}],"type_id":2,"full_name":"Mayme Lurline"},"group":{"name":"executive mathematical signals","uid":"63677460-5574-11ef-a07f-0242ac110005"},"tid":41,"uid":"63677a6e-5574-11ef-9578-0242ac110005","cmd_line":"mere loaded similar","created_time":1723114384406818,"lineage":["operational pilot citysearch"]},"auid":58,"euid":32,"created_time_dt":"2024-08-08T10:53:04.406843Z"},"terminated_time":1723114384406852}},"xattributes":{},"auid":30},"xattributes":{},"euid":78,"terminated_time_dt":"2024-08-08T10:53:04.406915Z"},"sandbox":"challenged profiles family","xattributes":{}},"sandbox":"declare indication occupations","xattributes":{}},"sandbox":"delays fighting soonest","euid":11},"created_time_dt":"2024-08-08T10:53:04.406974Z"},"terminated_time":1723114384406979},"euid":20},"auid":5},"sandbox":"representing stationery affiliated"},"euid":92},"auid":32}},"sandbox":"em therefore 
spoke","xattributes":{},"created_time_dt":"2024-08-08T10:53:04.407027Z"},"xattributes":{},"euid":11,"terminated_time_dt":"2024-08-08T10:53:04.407047Z"},"terminated_time_dt":"2024-08-08T10:53:04.407054Z"},"sandbox":"conversations poker oriented","auid":31,"euid":40,"terminated_time_dt":"2024-08-08T10:53:04.407066Z"},"terminated_time":1723114384407071,"euid":45},"egid":67},"xattributes":{},"euid":77,"egid":31},"auid":39}},"egid":16},"created_time_dt":"2024-08-08T10:53:04.407101Z"},"sandbox":"numbers audience guard","auid":45,"terminated_time_dt":"2024-08-08T10:53:04.407112Z"},"user":{"name":"Boy","type":"Admin","domain":"distance predicted facilities","uid":"63679120-5574-11ef-be81-0242ac110005","type_id":2},"invoked_by":"popularity puzzle provides"},"cloud":{"provider":"diabetes gaps ag","region":"act ran entity"},"dst_endpoint":{"name":"full essentials size","port":55506,"type":"ssl","os":{"name":"mailing possibilities either","type":"AIX","version":"1.1.0","build":"walking thermal neck","type_id":401},"ip":"226.140.221.18","uid":"635383ba-5574-11ef-bd0d-0242ac110005","type_id":99,"container":{"name":"twelve will royalty","runtime":"lopez bulletin thru","size":2829011720,"tag":"grain alert score","uid":"63539300-5574-11ef-82a9-0242ac110005","image":{"name":"routing playback sb","uid":"63539e90-5574-11ef-9508-0242ac110005"},"hash":{"value":"4447CDB3261C7AE4F053DC296FEE1093F25F731D23A692D5819318F1901FDEC79EB2CA760BABCD759285BAE417ACD21FC64BB623583834C076F16FA9A53F1107","algorithm":"Unknown","algorithm_id":0},"orchestrator":"georgia rr scheduled","pod_uuid":"municipality"},"instance_uid":"6353a91c-5574-11ef-b5fc-0242ac110005","interface_name":"ideas utility possible","interface_uid":"6353afd4-5574-11ef-b86c-0242ac110005","namespace_pid":72,"proxy_endpoint":{"name":"lit canberra terminology","port":64602,"type":"IOT","ip":"35.105.135.121","location":{"desc":"Guadeloupe","city":"Establishment kind","country":"GP","coordinates":[90.6576,-34.4194],"continent":"North 
America"},"hostname":"guided.name","uid":"6353bf1a-5574-11ef-be0c-0242ac110005","type_id":7,"container":{"name":"programmes relevance boot","size":2534954875,"image":{"name":"weblogs grad offices","uid":"6353ca32-5574-11ef-8405-0242ac110005","labels":["commit","walter"]},"hash":{"value":"71FAFC4E2FC1E47E234762A96B80512B6B5534C2","algorithm":"SHA-1","algorithm_id":2},"orchestrator":"mic waiting gains"},"instance_uid":"6353d496-5574-11ef-ba97-0242ac110005","interface_name":"nato pray consult","interface_uid":"6353db12-5574-11ef-861d-0242ac110005","namespace_pid":17,"proxy_endpoint":{"name":"slides weird discussion","port":38178,"type":"Server","domain":"equipped disagree kevin","ip":"114.100.167.141","hostname":"challenged.travel","uid":"6353ed14-5574-11ef-a94e-0242ac110005","type_id":1,"container":{"name":"produces integrate invitation","size":3462840380,"tag":"locks circuit hindu","uid":"6353f70a-5574-11ef-a129-0242ac110005","image":{"name":"amount dividend oregon","uid":"6353ff98-5574-11ef-8eac-0242ac110005"},"hash":{"value":"555F45D31B82ABEEDB74D75EACB96817602160400F9A16B894CB77D68292FE96CFDCF573199918FB36F17CCC5B1B99A9ABBB62D931C518CC5D6A05A5659B534C","algorithm":"CTPH","algorithm_id":5}},"hw_info":{"cpu_cores":9,"cpu_count":87,"cpu_speed":32,"keyboard_info":{"keyboard_type":"tries dramatically undo"}},"instance_uid":"63540c0e-5574-11ef-98f2-0242ac110005","interface_name":"detroit handbags discuss","interface_uid":"63541294-5574-11ef-aa42-0242ac110005","namespace_pid":67,"svc_name":"discovered occurs presidential","zone":"little tucson operations"},"svc_name":"history it exp","zone":"join your encourage"},"svc_name":"gl dropped workforce"},"severity_id":2,"src_endpoint":{"name":"allah pain blues","type":"Hub","ip":"175.16.199.0","hostname":"generic.edu","uid":"63552c6a-5574-11ef-847f-0242ac110005","mac":"E4:C5:2D:FD:E6:16:2B:96","type_id":11,"container":{"name":"involvement buses bowling","size":509766084,"tag":"lawyers genre 
trained","uid":"635539f8-5574-11ef-b41d-0242ac110005","image":{"name":"clause material fort","uid":"635540f6-5574-11ef-bbdd-0242ac110005","labels":["difficulties","confusion"]},"hash":{"value":"6DE8A320862880F35A99FE4448414E898831DCCD","algorithm":"SHA-1","algorithm_id":2}},"instance_uid":"63554826-5574-11ef-973b-0242ac110005","interface_name":"collections setting twelve","interface_uid":"63554c86-5574-11ef-90cb-0242ac110005","svc_name":"welding minute invention"},"status_id":0} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json index 470f79bf9237..7506f05dd7f7 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-application-activity.log-expected.json 
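Review bot: the generated sample event in this hunk contains routable and multicast addresses as test data: `"ip":"226.140.221.18"` in `dst_endpoint` falls inside the 224.0.0.0/4 multicast range, and `35.105.135.121` and `114.100.167.141` in the nested `proxy_endpoint` objects are ordinary public addresses, while `src_endpoint.ip` already uses the reserved test address `175.16.199.0`. Replacing the other three with addresses from the same test ranges keeps the fixture from pointing at real hosts. A second, smaller point: several `container.hash` objects carry a 128-hex-character value with `"algorithm":"Unknown","algorithm_id":0`; that is fine for exercising the default branch of the hash mapping, but the intent is clearer if one of the fixture events does so deliberately rather than as a by-product of random generation.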
@@ -501,6 +501,2568 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "2024-08-06T12:02:54.073Z", + "cloud": { + "availability_zone": "raised expert baseball", + "provider": "experimental mac seconds", + "region": "debate population smithsonian" + }, + "container": { + "id": "cfd0b25e-53eb-11ef-aab1-0242ac110005", + "image": { + "name": "number serial patients" + } + }, + "data_stream": { + "dataset": "amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "write", + "duration": 38000000, + "end": "2024-08-06T12:02:54.073Z", + "kind": "event", + "original": "{\"message\":\"routing rosa speeds\",\"status\":\"Failure\",\"type\":\"loc\",\"time\":1722945774073580,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"nightlife joint talked\",\"version\":\"1.1.0\",\"path\":\"roulette covered encryption\",\"uid\":\"cfcfc1aa-53eb-11ef-80a9-0242ac110005\",\"vendor_name\":\"rainbow league closure\"},\"extensions\":[{\"name\":\"importantly identifying causing\",\"version\":\"1.1.0\",\"uid\":\"cfcfce02-53eb-11ef-a17b-0242ac110005\"},{\"name\":\"feof nightlife dans\",\"version\":\"1.1.0\",\"uid\":\"cfcfd5d2-53eb-11ef-acdf-0242ac110005\"}],\"labels\":[\"dominant\"],\"log_level\":\"consult supplements external\",\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"ottawa triumph analysis\",\"log_provider\":\"medal removing losses\",\"original_time\":\"families batman star\",\"tenant_uid\":\"cfcfde4c-53eb-11ef-9b9b-0242ac110005\"},\"severity\":\"Informational\",\"duration\":38,\"type_name\":\"Datastore Activity: Write\",\"activity_id\":5,\"type_uid\":600505,\"category_name\":\"Application Activity\",\"class_uid\":6005,\"category_uid\":6,\"class_name\":\"Datastore 
Activity\",\"type_id\":99,\"end_time_dt\":\"2024-08-06T12:02:54.073562Z\",\"activity_name\":\"Write\",\"actor\":{\"process\":{\"name\":\"Flashing\",\"pid\":98,\"file\":{\"name\":\"senegal.dcr\",\"type\":\"Folder\",\"path\":\"stock armstrong ie/bobby.m3u/senegal.dcr\",\"type_id\":2,\"creator\":{\"name\":\"Slight\",\"type\":\"System\",\"domain\":\"dedicated smile macintosh\",\"uid\":\"cfd08748-53eb-11ef-8545-0242ac110005\",\"type_id\":3},\"parent_folder\":\"stock armstrong ie/bobby.m3u\",\"confidentiality\":\"Top Secret\",\"confidentiality_id\":4,\"hashes\":[{\"value\":\"6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"7B849A50DA92F39D6AF294B10E0B93F5\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time_dt\":\"2024-08-06T12:02:54.074547Z\"},\"user\":{\"name\":\"Contamination\",\"type\":\"Admin\",\"uid\":\"cfd09666-53eb-11ef-9cc7-0242ac110005\",\"type_id\":2},\"group\":{\"name\":\"desired administration quotations\",\"desc\":\"mime counsel uses\",\"uid\":\"cfd0a0f2-53eb-11ef-a02f-0242ac110005\"},\"uid\":\"cfd0a73c-53eb-11ef-9622-0242ac110005\",\"loaded_modules\":[\"/chronicle/initiated/hormone/surprise/corps.html\",\"/allan/appearance/viruses/college/naughty.rom\"],\"cmd_line\":\"associate directions partly\",\"container\":{\"size\":2753478121,\"uid\":\"cfd0b25e-53eb-11ef-aab1-0242ac110005\",\"image\":{\"name\":\"number serial patients\",\"uid\":\"cfd0bb46-53eb-11ef-b743-0242ac110005\"},\"hash\":{\"value\":\"D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722945774075951,\"namespace_pid\":78,\"parent_process\":{\"name\":\"Basin\",\"pid\":63,\"file\":{\"attributes\":67,\"name\":\"spirituality.mid\",\"type\":\"Character Device\",\"path\":\"analyzed election throws/composition.tax2020/spirituality.mid\",\"uid\":\"cfd0d964-53eb-11ef-9f61-0242ac110005\",\"type_id\":3,\"company_name\":\"Norberto 
Vena\",\"parent_folder\":\"analyzed election throws/composition.tax2020\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"security_descriptor\":\"nor treasury uri\",\"xattributes\":{}},\"user\":{\"name\":\"Revisions\",\"type\":\"Admin\",\"type_id\":2,\"ldap_person\":{\"created_time\":1722945774077119,\"hire_time\":1722945774077128,\"hire_time_dt\":\"2024-08-06T12:02:54.077132Z\"}},\"group\":{\"name\":\"adolescent antigua ui\",\"domain\":\"detail blah motels\",\"uid\":\"cfd0fa70-53eb-11ef-9120-0242ac110005\"},\"cmd_line\":\"hash unknown meters\",\"container\":{\"name\":\"gnome face decisions\",\"size\":411217035,\"uid\":\"cfd10448-53eb-11ef-8948-0242ac110005\",\"image\":{\"name\":\"climbing quickly lonely\",\"uid\":\"cfd10d12-53eb-11ef-8fcb-0242ac110005\"},\"hash\":{\"value\":\"48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722945774077934,\"lineage\":[\"off disturbed bidding\",\"validity requested without\"],\"namespace_pid\":60,\"parent_process\":{\"name\":\"Zus\",\"session\":{\"issuer\":\"informal witnesses endif\",\"created_time\":1722945774078143,\"is_remote\":false},\"file\":{\"attributes\":46,\"name\":\"invite.flv\",\"type\":\"Folder\",\"path\":\"mobiles at hazards/feels.b/invite.flv\",\"product\":{\"name\":\"executives dell bands\",\"version\":\"1.1.0\",\"uid\":\"cfd14174-53eb-11ef-ad92-0242ac110005\",\"url_string\":\"divx\",\"vendor_name\":\"neighbor advise animal\"},\"modifier\":{\"name\":\"Bang\",\"type\":\"wicked\",\"uid\":\"cfd14d0e-53eb-11ef-8822-0242ac110005\",\"org\":{\"name\":\"snake dam rapidly\",\"uid\":\"cfd155ba-53eb-11ef-9ea1-0242ac110005\",\"ou_name\":\"photo acrylic highway\"},\"groups\":[{\"name\":\"wales indoor speaking\",\"uid\":\"cfd160be-53eb-11ef-8f19-0242ac110005\"},{\"name\":\"mongolia records suffer\",\"desc\":\"bathrooms 
transfers diego\",\"uid\":\"cfd167da-53eb-11ef-b5a7-0242ac110005\"}],\"type_id\":99,\"full_name\":\"Etha Roy\"},\"uid\":\"cfd16ece-53eb-11ef-92bb-0242ac110005\",\"type_id\":2,\"company_name\":\"Christian Cinda\",\"parent_folder\":\"mobiles at hazards/feels.b\",\"confidentiality\":\"promise\",\"confidentiality_id\":99,\"hashes\":[{\"value\":\"CE59D0F436DBA3BA0A6A76043041A5E787C3B835\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"modified_time\":1722945774080462,\"security_descriptor\":\"allen mba skating\"},\"user\":{\"name\":\"Bernard\",\"type\":\"Admin\",\"type_id\":2,\"uid_alt\":\"denmark day sir\"},\"group\":{\"desc\":\"times substitute plasma\",\"uid\":\"cfd17fa4-53eb-11ef-bb39-0242ac110005\"},\"tid\":63,\"uid\":\"cfd185c6-53eb-11ef-85ca-0242ac110005\",\"loaded_modules\":[\"/hotels/stream/anchor/ted/ghost.zipx\",\"/secure/proprietary/execute/medicine/hl.dwg\"],\"cmd_line\":\"capabilities major outline\",\"container\":{\"name\":\"ul primary rivers\",\"size\":4147443008,\"uid\":\"cfd19624-53eb-11ef-b555-0242ac110005\",\"image\":{\"name\":\"objectives cooper expenses\",\"tag\":\"flashers incurred visiting\",\"uid\":\"cfd19f5c-53eb-11ef-b6a5-0242ac110005\"},\"hash\":{\"value\":\"32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}},\"created_time\":1722945774081680,\"lineage\":[\"feed prozac starring\"],\"parent_process\":{\"name\":\"Keep\",\"pid\":75,\"file\":{\"name\":\"shirts.pct\",\"type\":\"Folder\",\"path\":\"reporters schools bermuda/investigations.apk/shirts.pct\",\"modifier\":{\"name\":\"Drivers\",\"type\":\"Admin\",\"uid\":\"cfd1b884-53eb-11ef-9e17-0242ac110005\",\"type_id\":2,\"credential_uid\":\"cfd1bf00-53eb-11ef-9ae0-0242ac110005\"},\"type_id\":2,\"parent_folder\":\"reporters schools 
bermuda/investigations.apk\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}]},\"user\":{\"name\":\"Northeast\",\"type\":\"Admin\",\"uid\":\"cfd1cbbc-53eb-11ef-86e4-0242ac110005\",\"org\":{\"name\":\"demo dressing bloggers\",\"ou_name\":\"infection replace kingdom\"},\"groups\":[{\"type\":\"multi extension th\",\"domain\":\"rolled womens allowed\",\"uid\":\"cfd1de54-53eb-11ef-9548-0242ac110005\"},{\"name\":\"shorter hydrocodone obtaining\",\"type\":\"jenny version diploma\"}],\"type_id\":2,\"credential_uid\":\"cfd1e638-53eb-11ef-acdc-0242ac110005\",\"email_addr\":\"Timika@starsmerchant.store\",\"uid_alt\":\"jr participants illustration\"},\"group\":{\"name\":\"easily strengthening concept\",\"type\":\"claimed farms dressed\",\"domain\":\"jim presents tire\",\"uid\":\"cfd1f0b0-53eb-11ef-a5b6-0242ac110005\"},\"tid\":93,\"uid\":\"cfd1f6b4-53eb-11ef-88fe-0242ac110005\",\"container\":{\"name\":\"travesti borough biggest\",\"size\":3355225968,\"uid\":\"cfd201c2-53eb-11ef-86c9-0242ac110005\",\"hash\":{\"value\":\"A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1722945774084196,\"namespace_pid\":63,\"parent_process\":{\"name\":\"Acres\",\"pid\":41,\"file\":{\"name\":\"cafe.fon\",\"type\":\"Local Socket\",\"path\":\"microwave cir nails/gtk.dmg/cafe.fon\",\"uid\":\"cfd23214-53eb-11ef-aaf5-0242ac110005\",\"type_id\":5,\"creator\":{\"name\":\"Soa\",\"ldap_person\":{\"manager\":{\"name\":\"Arrangements\",\"type\":\"bunch\",\"domain\":\"permission eu anonymous\",\"uid\":\"cfd25802-53eb-11ef-bc5e-0242ac110005\",\"org\":{\"name\":\"positioning sending donald\",\"uid\":\"cfd261e4-53eb-11ef-8e64-0242ac110005\",\"ou_name\":\"americans pee mixed\"},\"type_id\":99},\"cost_center\":\"char immigration 
blue\",\"employee_uid\":\"cfd269b4-53eb-11ef-862f-0242ac110005\",\"job_title\":\"tm payday needed\",\"office_location\":\"hack maintains suit\",\"hire_time_dt\":\"2024-08-06T12:02:54.086830Z\"}},\"parent_folder\":\"microwave cir nails/gtk.dmg\",\"security_descriptor\":\"hour rca writes\"},\"user\":{\"name\":\"Defence\",\"type\":\"Admin\",\"uid\":\"cfd27814-53eb-11ef-91f4-0242ac110005\",\"groups\":[{\"name\":\"suppliers returns jewellery\",\"uid\":\"cfd28336-53eb-11ef-a671-0242ac110005\"},{\"name\":\"archive honolulu restricted\",\"uid\":\"cfd28a84-53eb-11ef-a27d-0242ac110005\"}],\"type_id\":2,\"account\":{\"name\":\"engage subscribe fireplace\",\"type\":\"Unknown\",\"uid\":\"cfd298e4-53eb-11ef-9fc1-0242ac110005\",\"type_id\":0},\"ldap_person\":{\"manager\":{\"name\":\"Lucia\",\"domain\":\"sides sheet lt\",\"uid\":\"cfd2a640-53eb-11ef-b33d-0242ac110005\",\"credential_uid\":\"cfd2ac3a-53eb-11ef-89b0-0242ac110005\",\"email_addr\":\"Dodie@soundtrack.firm\"},\"modified_time\":1722945774088534,\"leave_time_dt\":\"2024-08-06T12:02:54.088544Z\",\"last_login_time_dt\":\"2024-08-06T12:02:54.088552Z\"},\"uid_alt\":\"trustee tree normally\"},\"group\":{\"name\":\"income bridges uruguay\",\"uid\":\"cfd2b96e-53eb-11ef-b3a0-0242ac110005\"},\"tid\":47,\"uid\":\"cfd2bf72-53eb-11ef-96ff-0242ac110005\",\"loaded_modules\":[\"/counters/kentucky/proceeding/yo/norwegian.mp3\",\"/indianapolis/sega/statutes/java/purple.bat\"],\"cmd_line\":\"calibration signature temp\",\"container\":{\"name\":\"begins magnetic inn\",\"size\":83122349,\"uid\":\"cfd2ca08-53eb-11ef-af87-0242ac110005\",\"image\":{\"name\":\"pot pulse ser\",\"path\":\"seat employers licenses\",\"uid\":\"cfd2d638-53eb-11ef-a4c4-0242ac110005\"},\"hash\":{\"value\":\"CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"essay brother 
facility\",\"pod_uuid\":\"bachelor\"},\"created_time\":1722945774089651,\"integrity\":\"Protected\",\"integrity_id\":6,\"namespace_pid\":96,\"parent_process\":{\"name\":\"Nationwide\",\"pid\":28,\"file\":{\"name\":\"fragrance.otf\",\"owner\":{\"name\":\"Does\",\"type\":\"Admin\",\"uid\":\"cfd2f1c2-53eb-11ef-9117-0242ac110005\",\"type_id\":2,\"email_addr\":\"Patrina@prototype.gov\",\"ldap_person\":{\"cost_center\":\"permits interact afternoon\",\"deleted_time\":1722945774090716,\"ldap_dn\":\"renaissance exhibition far\",\"leave_time_dt\":\"2024-08-06T12:02:54.090731Z\",\"last_login_time_dt\":\"2024-08-06T12:02:54.090739Z\"}},\"type\":\"Block Device\",\"path\":\"thumbzilla sir drawings/clicking.ico/fragrance.otf\",\"modifier\":{\"name\":\"Romania\",\"type\":\"Unknown\",\"uid\":\"cfd30dd8-53eb-11ef-a1d7-0242ac110005\",\"groups\":[{\"name\":\"boat generate canadian\",\"type\":\"breast brave sacramento\",\"domain\":\"mostly third hats\",\"desc\":\"york yours falls\",\"uid\":\"cfd317ec-53eb-11ef-b8c7-0242ac110005\",\"privileges\":[\"queries meyer wellness\"]},{\"name\":\"considerations wants books\",\"uid\":\"cfd31f1c-53eb-11ef-8b0c-0242ac110005\"}],\"type_id\":0},\"type_id\":4,\"parent_folder\":\"thumbzilla sir drawings/clicking.ico\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"created_time\":1722945774091482,\"hashes\":[{\"value\":\"8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"A541714A17804AC281E6DDDA5B707952\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time\":1722945774091552,\"xattributes\":{}},\"user\":{\"name\":\"Semester\",\"type\":\"Unknown\",\"uid\":\"cfd34d66-53eb-11ef-852b-0242ac110005\",\"groups\":[{\"name\":\"ellis methods congratulations\",\"uid\":\"cfd3572a-53eb-11ef-8889-0242ac110005\",\"privileges\":[\"deck version bathroom\"]},{\"name\":\"proposed margin drug\",\"desc\":\"race pg 
usps\",\"uid\":\"cfd35e64-53eb-11ef-8d1c-0242ac110005\"}],\"type_id\":0,\"email_addr\":\"Birdie@candle.edu\",\"ldap_person\":{},\"uid_alt\":\"protein clubs membership\"},\"group\":{\"name\":\"blessed operates rug\",\"uid\":\"cfd36e5e-53eb-11ef-9d98-0242ac110005\"},\"uid\":\"cfd374da-53eb-11ef-a5ba-0242ac110005\",\"cmd_line\":\"vaccine l vegetarian\",\"container\":{\"name\":\"matter venues paxil\",\"size\":3925402475,\"uid\":\"cfd37e94-53eb-11ef-b3b8-0242ac110005\",\"image\":{\"name\":\"troy when advertisers\",\"path\":\"knife aluminum connectivity\",\"uid\":\"cfd3879a-53eb-11ef-b5b2-0242ac110005\"},\"hash\":{\"value\":\"9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"pod_uuid\":\"examined\"},\"created_time\":1722945774094193,\"lineage\":[\"relationship closed gathered\",\"ment tu other\"],\"namespace_pid\":26,\"parent_process\":{\"name\":\"Pixel\",\"pid\":10,\"session\":{\"uid\":\"cfd3a202-53eb-11ef-8e19-0242ac110005\",\"issuer\":\"recognize lobby mon\",\"created_time\":1722945774095984,\"is_remote\":false},\"file\":{\"name\":\"jane.m4a\",\"type\":\"Folder\",\"path\":\"living marsh smilies/turner.mim/jane.m4a\",\"modifier\":{\"type\":\"System\",\"uid\":\"cfd3e9ec-53eb-11ef-a8dd-0242ac110005\",\"type_id\":3,\"uid_alt\":\"account qld kim\"},\"type_id\":2,\"parent_folder\":\"living marsh smilies/turner.mim\",\"confidentiality\":\"auburn\",\"confidentiality_id\":99,\"hashes\":[{\"value\":\"C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"modified_time\":1722945774096743,\"security_descriptor\":\"ticket vegas 
generates\",\"created_time_dt\":\"2024-08-06T12:02:54.096759Z\"},\"group\":{\"name\":\"bean learners accepting\",\"type\":\"dietary firms hotels\",\"uid\":\"cfd3fbe4-53eb-11ef-bdb1-0242ac110005\"},\"uid\":\"cfd40206-53eb-11ef-a429-0242ac110005\",\"cmd_line\":\"initiative step gathered\",\"container\":{\"name\":\"hundred central hrs\",\"size\":724491757,\"uid\":\"cfd40e22-53eb-11ef-afb2-0242ac110005\",\"image\":{\"name\":\"food qatar brain\",\"uid\":\"cfd41700-53eb-11ef-a54d-0242ac110005\"},\"hash\":{\"value\":\"1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"created_time\":1722945774097846,\"namespace_pid\":45,\"parent_process\":{\"name\":\"Yield\",\"pid\":82,\"file\":{\"name\":\"apartments.py\",\"size\":524979186,\"type\":\"Named Pipe\",\"path\":\"fig kelly companion/attorneys.com/apartments.py\",\"uid\":\"cfd42dd0-53eb-11ef-8dc9-0242ac110005\",\"type_id\":6,\"parent_folder\":\"fig kelly companion/attorneys.com\",\"hashes\":[{\"value\":\"EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"security_descriptor\":\"avoiding bear incoming\"},\"user\":{\"name\":\"Fatal\",\"type\":\"Unknown\",\"type_id\":0},\"group\":{\"name\":\"cam empirical path\",\"uid\":\"cfd43d52-53eb-11ef-8205-0242ac110005\"},\"uid\":\"cfd4436a-53eb-11ef-84cf-0242ac110005\",\"cmd_line\":\"pix potential mardi\",\"container\":{\"name\":\"kerry courier tony\",\"runtime\":\"ben dynamics vienna\",\"size\":3164331564,\"image\":{\"name\":\"celebrities sensitive manufacture\",\"tag\":\"staff ericsson duty\",\"path\":\"selling rocky 
projection\",\"uid\":\"cfd450d0-53eb-11ef-83f3-0242ac110005\",\"labels\":[\"healing\",\"avoiding\"]},\"hash\":{\"value\":\"A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"dui expansion focus\"},\"created_time\":1722945774099345,\"integrity\":\"g manner mambo\",\"namespace_pid\":96,\"parent_process\":{\"name\":\"Organ\",\"pid\":90,\"session\":{\"uid\":\"cfd469b2-53eb-11ef-8a8a-0242ac110005\",\"issuer\":\"lyric fujitsu timber\",\"created_time\":1722945774099934,\"is_remote\":true,\"created_time_dt\":\"2024-08-06T12:02:54.099943Z\",\"expiration_time_dt\":\"2024-08-06T12:02:54.099951Z\"},\"file\":{\"name\":\"mothers.com\",\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"wal quiz worker/skin.plugin/mothers.com\",\"type_id\":7,\"company_name\":\"Delora Edyth\",\"parent_folder\":\"wal quiz worker/skin.plugin\",\"hashes\":[{\"value\":\"02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}]},\"user\":{\"type\":\"Unknown\",\"uid\":\"cfd47e3e-53eb-11ef-a1ef-0242ac110005\",\"type_id\":0,\"full_name\":\"Thuy Kristin\"},\"group\":{\"type\":\"figured eyes microphone\",\"desc\":\"comparable likelihood jeep\",\"uid\":\"cfd48fb4-53eb-11ef-bbb9-0242ac110005\"},\"uid\":\"cfd495e0-53eb-11ef-b81b-0242ac110005\",\"cmd_line\":\"welding viewpicture sampling\",\"container\":{\"name\":\"iii accessories ddr\",\"size\":3779122986,\"uid\":\"cfd4a166-53eb-11ef-97e4-0242ac110005\",\"image\":{\"name\":\"beach omaha 
protest\",\"uid\":\"cfd4aa76-53eb-11ef-a970-0242ac110005\"},\"hash\":{\"value\":\"917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722945774101623,\"namespace_pid\":90,\"parent_process\":{\"name\":\"Arrange\",\"pid\":5,\"file\":{\"attributes\":76,\"name\":\"elizabeth.sln\",\"size\":1485425900,\"type\":\"Folder\",\"path\":\"kai surname approach/xp.wpd/elizabeth.sln\",\"desc\":\"member dogs ports\",\"type_id\":2,\"company_name\":\"Claudio Alejandra\",\"parent_folder\":\"kai surname approach/xp.wpd\",\"confidentiality\":\"says\",\"confidentiality_id\":99,\"created_time_dt\":\"2024-08-06T12:02:54.102808Z\"},\"user\":{\"name\":\"Night\",\"type\":\"Unknown\",\"type_id\":0,\"ldap_person\":{\"manager\":{\"name\":\"Merchandise\",\"type\":\"System\",\"uid\":\"cfd4ff76-53eb-11ef-9efb-0242ac110005\",\"org\":{\"name\":\"belief billion talented\",\"ou_name\":\"volkswagen africa respect\"},\"groups\":[{\"name\":\"pos constraints inkjet\",\"type\":\"stat tray charitable\"},{\"name\":\"yemen happiness theft\"}],\"type_id\":3,\"full_name\":\"Janiece Jon\",\"credential_uid\":\"cfd50fd4-53eb-11ef-83d7-0242ac110005\",\"ldap_person\":{\"surname\":\"cancelled present faced\",\"modified_time_dt\":\"2024-08-06T12:02:54.104306Z\"},\"uid_alt\":\"fraud answers loved\"},\"email_addrs\":[\"Sharonda@helena.name\",\"Caroline@consent.mil\"],\"hire_time\":1722945774104346,\"office_location\":\"ways statement ni\",\"surname\":\"cio evaluating bc\",\"last_login_time_dt\":\"2024-08-06T12:02:54.104363Z\"}},\"group\":{\"name\":\"majority scores surveillance\",\"desc\":\"bearing return gt\",\"uid\":\"cfd52f3c-53eb-11ef-bb53-0242ac110005\",\"privileges\":[\"kansas religions cgi\"]},\"uid\":\"cfd53608-53eb-11ef-92de-0242ac110005\",\"loaded_modules\":[\"/save/tt/places/ballet/exclusive.psd\",\"/administered/herbs/discrete/katie/rl.ttf\"],\"cmd_line\":\"visual dated alpha\",\"container\":{\"name\":\"footwear checkout 
march\",\"size\":1641826457,\"uid\":\"cfd542ec-53eb-11ef-be38-0242ac110005\",\"image\":{\"name\":\"concentrations deck created\",\"uid\":\"cfd54bf2-53eb-11ef-b477-0242ac110005\"},\"hash\":{\"value\":\"03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1722945774105758,\"integrity\":\"Unknown\",\"integrity_id\":0,\"lineage\":[\"length apr charm\",\"farm chaos overseas\"],\"namespace_pid\":33,\"sandbox\":\"mexican mixer g\",\"euid\":59,\"terminated_time_dt\":\"2024-08-06T12:02:54.105788Z\"},\"egid\":49,\"terminated_time_dt\":\"2024-08-06T12:02:54.105798Z\"},\"sandbox\":\"variance volleyball compile\"},\"auid\":38,\"terminated_time_dt\":\"2024-08-06T12:02:54.105811Z\"}},\"created_time_dt\":\"2024-08-06T12:02:54.105819Z\"},\"xattributes\":{},\"euid\":32},\"terminated_time\":1722945774105859,\"auid\":17},\"sandbox\":\"frequent dining arguments\",\"xattributes\":{},\"created_time_dt\":\"2024-08-06T12:02:54.105883Z\",\"terminated_time_dt\":\"2024-08-06T12:02:54.105888Z\"},\"euid\":93,\"terminated_time_dt\":\"2024-08-06T12:02:54.105894Z\"},\"user\":{\"name\":\"Ok\",\"type\":\"System\",\"domain\":\"rpm particular mae\",\"uid\":\"cfd57668-53eb-11ef-ad7f-0242ac110005\",\"groups\":[{\"name\":\"numbers nextel globe\",\"type\":\"debug carpet per\",\"domain\":\"indexed email mardi\",\"uid\":\"cfd58068-53eb-11ef-b081-0242ac110005\"},{\"name\":\"fitting personalized estimation\",\"uid\":\"cfd58ae0-53eb-11ef-850c-0242ac110005\"}],\"type_id\":3}},\"cloud\":{\"provider\":\"experimental mac seconds\",\"region\":\"debate population smithsonian\",\"zone\":\"raised expert baseball\"},\"database\":{\"name\":\"laden confidence arabic\",\"type\":\"Object Oriented\",\"uid\":\"cfcf8aaa-53eb-11ef-835d-0242ac110005\",\"type_id\":3,\"created_time_dt\":\"2024-08-06T12:02:54.068006Z\"},\"databucket\":{\"name\":\"facts drug laos\",\"type\":\"GCP 
Bucket\",\"type_id\":3},\"severity_id\":1,\"src_endpoint\":{\"port\":47139,\"type\":\"Laptop\",\"ip\":\"175.16.199.0\",\"hostname\":\"thank.coop\",\"uid\":\"cfcfee32-53eb-11ef-b8c3-0242ac110005\",\"type_id\":3,\"container\":{\"name\":\"detect drop hobbies\",\"size\":2933944469,\"tag\":\"together own republicans\",\"uid\":\"cfd0401c-53eb-11ef-b764-0242ac110005\",\"image\":{\"path\":\"constraint explosion ge\",\"uid\":\"cfd04b5c-53eb-11ef-a7db-0242ac110005\",\"labels\":[\"er\",\"distances\"]}},\"hw_info\":{\"cpu_count\":74,\"cpu_speed\":92},\"instance_uid\":\"cfd0555c-53eb-11ef-82ff-0242ac110005\",\"interface_uid\":\"cfd05bd8-53eb-11ef-864c-0242ac110005\",\"namespace_pid\":25,\"svc_name\":\"further compressed twisted\",\"vlan_uid\":\"cfd06344-53eb-11ef-9b92-0242ac110005\"},\"status_id\":2}", + "outcome": "failure", + "provider": "medal removing losses", + "severity": 1, + "type": [ + "info" + ] + }, + "file": { + "directory": "stock armstrong ie/bobby.m3u", + "hash": { + "md5": [ + "7B849A50DA92F39D6AF294B10E0B93F5" + ] + }, + "mtime": "2024-08-06T12:02:54.074Z", + "name": "senegal.dcr", + "path": "stock armstrong ie/bobby.m3u/senegal.dcr", + "type": "Folder" + }, + "message": "routing rosa speeds", + "network": { + "application": [ + "further compressed twisted" + ] + }, + "ocsf": { + "activity_id": "5", + "activity_name": "Write", + "actor": { + "process": { + "cmd_line": "associate directions partly", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": "99", + "value": "D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2" + }, + "image": { + "name": "number serial patients", + "uid": "cfd0bb46-53eb-11ef-b743-0242ac110005" + }, + "size": 2753478121, + "uid": "cfd0b25e-53eb-11ef-aab1-0242ac110005" + }, + "created_time": "2024-08-06T12:02:54.075Z", + "euid": "93", + "file": { + "confidentiality": "Top Secret", + "confidentiality_id": "4", + "creator": { + "domain": "dedicated smile macintosh", + "name": "Slight", + "type": "System", + 
"type_id": "3", + "uid": "cfd08748-53eb-11ef-8545-0242ac110005" + }, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43" + }, + { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "7B849A50DA92F39D6AF294B10E0B93F5" + } + ], + "modified_time_dt": "2024-08-06T12:02:54.074Z", + "name": "senegal.dcr", + "parent_folder": "stock armstrong ie/bobby.m3u", + "path": "stock armstrong ie/bobby.m3u/senegal.dcr", + "type": "Folder", + "type_id": "2" + }, + "group": { + "desc": "mime counsel uses", + "name": "desired administration quotations", + "uid": "cfd0a0f2-53eb-11ef-a02f-0242ac110005" + }, + "loaded_modules": [ + "/chronicle/initiated/hormone/surprise/corps.html", + "/allan/appearance/viruses/college/naughty.rom" + ], + "name": "Flashing", + "namespace_pid": 78, + "parent_process": { + "cmd_line": "hash unknown meters", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": "99", + "value": "48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294" + }, + "image": { + "name": "climbing quickly lonely", + "uid": "cfd10d12-53eb-11ef-8fcb-0242ac110005" + }, + "name": "gnome face decisions", + "size": 411217035, + "uid": "cfd10448-53eb-11ef-8948-0242ac110005" + }, + "created_time": "2024-08-06T12:02:54.077Z", + "created_time_dt": "2024-08-06T12:02:54.105Z", + "file": { + "attributes": 67, + "company_name": "Norberto Vena", + "confidentiality": "Secret", + "confidentiality_id": "3", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7" + } + ], + "name": "spirituality.mid", + "parent_folder": "analyzed election throws/composition.tax2020", + "path": "analyzed election throws/composition.tax2020/spirituality.mid", + "security_descriptor": "nor treasury uri", + "type": "Character Device", + "type_id": "3", + "uid": "cfd0d964-53eb-11ef-9f61-0242ac110005" + }, + "group": { + "domain": "detail blah 
motels", + "name": "adolescent antigua ui", + "uid": "cfd0fa70-53eb-11ef-9120-0242ac110005" + }, + "lineage": [ + "off disturbed bidding", + "validity requested without" + ], + "name": "Basin", + "namespace_pid": 60, + "parent_process": { + "auid": 17, + "cmd_line": "capabilities major outline", + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "32F556C7248E9893205497FAD5588B52A815C9A2008D165B36C015A90F534BFA" + }, + "image": { + "name": "objectives cooper expenses", + "tag": "flashers incurred visiting", + "uid": "cfd19f5c-53eb-11ef-b6a5-0242ac110005" + }, + "name": "ul primary rivers", + "size": 4147443008, + "uid": "cfd19624-53eb-11ef-b555-0242ac110005" + }, + "created_time": 1722945774081, + "file": { + "attributes": 46, + "company_name": "Christian Cinda", + "confidentiality": "promise", + "confidentiality_id": 99, + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "CE59D0F436DBA3BA0A6A76043041A5E787C3B835" + }, + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "5DC822DDEFF863F87504863C2926EFADEA58E6CC12C9913FBF94816997FDAA2115104F362F7481BCFA8296CDB2EF69ABFF1D22A64E0B6F5D7B8BB6BDF0485F77" + } + ], + "modified_time": 1722945774080, + "modifier": { + "full_name": "Etha Roy", + "groups": [ + { + "name": "wales indoor speaking", + "uid": "cfd160be-53eb-11ef-8f19-0242ac110005" + }, + { + "desc": "bathrooms transfers diego", + "name": "mongolia records suffer", + "uid": "cfd167da-53eb-11ef-b5a7-0242ac110005" + } + ], + "name": "Bang", + "org": { + "name": "snake dam rapidly", + "ou_name": "photo acrylic highway", + "uid": "cfd155ba-53eb-11ef-9ea1-0242ac110005" + }, + "type": "wicked", + "type_id": 99, + "uid": "cfd14d0e-53eb-11ef-8822-0242ac110005" + }, + "name": "invite.flv", + "parent_folder": "mobiles at hazards/feels.b", + "path": "mobiles at hazards/feels.b/invite.flv", + "product": { + "name": "executives dell bands", + "uid": "cfd14174-53eb-11ef-ad92-0242ac110005", + "url_string": "divx", + 
"vendor_name": "neighbor advise animal", + "version": "1.1.0" + }, + "security_descriptor": "allen mba skating", + "type": "Folder", + "type_id": 2, + "uid": "cfd16ece-53eb-11ef-92bb-0242ac110005" + }, + "group": { + "desc": "times substitute plasma", + "uid": "cfd17fa4-53eb-11ef-bb39-0242ac110005" + }, + "lineage": [ + "feed prozac starring" + ], + "loaded_modules": [ + "/hotels/stream/anchor/ted/ghost.zipx", + "/secure/proprietary/execute/medicine/hl.dwg" + ], + "name": "Zus", + "parent_process": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "A241B037A73C6DEFF4F66BAE284A4B2AEA05ACD3" + }, + "name": "travesti borough biggest", + "size": 3355225968, + "uid": "cfd201c2-53eb-11ef-86c9-0242ac110005" + }, + "created_time": 1722945774084, + "euid": 32, + "file": { + "confidentiality": "Secret", + "confidentiality_id": 3, + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "8D99573EF8E69D00FAE94C1020E9BCDEAB0B2381D11507174E58B253935B16A8391E07FE4DDCFBC6B4EE66C04EB617345B997605559139B9986AC27695ACE216" + } + ], + "modifier": { + "credential_uid": "cfd1bf00-53eb-11ef-9ae0-0242ac110005", + "name": "Drivers", + "type": "Admin", + "type_id": 2, + "uid": "cfd1b884-53eb-11ef-9e17-0242ac110005" + }, + "name": "shirts.pct", + "parent_folder": "reporters schools bermuda/investigations.apk", + "path": "reporters schools bermuda/investigations.apk/shirts.pct", + "type": "Folder", + "type_id": 2 + }, + "group": { + "domain": "jim presents tire", + "name": "easily strengthening concept", + "type": "claimed farms dressed", + "uid": "cfd1f0b0-53eb-11ef-a5b6-0242ac110005" + }, + "name": "Keep", + "namespace_pid": 63, + "parent_process": { + "cmd_line": "calibration signature temp", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "CEEA7A4A0C43E8765267E8AEF5F074E2D83C2B387ED111EB0F9E903BB79DFACD26A958A69404A2C9ACFC06C590DF12DFF79EAED625E9EE1BB25727BC3398F838" + }, + "image": { + "name": 
"pot pulse ser", + "path": "seat employers licenses", + "uid": "cfd2d638-53eb-11ef-a4c4-0242ac110005" + }, + "name": "begins magnetic inn", + "orchestrator": "essay brother facility", + "pod_uuid": "bachelor", + "size": 83122349, + "uid": "cfd2ca08-53eb-11ef-af87-0242ac110005" + }, + "created_time": 1722945774089, + "created_time_dt": "2024-08-06T12:02:54.105819Z", + "file": { + "creator": { + "ldap_person": { + "cost_center": "char immigration blue", + "employee_uid": "cfd269b4-53eb-11ef-862f-0242ac110005", + "hire_time_dt": "2024-08-06T12:02:54.086830Z", + "job_title": "tm payday needed", + "manager": { + "domain": "permission eu anonymous", + "name": "Arrangements", + "org": { + "name": "positioning sending donald", + "ou_name": "americans pee mixed", + "uid": "cfd261e4-53eb-11ef-8e64-0242ac110005" + }, + "type": "bunch", + "type_id": 99, + "uid": "cfd25802-53eb-11ef-bc5e-0242ac110005" + }, + "office_location": "hack maintains suit" + }, + "name": "Soa" + }, + "name": "cafe.fon", + "parent_folder": "microwave cir nails/gtk.dmg", + "path": "microwave cir nails/gtk.dmg/cafe.fon", + "security_descriptor": "hour rca writes", + "type": "Local Socket", + "type_id": 5, + "uid": "cfd23214-53eb-11ef-aaf5-0242ac110005" + }, + "group": { + "name": "income bridges uruguay", + "uid": "cfd2b96e-53eb-11ef-b3a0-0242ac110005" + }, + "integrity": "Protected", + "integrity_id": 6, + "loaded_modules": [ + "/counters/kentucky/proceeding/yo/norwegian.mp3", + "/indianapolis/sega/statutes/java/purple.bat" + ], + "name": "Acres", + "namespace_pid": 96, + "parent_process": { + "cmd_line": "vaccine l vegetarian", + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "9B88DFD0CFCEDCD1108BAC8D96F5E7576E8AA5EFEE6228DEE92628994C808FA83487125996422844E815E8321734322E728259C00D5FC302552A542C80FC26DE" + }, + "image": { + "name": "troy when advertisers", + "path": "knife aluminum connectivity", + "uid": "cfd3879a-53eb-11ef-b5b2-0242ac110005" + }, + "name": "matter 
venues paxil", + "pod_uuid": "examined", + "size": 3925402475, + "uid": "cfd37e94-53eb-11ef-b3b8-0242ac110005" + }, + "created_time": 1722945774094, + "file": { + "confidentiality": "Unknown", + "confidentiality_id": 0, + "created_time": 1722945774091, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "8C4977626121F73FAF30273CA0604C3B2C1207E04716722E66C667D788C6F874" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "A541714A17804AC281E6DDDA5B707952" + } + ], + "modified_time": 1722945774091, + "modifier": { + "groups": [ + { + "desc": "york yours falls", + "domain": "mostly third hats", + "name": "boat generate canadian", + "privileges": [ + "queries meyer wellness" + ], + "type": "breast brave sacramento", + "uid": "cfd317ec-53eb-11ef-b8c7-0242ac110005" + }, + { + "name": "considerations wants books", + "uid": "cfd31f1c-53eb-11ef-8b0c-0242ac110005" + } + ], + "name": "Romania", + "type": "Unknown", + "type_id": 0, + "uid": "cfd30dd8-53eb-11ef-a1d7-0242ac110005" + }, + "name": "fragrance.otf", + "owner": { + "email_addr": "Patrina@prototype.gov", + "ldap_person": { + "cost_center": "permits interact afternoon", + "deleted_time": 1722945774090, + "last_login_time_dt": "2024-08-06T12:02:54.090739Z", + "ldap_dn": "renaissance exhibition far", + "leave_time_dt": "2024-08-06T12:02:54.090731Z" + }, + "name": "Does", + "type": "Admin", + "type_id": 2, + "uid": "cfd2f1c2-53eb-11ef-9117-0242ac110005" + }, + "parent_folder": "thumbzilla sir drawings/clicking.ico", + "path": "thumbzilla sir drawings/clicking.ico/fragrance.otf", + "type": "Block Device", + "type_id": 4 + }, + "group": { + "name": "blessed operates rug", + "uid": "cfd36e5e-53eb-11ef-9d98-0242ac110005" + }, + "lineage": [ + "relationship closed gathered", + "ment tu other" + ], + "name": "Nationwide", + "namespace_pid": 26, + "parent_process": { + "auid": 38, + "cmd_line": "initiative step gathered", + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 
0, + "value": "1C89EFCEB73F4433865E95F1BF2AB892DA6B9AA1C0205D1A8087C101B7AF953BE2F34683E786B31F4344403F35885F4D105EF2E764F6D299E44E31D284DBD5E3" + }, + "image": { + "name": "food qatar brain", + "uid": "cfd41700-53eb-11ef-a54d-0242ac110005" + }, + "name": "hundred central hrs", + "size": 724491757, + "uid": "cfd40e22-53eb-11ef-afb2-0242ac110005" + }, + "created_time": 1722945774097, + "file": { + "confidentiality": "auburn", + "confidentiality_id": 99, + "created_time_dt": "2024-08-06T12:02:54.096759Z", + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "C6316326E7128B9D69A3C004DC06AF4240FCBE9CE2D36D76A6074A15DA9E1E5469C37D1BDEE8EB2EA2E4A0E20A366B43DB7C9529A7DFB7719025662F5B1B2868" + }, + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "9ED2837AE1C9BF010E3821339FB9B60585584E697B0670BC2E532228F4DD9251B11715FE20D50FF600E1ED5B5BBA4637AF874B0CC900680B7ECDACBAD07624FD" + } + ], + "modified_time": 1722945774096, + "modifier": { + "type": "System", + "type_id": 3, + "uid": "cfd3e9ec-53eb-11ef-a8dd-0242ac110005", + "uid_alt": "account qld kim" + }, + "name": "jane.m4a", + "parent_folder": "living marsh smilies/turner.mim", + "path": "living marsh smilies/turner.mim/jane.m4a", + "security_descriptor": "ticket vegas generates", + "type": "Folder", + "type_id": 2 + }, + "group": { + "name": "bean learners accepting", + "type": "dietary firms hotels", + "uid": "cfd3fbe4-53eb-11ef-bdb1-0242ac110005" + }, + "name": "Pixel", + "namespace_pid": 45, + "parent_process": { + "cmd_line": "pix potential mardi", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "A9DCE75FB9B7C3AD1CCBE9A3001619DE593186058F77799D91C1413A074FDE187FE7C8719F8A94FA0453F77D76EB8AF6CC9074BABB51EAFF5476F9D169C724A7" + }, + "image": { + "labels": [ + "healing", + "avoiding" + ], + "name": "celebrities sensitive manufacture", + "path": "selling rocky projection", + "tag": "staff ericsson duty", + "uid": 
"cfd450d0-53eb-11ef-83f3-0242ac110005" + }, + "name": "kerry courier tony", + "orchestrator": "dui expansion focus", + "runtime": "ben dynamics vienna", + "size": 3164331564 + }, + "created_time": 1722945774099, + "file": { + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "EBF49DCD836F810084C14E0F2DAB4DC1768BBDC5980481BF201FCF76771DFF7A" + }, + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "C2EB02DC35DC77D3373542631011FFD4C933AF5C6676646BAFB85126C8652AB679884C90C91E3109A28812D07AAC8C0DADDCF3DC7C86FAD4FBA91A1401900947" + } + ], + "name": "apartments.py", + "parent_folder": "fig kelly companion/attorneys.com", + "path": "fig kelly companion/attorneys.com/apartments.py", + "security_descriptor": "avoiding bear incoming", + "size": 524979186, + "type": "Named Pipe", + "type_id": 6, + "uid": "cfd42dd0-53eb-11ef-8dc9-0242ac110005" + }, + "group": { + "name": "cam empirical path", + "uid": "cfd43d52-53eb-11ef-8205-0242ac110005" + }, + "integrity": "g manner mambo", + "name": "Yield", + "namespace_pid": 96, + "parent_process": { + "cmd_line": "welding viewpicture sampling", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "917004FD903B196255A9B56D08246E5E9FC34E38BC01CADD52A3ADABEB309DA5" + }, + "image": { + "name": "beach omaha protest", + "uid": "cfd4aa76-53eb-11ef-a970-0242ac110005" + }, + "name": "iii accessories ddr", + "size": 3779122986, + "uid": "cfd4a166-53eb-11ef-97e4-0242ac110005" + }, + "created_time": 1722945774101, + "egid": 49, + "file": { + "company_name": "Delora Edyth", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "02799F801AA43966F78CC2C403CE6F0AB37F05D3AF823C0AEEDE58090A622F10470F614F19B68FE2CEFC4B1BEAFF7589FDF5E4DF0A47FF29700DA72C1E4A7966" + }, + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "805FAE387ABCC95FB8B74AD92202D2F367255E57291D4C54514FE11EB086C85E7B879FBC13E3405E1C6D5D663F69CD4F509A28B7F2BD0B7F57F71E31C52E2280" + } + ], + 
"name": "mothers.com", + "parent_folder": "wal quiz worker/skin.plugin", + "path": "wal quiz worker/skin.plugin/mothers.com", + "type": "Symbolic Link", + "type_id": 7, + "version": "1.1.0" + }, + "group": { + "desc": "comparable likelihood jeep", + "type": "figured eyes microphone", + "uid": "cfd48fb4-53eb-11ef-bbb9-0242ac110005" + }, + "name": "Organ", + "namespace_pid": 90, + "parent_process": { + "cmd_line": "visual dated alpha", + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "03C6D52314CF55EC4DFDAE665DC2100E56F08F7599D9B87FD76B0AF55FA44C4F3A7B4204C517E201F9326306ECC712A0CE46D93B7B4A03AAFDBDFAE7BD9A7471" + }, + "image": { + "name": "concentrations deck created", + "uid": "cfd54bf2-53eb-11ef-b477-0242ac110005" + }, + "name": "footwear checkout march", + "size": 1641826457, + "uid": "cfd542ec-53eb-11ef-be38-0242ac110005" + }, + "created_time": 1722945774105, + "euid": 59, + "file": { + "attributes": 76, + "company_name": "Claudio Alejandra", + "confidentiality": "says", + "confidentiality_id": 99, + "created_time_dt": "2024-08-06T12:02:54.102808Z", + "desc": "member dogs ports", + "name": "elizabeth.sln", + "parent_folder": "kai surname approach/xp.wpd", + "path": "kai surname approach/xp.wpd/elizabeth.sln", + "size": 1485425900, + "type": "Folder", + "type_id": 2 + }, + "group": { + "desc": "bearing return gt", + "name": "majority scores surveillance", + "privileges": [ + "kansas religions cgi" + ], + "uid": "cfd52f3c-53eb-11ef-bb53-0242ac110005" + }, + "integrity": "Unknown", + "integrity_id": 0, + "lineage": [ + "length apr charm", + "farm chaos overseas" + ], + "loaded_modules": [ + "/save/tt/places/ballet/exclusive.psd", + "/administered/herbs/discrete/katie/rl.ttf" + ], + "name": "Arrange", + "namespace_pid": 33, + "pid": 5, + "sandbox": "mexican mixer g", + "terminated_time_dt": "2024-08-06T12:02:54.105788Z", + "uid": "cfd53608-53eb-11ef-92de-0242ac110005", + "user": { + "ldap_person": { + "email_addrs": [ + 
"Sharonda@helena.name", + "Caroline@consent.mil" + ], + "hire_time": 1722945774104, + "last_login_time_dt": "2024-08-06T12:02:54.104363Z", + "manager": { + "credential_uid": "cfd50fd4-53eb-11ef-83d7-0242ac110005", + "full_name": "Janiece Jon", + "groups": [ + { + "name": "pos constraints inkjet", + "type": "stat tray charitable" + }, + { + "name": "yemen happiness theft" + } + ], + "ldap_person": { + "modified_time_dt": "2024-08-06T12:02:54.104306Z", + "surname": "cancelled present faced" + }, + "name": "Merchandise", + "org": { + "name": "belief billion talented", + "ou_name": "volkswagen africa respect" + }, + "type": "System", + "type_id": 3, + "uid": "cfd4ff76-53eb-11ef-9efb-0242ac110005", + "uid_alt": "fraud answers loved" + }, + "office_location": "ways statement ni", + "surname": "cio evaluating bc" + }, + "name": "Night", + "type": "Unknown", + "type_id": 0 + } + }, + "pid": 90, + "session": { + "created_time": 1722945774099, + "created_time_dt": "2024-08-06T12:02:54.099943Z", + "expiration_time_dt": "2024-08-06T12:02:54.099951Z", + "is_remote": true, + "issuer": "lyric fujitsu timber", + "uid": "cfd469b2-53eb-11ef-8a8a-0242ac110005" + }, + "terminated_time_dt": "2024-08-06T12:02:54.105798Z", + "uid": "cfd495e0-53eb-11ef-b81b-0242ac110005", + "user": { + "full_name": "Thuy Kristin", + "type": "Unknown", + "type_id": 0, + "uid": "cfd47e3e-53eb-11ef-a1ef-0242ac110005" + } + }, + "pid": 82, + "sandbox": "variance volleyball compile", + "uid": "cfd4436a-53eb-11ef-84cf-0242ac110005", + "user": { + "name": "Fatal", + "type": "Unknown", + "type_id": 0 + } + }, + "pid": 10, + "session": { + "created_time": 1722945774095, + "is_remote": false, + "issuer": "recognize lobby mon", + "uid": "cfd3a202-53eb-11ef-8e19-0242ac110005" + }, + "terminated_time_dt": "2024-08-06T12:02:54.105811Z", + "uid": "cfd40206-53eb-11ef-a429-0242ac110005" + }, + "pid": 28, + "uid": "cfd374da-53eb-11ef-a5ba-0242ac110005", + "user": { + "email_addr": "Birdie@candle.edu", + "groups": [ + { + 
"name": "ellis methods congratulations", + "privileges": [ + "deck version bathroom" + ], + "uid": "cfd3572a-53eb-11ef-8889-0242ac110005" + }, + { + "desc": "race pg usps", + "name": "proposed margin drug", + "uid": "cfd35e64-53eb-11ef-8d1c-0242ac110005" + } + ], + "name": "Semester", + "type": "Unknown", + "type_id": 0, + "uid": "cfd34d66-53eb-11ef-852b-0242ac110005", + "uid_alt": "protein clubs membership" + } + }, + "pid": 41, + "tid": 47, + "uid": "cfd2bf72-53eb-11ef-96ff-0242ac110005", + "user": { + "account": { + "name": "engage subscribe fireplace", + "type": "Unknown", + "type_id": 0, + "uid": "cfd298e4-53eb-11ef-9fc1-0242ac110005" + }, + "groups": [ + { + "name": "suppliers returns jewellery", + "uid": "cfd28336-53eb-11ef-a671-0242ac110005" + }, + { + "name": "archive honolulu restricted", + "uid": "cfd28a84-53eb-11ef-a27d-0242ac110005" + } + ], + "ldap_person": { + "last_login_time_dt": "2024-08-06T12:02:54.088552Z", + "leave_time_dt": "2024-08-06T12:02:54.088544Z", + "manager": { + "credential_uid": "cfd2ac3a-53eb-11ef-89b0-0242ac110005", + "domain": "sides sheet lt", + "email_addr": "Dodie@soundtrack.firm", + "name": "Lucia", + "uid": "cfd2a640-53eb-11ef-b33d-0242ac110005" + }, + "modified_time": 1722945774088 + }, + "name": "Defence", + "type": "Admin", + "type_id": 2, + "uid": "cfd27814-53eb-11ef-91f4-0242ac110005", + "uid_alt": "trustee tree normally" + } + }, + "pid": 75, + "tid": 93, + "uid": "cfd1f6b4-53eb-11ef-88fe-0242ac110005", + "user": { + "credential_uid": "cfd1e638-53eb-11ef-acdc-0242ac110005", + "email_addr": "Timika@starsmerchant.store", + "groups": [ + { + "domain": "rolled womens allowed", + "type": "multi extension th", + "uid": "cfd1de54-53eb-11ef-9548-0242ac110005" + }, + { + "name": "shorter hydrocodone obtaining", + "type": "jenny version diploma" + } + ], + "name": "Northeast", + "org": { + "name": "demo dressing bloggers", + "ou_name": "infection replace kingdom" + }, + "type": "Admin", + "type_id": 2, + "uid": 
"cfd1cbbc-53eb-11ef-86e4-0242ac110005", + "uid_alt": "jr participants illustration" + } + }, + "session": { + "created_time": 1722945774078, + "is_remote": false, + "issuer": "informal witnesses endif" + }, + "terminated_time": 1722945774105, + "tid": 63, + "uid": "cfd185c6-53eb-11ef-85ca-0242ac110005", + "user": { + "name": "Bernard", + "type": "Admin", + "type_id": 2, + "uid_alt": "denmark day sir" + } + }, + "pid": 63, + "sandbox": "frequent dining arguments", + "terminated_time_dt": "2024-08-06T12:02:54.105Z", + "user": { + "ldap_person": { + "created_time": 1722945774077, + "hire_time": 1722945774077, + "hire_time_dt": "2024-08-06T12:02:54.077132Z" + }, + "name": "Revisions", + "type": "Admin", + "type_id": "2" + } + }, + "pid": 98, + "terminated_time_dt": "2024-08-06T12:02:54.105Z", + "uid": "cfd0a73c-53eb-11ef-9622-0242ac110005", + "user": { + "name": "Contamination", + "type": "Admin", + "type_id": "2", + "uid": "cfd09666-53eb-11ef-9cc7-0242ac110005" + } + }, + "user": { + "domain": "rpm particular mae", + "groups": [ + { + "domain": "indexed email mardi", + "name": "numbers nextel globe", + "type": "debug carpet per", + "uid": "cfd58068-53eb-11ef-b081-0242ac110005" + }, + { + "name": "fitting personalized estimation", + "uid": "cfd58ae0-53eb-11ef-850c-0242ac110005" + } + ], + "name": "Ok", + "type": "System", + "type_id": "3", + "uid": "cfd57668-53eb-11ef-ad7f-0242ac110005" + } + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Datastore Activity", + "class_uid": "6005", + "cloud": { + "provider": "experimental mac seconds", + "region": "debate population smithsonian", + "zone": "raised expert baseball" + }, + "database": { + "created_time_dt": "2024-08-06T12:02:54.068006Z", + "name": "laden confidence arabic", + "type": "Object Oriented", + "type_id": 3, + "uid": "cfcf8aaa-53eb-11ef-835d-0242ac110005" + }, + "databucket": { + "name": "facts drug laos", + "type": "GCP Bucket", + "type_id": 3 + }, + "duration": 38, + 
"end_time_dt": "2024-08-06T12:02:54.073Z", + "message": "routing rosa speeds", + "metadata": { + "extensions": [ + { + "name": "importantly identifying causing", + "uid": "cfcfce02-53eb-11ef-a17b-0242ac110005", + "version": "1.1.0" + }, + { + "name": "feof nightlife dans", + "uid": "cfcfd5d2-53eb-11ef-acdf-0242ac110005", + "version": "1.1.0" + } + ], + "labels": [ + "dominant" + ], + "log_level": "consult supplements external", + "log_name": "ottawa triumph analysis", + "log_provider": "medal removing losses", + "original_time": "families batman star", + "product": { + "name": "nightlife joint talked", + "path": "roulette covered encryption", + "uid": "cfcfc1aa-53eb-11ef-80a9-0242ac110005", + "vendor_name": "rainbow league closure", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "cfcfde4c-53eb-11ef-9b9b-0242ac110005", + "version": "1.1.0" + }, + "severity": "Informational", + "severity_id": 1, + "src_endpoint": { + "container": { + "image": { + "labels": [ + "er", + "distances" + ], + "path": "constraint explosion ge", + "uid": "cfd04b5c-53eb-11ef-a7db-0242ac110005" + }, + "name": "detect drop hobbies", + "size": 2933944469, + "tag": "together own republicans", + "uid": "cfd0401c-53eb-11ef-b764-0242ac110005" + }, + "hostname": "thank.coop", + "hw_info": { + "cpu_count": 74, + "cpu_speed": 92 + }, + "instance_uid": "cfd0555c-53eb-11ef-82ff-0242ac110005", + "interface_uid": "cfd05bd8-53eb-11ef-864c-0242ac110005", + "ip": "175.16.199.0", + "namespace_pid": 25, + "port": 47139, + "svc_name": "further compressed twisted", + "type": "Laptop", + "type_id": 3, + "uid": "cfcfee32-53eb-11ef-b8c3-0242ac110005", + "vlan_uid": "cfd06344-53eb-11ef-9b92-0242ac110005" + }, + "status": "Failure", + "status_id": "2", + "time": "2024-08-06T12:02:54.073Z", + "type": "loc", + "type_id": 99, + "type_name": "Datastore Activity: Write", + 
"type_uid": "600505" + }, + "process": { + "command_line": "associate directions partly", + "end": "2024-08-06T12:02:54.105Z", + "entity_id": "cfd0a73c-53eb-11ef-9622-0242ac110005", + "group": { + "id": [ + "cfd0a0f2-53eb-11ef-a02f-0242ac110005" + ], + "name": "desired administration quotations" + }, + "name": "Flashing", + "parent": { + "command_line": "hash unknown meters", + "end": "2024-08-06T12:02:54.105Z", + "group": { + "id": [ + "cfd0fa70-53eb-11ef-9120-0242ac110005" + ], + "name": "adolescent antigua ui" + }, + "name": "Basin", + "pid": 63, + "start": "2024-08-06T12:02:54.077Z", + "user": { + "name": "Revisions" + } + }, + "pid": 98, + "start": "2024-08-06T12:02:54.075Z", + "user": { + "id": [ + "93", + "cfd09666-53eb-11ef-9cc7-0242ac110005" + ], + "name": "Contamination" + } + }, + "related": { + "hash": [ + "D908A0C6E33ABAEF5F1C8D9658E99DF9714CFF289FCE29B9DD5A362475554AF2", + "6AC2AD2B6F5A51A33103412CB1C13FA5FDB24737666758DD9FDD8402BB9D2A43", + "7B849A50DA92F39D6AF294B10E0B93F5", + "48324C16BF85398DE1219E9270E663A1CCB2438C617A716A5F0F8D44034D7294", + "8C8D9D64A77C351C6AAFF4C0EF9B436F904638B7" + ], + "hosts": [ + "thank.coop" + ], + "ip": [ + "175.16.199.0" + ], + "user": [ + "93", + "cfd09666-53eb-11ef-9cc7-0242ac110005", + "Contamination", + "cfd57668-53eb-11ef-ad7f-0242ac110005", + "Ok", + "Revisions", + "Slight", + "cfd08748-53eb-11ef-8545-0242ac110005" + ] + }, + "source": { + "domain": [ + "thank.coop" + ], + "ip": "175.16.199.0", + "port": 47139 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "dominant" + ], + "user": { + "domain": "rpm particular mae", + "group": { + "id": [ + "cfd58068-53eb-11ef-b081-0242ac110005", + "cfd58ae0-53eb-11ef-850c-0242ac110005" + ], + "name": [ + "numbers nextel globe", + "fitting personalized estimation" + ] + }, + "id": "cfd57668-53eb-11ef-ad7f-0242ac110005", + "name": "Ok" + } + }, + { + "@timestamp": "2024-08-08T09:20:23.724Z", + "data_stream": { + "dataset": 
"amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "cancelled", + "duration": 39000000, + "end": "2024-08-08T09:20:23.724Z", + "kind": "event", + "original": "{\"message\":\"fur stake pickup\",\"status\":\"Failure\",\"total\":87,\"time\":1723108823724670,\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"reward furniture awful\",\"version\":\"1.1.0\",\"uid\":\"70fa28aa-5567-11ef-9e8c-0242ac110005\"},\"product\":{\"name\":\"nintendo une exist\",\"version\":\"1.1.0\",\"uid\":\"70fa3656-5567-11ef-8ec3-0242ac110005\",\"url_string\":\"eq\",\"vendor_name\":\"investors viral conscious\"},\"labels\":[\"sage\"],\"profiles\":[],\"log_name\":\"form rising isolated\",\"log_provider\":\"commerce relatives qualify\",\"loggers\":[{\"name\":\"configure fetish advertise\",\"device\":{\"name\":\"scanners storage illinois\",\"type\":\"Laptop\",\"os\":{\"name\":\"bolt photographers oman\",\"type\":\"Windows\",\"build\":\"acne toolbox architectural\",\"type_id\":100,\"edition\":\"hired moscow antibodies\"},\"ip\":\"151.112.44.246\",\"desc\":\"bg falling her\",\"hostname\":\"transformation.mobi\",\"type_id\":3,\"subnet\":\"244.6.140.0/24\",\"instance_uid\":\"70fa8246-5567-11ef-93ce-0242ac110005\",\"interface_name\":\"bulletin keith reporters\",\"interface_uid\":\"70fa8c3c-5567-11ef-b329-0242ac110005\",\"is_trusted\":false,\"modified_time\":1723108823723078,\"region\":\"pm memorabilia penalty\",\"subnet_uid\":\"70fa532a-5567-11ef-b983-0242ac110005\",\"vlan_uid\":\"70fa5a0a-5567-11ef-a39d-0242ac110005\"},\"product\":{\"name\":\"april visit maximum\",\"version\":\"1.1.0\",\"uid\":\"70fa9c0e-5567-11ef-92a1-0242ac110005\",\"vendor_name\":\"equivalent all operating\"},\"uid\":\"70faa3ac-5567-11ef-9136-0242ac110005\",\"log_name\":\"thee mining your\",\"transmit_time\":1723108823724148},{\"name\":\"gallery prayers vcr\",\"product\":{\"name\":\"positioning tier 
electrical\",\"version\":\"1.1.0\",\"uid\":\"70faafd2-5567-11ef-9ce0-0242ac110005\",\"url_string\":\"english\",\"vendor_name\":\"reservation connection shell\"},\"log_name\":\"suggested blake pendant\",\"log_provider\":\"beautifully ae beauty\"}],\"original_time\":\"sheffield origins travesti\",\"tenant_uid\":\"70fab7d4-5567-11ef-9fcd-0242ac110005\"},\"scan\":{\"name\":\"cooperation edge magnificent\",\"type\":\"Unknown\",\"uid\":\"70fac396-5567-11ef-a8a3-0242ac110005\",\"type_id\":0},\"start_time\":1723108823725300,\"severity\":\"Unknown\",\"duration\":39,\"type_name\":\"Scan Activity: Cancelled\",\"activity_id\":3,\"type_uid\":600703,\"category_name\":\"Application Activity\",\"class_uid\":6007,\"category_uid\":6,\"class_name\":\"Scan Activity\",\"timezone_offset\":51,\"end_time\":1723108823724649,\"activity_name\":\"Cancelled\",\"command_uid\":\"70f9ff4c-5567-11ef-96d3-0242ac110005\",\"num_files\":85,\"num_network_items\":45,\"num_processes\":12,\"num_registry_items\":21,\"num_resolutions\":0,\"num_skipped_items\":80,\"num_trusted_items\":47,\"policy\":{\"name\":\"these wordpress cos\",\"version\":\"1.1.0\",\"uid\":\"70fad110-5567-11ef-a15f-0242ac110005\"},\"schedule_uid\":\"70f9f600-5567-11ef-9766-0242ac110005\",\"severity_id\":0,\"status_code\":\"shape\",\"status_id\":2}", + "outcome": "failure", + "provider": "commerce relatives qualify", + "severity": 0, + "start": "2024-08-08T09:20:23.725Z", + "type": [ + "info" + ] + }, + "message": "fur stake pickup", + "ocsf": { + "activity_id": "3", + "activity_name": "Cancelled", + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Scan Activity", + "class_uid": "6007", + "command_uid": "70f9ff4c-5567-11ef-96d3-0242ac110005", + "duration": 39, + "end_time": "2024-08-08T09:20:23.724Z", + "message": "fur stake pickup", + "metadata": { + "extension": { + "name": "reward furniture awful", + "uid": "70fa28aa-5567-11ef-9e8c-0242ac110005", + "version": "1.1.0" + }, + "labels": [ + "sage" + ], + 
"log_name": "form rising isolated", + "log_provider": "commerce relatives qualify", + "loggers": [ + { + "device": { + "desc": "bg falling her", + "hostname": "transformation.mobi", + "instance_uid": "70fa8246-5567-11ef-93ce-0242ac110005", + "interface_name": "bulletin keith reporters", + "interface_uid": "70fa8c3c-5567-11ef-b329-0242ac110005", + "ip": "151.112.44.246", + "is_trusted": false, + "modified_time": 1723108823723078, + "name": "scanners storage illinois", + "os": { + "build": "acne toolbox architectural", + "edition": "hired moscow antibodies", + "name": "bolt photographers oman", + "type": "Windows", + "type_id": 100 + }, + "region": "pm memorabilia penalty", + "subnet": "244.6.140.0/24", + "subnet_uid": "70fa532a-5567-11ef-b983-0242ac110005", + "type": "Laptop", + "type_id": 3, + "vlan_uid": "70fa5a0a-5567-11ef-a39d-0242ac110005" + }, + "log_name": "thee mining your", + "name": "configure fetish advertise", + "product": { + "name": "april visit maximum", + "uid": "70fa9c0e-5567-11ef-92a1-0242ac110005", + "vendor_name": "equivalent all operating", + "version": "1.1.0" + }, + "transmit_time": 1723108823724148, + "uid": "70faa3ac-5567-11ef-9136-0242ac110005" + }, + { + "log_name": "suggested blake pendant", + "log_provider": "beautifully ae beauty", + "name": "gallery prayers vcr", + "product": { + "name": "positioning tier electrical", + "uid": "70faafd2-5567-11ef-9ce0-0242ac110005", + "url_string": "english", + "vendor_name": "reservation connection shell", + "version": "1.1.0" + } + } + ], + "original_time": "sheffield origins travesti", + "product": { + "name": "nintendo une exist", + "uid": "70fa3656-5567-11ef-8ec3-0242ac110005", + "url_string": "eq", + "vendor_name": "investors viral conscious", + "version": "1.1.0" + }, + "tenant_uid": "70fab7d4-5567-11ef-9fcd-0242ac110005", + "version": "1.1.0" + }, + "num_files": 85, + "num_network_items": 45, + "num_processes": 12, + "num_registry_items": 21, + "num_resolutions": 0, + "num_skipped_items": 80, + 
"num_trusted_items": 47, + "policy": { + "name": "these wordpress cos", + "uid": "70fad110-5567-11ef-a15f-0242ac110005", + "version": "1.1.0" + }, + "scan": { + "name": "cooperation edge magnificent", + "type": "Unknown", + "type_id": 0, + "uid": "70fac396-5567-11ef-a8a3-0242ac110005" + }, + "schedule_uid": "70f9f600-5567-11ef-9766-0242ac110005", + "severity": "Unknown", + "severity_id": 0, + "start_time": "2024-08-08T09:20:23.725Z", + "status": "Failure", + "status_code": "shape", + "status_id": "2", + "time": "2024-08-08T09:20:23.724Z", + "timezone_offset": 51, + "total": 87, + "type_name": "Scan Activity: Cancelled", + "type_uid": "600703" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "sage" + ] + }, + { + "@timestamp": "2024-08-08T09:53:00.715Z", + "cloud": { + "account": { + "id": "ff6f370c-556b-11ef-a592-0242ac110005", + "name": "houston indexes puerto" + }, + "project": { + "id": "ff6f3f0e-556b-11ef-913f-0242ac110005" + }, + "provider": "greensboro gallery reporting", + "region": "consistency alert titten" + }, + "container": { + "id": "ff70a01a-556b-11ef-98b5-0242ac110005", + "image": { + "name": "stage trucks cw" + }, + "name": "front myself techniques" + }, + "data_stream": { + "dataset": "amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "started", + "duration": 0, + "end": "2024-08-08T09:53:00.712Z", + "id": "ff6f607e-556b-11ef-b5f9-0242ac110005", + "kind": "event", + "original": "{\"actor\":{\"process\":{\"name\":\"Lightweight\",\"pid\":12,\"file\":{\"attributes\":83,\"name\":\"hawk.wsf\",\"owner\":{\"name\":\"Illegal\",\"type\":\"System\",\"domain\":\"shade variety cooper\",\"uid\":\"ff702496-556b-11ef-9f4e-0242ac110005\",\"type_id\":3,\"account\":{\"type\":\"AWS Account\",\"uid\":\"ff702df6-556b-11ef-a8bb-0242ac110005\",\"type_id\":10},\"email_addr\":\"Erick@invision.edu\",\"uid_alt\":\"preceding psp 
cleared\"},\"type\":\"Character Device\",\"modifier\":{\"name\":\"Hottest\",\"type\":\"muscles\",\"uid\":\"ff70411a-556b-11ef-9a1e-0242ac110005\",\"type_id\":99,\"credential_uid\":\"ff7047d2-556b-11ef-966d-0242ac110005\"},\"desc\":\"playing motor literary\",\"type_id\":3,\"accessor\":{\"name\":\"Golf\",\"type\":\"died\",\"uid\":\"ff70655a-556b-11ef-b23a-0242ac110005\",\"type_id\":99},\"company_name\":\"Natalya Stormy\"},\"user\":{\"type\":\"brooklyn\",\"uid\":\"ff707266-556b-11ef-8dd3-0242ac110005\",\"org\":{\"name\":\"existence hypothetical audience\",\"uid\":\"ff707b3a-556b-11ef-989b-0242ac110005\",\"ou_name\":\"coupon tear compatibility\",\"ou_uid\":\"ff7082c4-556b-11ef-8273-0242ac110005\"},\"type_id\":99},\"group\":{\"uid\":\"ff708c1a-556b-11ef-bea6-0242ac110005\"},\"tid\":89,\"uid\":\"ff709200-556b-11ef-a0bf-0242ac110005\",\"cmd_line\":\"compression warner sapphire\",\"container\":{\"name\":\"front myself techniques\",\"size\":3673925967,\"uid\":\"ff70a01a-556b-11ef-98b5-0242ac110005\",\"image\":{\"name\":\"stage trucks cw\",\"uid\":\"ff70a8da-556b-11ef-9305-0242ac110005\"},\"hash\":{\"value\":\"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"created_time\":1723110780721040,\"parent_process\":{\"name\":\"Unlimited\",\"pid\":90,\"file\":{\"name\":\"vulnerability.cue\",\"type\":\"Local Socket\",\"path\":\"full jewellery adverse/hans.xml/vulnerability.cue\",\"uid\":\"ff70c5f4-556b-11ef-8001-0242ac110005\",\"type_id\":5,\"accessor\":{\"name\":\"Breakfast\",\"type\":\"Admin\",\"uid\":\"ff70d09e-556b-11ef-82b8-0242ac110005\",\"type_id\":2,\"full_name\":\"Cora Marchelle\",\"uid_alt\":\"lesbian dk media\"},\"creator\":{\"name\":\"Broker\",\"type\":\"juice\",\"uid\":\"ff70ec96-556b-11ef-a10b-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"develops til flu\",\"type\":\"AWS IAM 
Role\",\"uid\":\"ff70fb96-556b-11ef-b127-0242ac110005\",\"type_id\":4}},\"parent_folder\":\"full jewellery adverse/hans.xml\",\"hashes\":[{\"value\":\"88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"xattributes\":{}},\"user\":{\"name\":\"Skip\",\"type\":\"Admin\",\"uid\":\"ff710f1e-556b-11ef-bcc2-0242ac110005\",\"type_id\":2,\"uid_alt\":\"those facility genetic\"},\"group\":{\"name\":\"overseas avoiding attendance\",\"uid\":\"ff711932-556b-11ef-8a55-0242ac110005\",\"privileges\":[\"drop welsh munich\",\"developer strange beat\"]},\"uid\":\"ff71249a-556b-11ef-b2a4-0242ac110005\",\"cmd_line\":\"legally hacker please\",\"container\":{\"name\":\"ant elegant ana\",\"runtime\":\"routes peripheral operates\",\"size\":3971411004,\"uid\":\"ff712e7c-556b-11ef-b4ec-0242ac110005\",\"image\":{\"name\":\"shanghai listen subaru\",\"path\":\"toxic declaration intended\",\"uid\":\"ff7150be-556b-11ef-a7e8-0242ac110005\"},\"hash\":{\"value\":\"994BB86DD62F615473EE5D1D05C5A1D950D2F3C3\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723110780725334,\"lineage\":[\"viii define induced\",\"starsmerchant interest city\"],\"namespace_pid\":10,\"parent_process\":{\"name\":\"Legs\",\"pid\":65,\"file\":{\"attributes\":62,\"name\":\"figure.bin\",\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"type_id\":5,\"confidentiality\":\"outdoors archived regarding\",\"hashes\":[{\"value\":\"AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"modified_time\":1723110780725738,\"security_descriptor\":\"thesaurus stories 
skirts\",\"accessed_time_dt\":\"2024-08-08T09:53:00.725750Z\"},\"user\":{\"name\":\"Marvel\",\"type\":\"tunnel\",\"uid\":\"ff716e14-556b-11ef-9183-0242ac110005\",\"type_id\":99},\"group\":{\"name\":\"challenges photoshop want\",\"type\":\"spice shine latex\",\"uid\":\"ff717f9e-556b-11ef-beff-0242ac110005\"},\"tid\":45,\"uid\":\"ff71866a-556b-11ef-8d91-0242ac110005\",\"container\":{\"name\":\"richard amendments yorkshire\",\"size\":2733947088,\"uid\":\"ff7191fa-556b-11ef-b991-0242ac110005\",\"image\":{\"tag\":\"g tiffany advocacy\",\"path\":\"scoring skill rush\",\"uid\":\"ff719b1e-556b-11ef-8397-0242ac110005\"},\"hash\":{\"value\":\"8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}},\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":6,\"parent_process\":{\"name\":\"Liability\",\"pid\":12,\"file\":{\"name\":\"dress.pct\",\"type\":\"Symbolic Link\",\"path\":\"graphic easter hitting/celebration.xls/dress.pct\",\"product\":{\"name\":\"relation resulting pride\",\"version\":\"1.1.0\",\"uid\":\"ff71b45a-556b-11ef-aee8-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"conversation gamespot myself\"},\"type_id\":7,\"accessor\":{\"name\":\"Nashville\",\"type\":\"Admin\",\"uid\":\"ff71c616-556b-11ef-89f0-0242ac110005\",\"org\":{\"name\":\"steven harmony mediterranean\",\"uid\":\"ff71cea4-556b-11ef-80aa-0242ac110005\",\"ou_name\":\"beam transmit cook\"},\"type_id\":2,\"credential_uid\":\"ff71d5de-556b-11ef-bfb8-0242ac110005\"},\"parent_folder\":\"graphic easter hitting/celebration.xls\",\"hashes\":[{\"value\":\"C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}]},\"tid\":23,\"uid\":\"ff71e204-556b-11ef-b426-0242ac110005\",\"cmd_line\":\"sponsored contractor 
notion\",\"container\":{\"size\":1046580299,\"uid\":\"ff71eb82-556b-11ef-855e-0242ac110005\",\"hash\":{\"value\":\"175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1723110780729284,\"namespace_pid\":66,\"parent_process\":{\"name\":\"Believed\",\"pid\":12,\"file\":{\"attributes\":44,\"name\":\"autumn.mid\",\"size\":1791990748,\"type\":\"Symbolic Link\",\"path\":\"normally soviet packaging/acne.js/autumn.mid\",\"type_id\":7,\"mime_type\":\"foto/congo\",\"parent_folder\":\"normally soviet packaging/acne.js\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"accessed_time_dt\":\"2024-08-08T09:53:00.729741Z\"},\"user\":{\"name\":\"Aol\",\"type\":\"Admin\",\"uid\":\"ff7209d2-556b-11ef-859c-0242ac110005\",\"type_id\":2,\"email_addr\":\"Claudia@destroyed.museum\"},\"group\":{\"name\":\"rivers kde impaired\",\"uid\":\"ff7213f0-556b-11ef-afbe-0242ac110005\"},\"uid\":\"ff721b66-556b-11ef-a28e-0242ac110005\",\"loaded_modules\":[\"/ol/wr/trades/lucky/trusts.mp4\"],\"cmd_line\":\"cole playback contribute\",\"container\":{\"name\":\"blackjack example page\",\"size\":2950957499,\"tag\":\"lexmark sandwich determining\",\"uid\":\"ff72291c-556b-11ef-9cb3-0242ac110005\",\"image\":{\"name\":\"eight bow 
edges\",\"uid\":\"ff7231f0-556b-11ef-af8b-0242ac110005\",\"labels\":[\"builders\",\"guitars\"]},\"hash\":{\"value\":\"3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723110780731096,\"namespace_pid\":27,\"parent_process\":{\"name\":\"Raising\",\"pid\":88,\"file\":{\"attributes\":10,\"name\":\"spyware.dds\",\"type\":\"Block Device\",\"path\":\"protocol validity absence/luther.rm/spyware.dds\",\"type_id\":4,\"mime_type\":\"institute/ivory\",\"parent_folder\":\"protocol validity absence/luther.rm\",\"confidentiality\":\"torture lawn fuel\",\"hashes\":[{\"value\":\"298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"security_descriptor\":\"delta caution ncaa\"},\"user\":{\"name\":\"Ieee\",\"type\":\"Unknown\",\"domain\":\"numerical circuit charts\",\"type_id\":0},\"group\":{\"name\":\"damaged cumulative applicable\",\"domain\":\"highways phones introduces\"},\"uid\":\"ff72525c-556b-11ef-b49e-0242ac110005\",\"cmd_line\":\"donation gaps according\",\"container\":{\"name\":\"meant she least\",\"tag\":\"commented attitude magazines\",\"uid\":\"ff72b166-556b-11ef-af11-0242ac110005\",\"image\":{\"name\":\"justify greeting 
attorney\",\"uid\":\"ff72c4ee-556b-11ef-ae90-0242ac110005\"},\"hash\":{\"value\":\"23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723110780734859,\"namespace_pid\":56},\"auid\":91,\"euid\":25}},\"terminated_time_dt\":\"2024-08-08T09:53:00.734879Z\"},\"terminated_time\":1723110780734887,\"auid\":42,\"euid\":36},\"created_time_dt\":\"2024-08-08T09:53:00.734894Z\"},\"user\":{\"type\":\"Unknown\",\"uid\":\"ff72d2e0-556b-11ef-bbe1-0242ac110005\",\"type_id\":0,\"credential_uid\":\"ff72de20-556b-11ef-a522-0242ac110005\",\"uid_alt\":\"weights hobbies divorce\"},\"authorizations\":[{},{}]},\"activity_name\":\"Started\",\"num_detections\":89,\"start_time\":1723110780716472,\"policy\":{\"name\":\"katie producing webcast\",\"desc\":\"relevance lots trigger\",\"uid\":\"ff6ff8fe-556b-11ef-874e-0242ac110005\"},\"category_uid\":6,\"class_name\":\"Scan Activity\",\"num_skipped_items\":59,\"message\":\"tools motivated nightlife\",\"api\":{\"request\":{\"uid\":\"ff6fddec-556b-11ef-a2d3-0242ac110005\"},\"group\":{\"name\":\"dividend consistency definitely\",\"type\":\"posts vendors student\",\"uid\":\"ff6feb8e-556b-11ef-8cd0-0242ac110005\"},\"response\":{\"error\":\"headquarters viii accurately\",\"code\":96,\"data\":\"phenomenon\",\"message\":\"definitely existing colleges\",\"error_message\":\"unexpected amazon worm\"},\"operation\":\"cathedral participate wrapping\"},\"scan\":{\"name\":\"caribbean operate detected\",\"type\":\"Updated Content\",\"uid\":\"ff6fd18a-556b-11ef-887c-0242ac110005\",\"type_id\":3},\"severity_id\":6,\"time\":1723110780715169,\"type_name\":\"Scan Activity: Started\",\"num_files\":43,\"device\":{\"name\":\"cams witnesses summary\",\"type\":\"Unknown\",\"domain\":\"a licensed facility\",\"ip\":\"175.16.199.0\",\"location\":{\"desc\":\"Falkland Islands (Malvinas)\",\"city\":\"Messaging 
management\",\"country\":\"FK\",\"coordinates\":[170.507,-62.7832],\"continent\":\"South America\"},\"hostname\":\"active.jobs\",\"uid\":\"ff6f8cca-556b-11ef-9bc0-0242ac110005\",\"type_id\":0,\"subnet\":\"28.0.0.0/8\",\"container\":{\"name\":\"related understanding tricks\",\"size\":3329432332,\"uid\":\"ff6fafac-556b-11ef-9f24-0242ac110005\",\"image\":{\"name\":\"items discharge whale\",\"uid\":\"ff6fbc7c-556b-11ef-9149-0242ac110005\"},\"hash\":{\"value\":\"788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"interface_uid\":\"ff6fc604-556b-11ef-a921-0242ac110005\",\"last_seen_time\":1723110780713330,\"modified_time\":1723110780713347,\"namespace_pid\":13,\"region\":\"patricia link controversy\",\"risk_level\":\"ratios capable administrator\",\"uid_alt\":\"scientific addition power\",\"vpc_uid\":\"ff6f7bea-556b-11ef-99b2-0242ac110005\",\"zone\":\"districts fit connector\",\"modified_time_dt\":\"2024-08-08T09:53:00.713297Z\",\"first_seen_time_dt\":\"2024-08-08T09:53:00.713342Z\"},\"end_time\":1723110780712791,\"num_folders\":37,\"timezone_offset\":20,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"hospitality fabric loop\",\"version\":\"1.1.0\",\"uid\":\"ff6f5962-556b-11ef-9975-0242ac110005\",\"vendor_name\":\"hindu carlo achieve\"},\"uid\":\"ff6f607e-556b-11ef-b5f9-0242ac110005\",\"log_level\":\"entities staying supplemental\",\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"brother lord wyoming\",\"log_provider\":\"diana alternate finals\",\"original_time\":\"negotiations hardwood 
avg\",\"tenant_uid\":\"ff6f6844-556b-11ef-8efe-0242ac110005\",\"logged_time_dt\":\"2024-08-08T09:53:00.712767Z\"},\"duration\":0,\"command_uid\":\"ff6f480a-556b-11ef-93ac-0242ac110005\",\"status\":\"synthesis\",\"num_resolutions\":19,\"activity_id\":1,\"total\":63,\"num_processes\":41,\"num_network_items\":71,\"class_uid\":6007,\"cloud\":{\"org\":{\"name\":\"serving invest coating\",\"uid\":\"ff6f0be2-556b-11ef-9b41-0242ac110005\",\"ou_name\":\"caroline au dos\"},\"account\":{\"name\":\"houston indexes puerto\",\"type\":\"Apple Account\",\"uid\":\"ff6f370c-556b-11ef-a592-0242ac110005\",\"type_id\":8},\"project_uid\":\"ff6f3f0e-556b-11ef-913f-0242ac110005\",\"provider\":\"greensboro gallery reporting\",\"region\":\"consistency alert titten\"},\"type_uid\":600701,\"num_trusted_items\":36,\"severity\":\"Fatal\",\"category_name\":\"Application Activity\",\"status_id\":99}", + "provider": "diana alternate finals", + "severity": 6, + "start": "2024-08-08T09:53:00.716Z", + "type": [ + "info", + "start" + ] + }, + "file": { + "name": "hawk.wsf", + "owner": "Illegal", + "type": "Character Device", + "uid": "ff702496-556b-11ef-9f4e-0242ac110005" + }, + "host": { + "domain": "a licensed facility", + "geo": { + "city_name": "Messaging management", + "continent_name": "South America", + "country_iso_code": "FK", + "location": [ + 170.507, + -62.7832 + ], + "name": "Falkland Islands (Malvinas)" + }, + "hostname": "active.jobs", + "id": "ff6f8cca-556b-11ef-9bc0-0242ac110005", + "ip": [ + "175.16.199.0" + ], + "name": "cams witnesses summary", + "risk": { + "static_level": "ratios capable administrator" + }, + "type": "Unknown" + }, + "message": "tools motivated nightlife", + "ocsf": { + "activity_id": "1", + "activity_name": "Started", + "actor": { + "process": { + "cmd_line": "compression warner sapphire", + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": 
"892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B" + }, + "image": { + "name": "stage trucks cw", + "uid": "ff70a8da-556b-11ef-9305-0242ac110005" + }, + "name": "front myself techniques", + "size": 3673925967, + "uid": "ff70a01a-556b-11ef-98b5-0242ac110005" + }, + "created_time": "2024-08-08T09:53:00.721Z", + "created_time_dt": "2024-08-08T09:53:00.734Z", + "file": { + "accessor": { + "name": "Golf", + "type": "died", + "type_id": "99", + "uid": "ff70655a-556b-11ef-b23a-0242ac110005" + }, + "attributes": 83, + "company_name": "Natalya Stormy", + "desc": "playing motor literary", + "modifier": { + "credential_uid": "ff7047d2-556b-11ef-966d-0242ac110005", + "name": "Hottest", + "type": "muscles", + "type_id": "99", + "uid": "ff70411a-556b-11ef-9a1e-0242ac110005" + }, + "name": "hawk.wsf", + "owner": { + "account": { + "type": "AWS Account", + "type_id": "10", + "uid": "ff702df6-556b-11ef-a8bb-0242ac110005" + }, + "domain": "shade variety cooper", + "email_addr": "Erick@invision.edu", + "name": "Illegal", + "type": "System", + "type_id": "3", + "uid": "ff702496-556b-11ef-9f4e-0242ac110005", + "uid_alt": "preceding psp cleared" + }, + "type": "Character Device", + "type_id": "3" + }, + "group": { + "uid": "ff708c1a-556b-11ef-bea6-0242ac110005" + }, + "name": "Lightweight", + "parent_process": { + "auid": "42", + "cmd_line": "legally hacker please", + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "994BB86DD62F615473EE5D1D05C5A1D950D2F3C3" + }, + "image": { + "name": "shanghai listen subaru", + "path": "toxic declaration intended", + "uid": "ff7150be-556b-11ef-a7e8-0242ac110005" + }, + "name": "ant elegant ana", + "runtime": "routes peripheral operates", + "size": 3971411004, + "uid": "ff712e7c-556b-11ef-b4ec-0242ac110005" + }, + "created_time": "2024-08-08T09:53:00.725Z", + "euid": "36", + "file": { + "accessor": { + "full_name": "Cora Marchelle", + 
"name": "Breakfast", + "type": "Admin", + "type_id": "2", + "uid": "ff70d09e-556b-11ef-82b8-0242ac110005", + "uid_alt": "lesbian dk media" + }, + "creator": { + "account": { + "name": "develops til flu", + "type": "AWS IAM Role", + "type_id": "4", + "uid": "ff70fb96-556b-11ef-b127-0242ac110005" + }, + "name": "Broker", + "type": "juice", + "type_id": "99", + "uid": "ff70ec96-556b-11ef-a10b-0242ac110005" + }, + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7" + }, + { + "algorithm": "Unknown", + "algorithm_id": "0", + "value": "BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA" + } + ], + "name": "vulnerability.cue", + "parent_folder": "full jewellery adverse/hans.xml", + "path": "full jewellery adverse/hans.xml/vulnerability.cue", + "type": "Local Socket", + "type_id": "5", + "uid": "ff70c5f4-556b-11ef-8001-0242ac110005" + }, + "group": { + "name": "overseas avoiding attendance", + "privileges": [ + "drop welsh munich", + "developer strange beat" + ], + "uid": "ff711932-556b-11ef-8a55-0242ac110005" + }, + "lineage": [ + "viii define induced", + "starsmerchant interest city" + ], + "name": "Unlimited", + "namespace_pid": 10, + "parent_process": { + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "8A988DC6210B348668CFB0C69FFC40C3952920BEE33BEF02302FB1E486274CE8F56F324032A0BA2B9661E57022A3AF5C085E63028B71E4D30A36264236D98E83" + }, + "image": { + "path": "scoring skill rush", + "tag": "g tiffany advocacy", + "uid": "ff719b1e-556b-11ef-8397-0242ac110005" + }, + "name": "richard amendments yorkshire", + "size": 2733947088, + "uid": "ff7191fa-556b-11ef-b991-0242ac110005" + }, + "file": { + "accessed_time_dt": "2024-08-08T09:53:00.725750Z", + "attributes": 62, + "confidentiality": "outdoors archived regarding", + "hashes": [ + { + "algorithm": "SHA-512", + 
"algorithm_id": 4, + "value": "AD6A21629A7DEABC182FDEA82DF619F693860085A862A8BFEE71FCD9BBAB45669A480AD8EDB096D0EAF29092215C7A39197EAC015A32E6D5957442A640C8ACDE" + } + ], + "modified_time": 1723110780725, + "name": "figure.bin", + "security_descriptor": "thesaurus stories skirts", + "type": "Local Socket", + "type_id": 5, + "version": "1.1.0" + }, + "group": { + "name": "challenges photoshop want", + "type": "spice shine latex", + "uid": "ff717f9e-556b-11ef-beff-0242ac110005" + }, + "integrity": "System", + "integrity_id": 5, + "name": "Legs", + "namespace_pid": 6, + "parent_process": { + "cmd_line": "sponsored contractor notion", + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "175A141E2713D00975BC765F1C4FE4ECBC01D88B69A016EE442829C445B4EE2C4C0776FADB4939337B8D43C185078967BA4AC71DD1651A0ABA1143394106DE8A" + }, + "size": 1046580299, + "uid": "ff71eb82-556b-11ef-855e-0242ac110005" + }, + "created_time": 1723110780729, + "file": { + "accessor": { + "credential_uid": "ff71d5de-556b-11ef-bfb8-0242ac110005", + "name": "Nashville", + "org": { + "name": "steven harmony mediterranean", + "ou_name": "beam transmit cook", + "uid": "ff71cea4-556b-11ef-80aa-0242ac110005" + }, + "type": "Admin", + "type_id": 2, + "uid": "ff71c616-556b-11ef-89f0-0242ac110005" + }, + "hashes": [ + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "C597CBD53DDF5E7AA017A46E3D559E6DEE7AAB38151CD2B0116453D64744DCA63052DA0AC50DD2E29C8517583E688A23F85646ECB9E0746CCA1F447D33116333" + } + ], + "name": "dress.pct", + "parent_folder": "graphic easter hitting/celebration.xls", + "path": "graphic easter hitting/celebration.xls/dress.pct", + "product": { + "lang": "en", + "name": "relation resulting pride", + "uid": "ff71b45a-556b-11ef-aee8-0242ac110005", + "vendor_name": "conversation gamespot myself", + "version": "1.1.0" + }, + "type": "Symbolic Link", + "type_id": 7 + }, + "name": "Liability", + "namespace_pid": 66, + "parent_process": { + "auid": 91, + 
"cmd_line": "cole playback contribute", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "3D586550FC15946B6FC20EC2BB31B6CB2BF53F3AAD6565BC38B72776CE2784F7AD19E73C0313EA7A12AE3A664203FB3CE7759B22867BAEF1FD46FD0B20BB60F2" + }, + "image": { + "labels": [ + "builders", + "guitars" + ], + "name": "eight bow edges", + "uid": "ff7231f0-556b-11ef-af8b-0242ac110005" + }, + "name": "blackjack example page", + "size": 2950957499, + "tag": "lexmark sandwich determining", + "uid": "ff72291c-556b-11ef-9cb3-0242ac110005" + }, + "created_time": 1723110780731, + "euid": 25, + "file": { + "accessed_time_dt": "2024-08-08T09:53:00.729741Z", + "attributes": 44, + "confidentiality": "Unknown", + "confidentiality_id": 0, + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "0F9ABBECBDEC7BA8948C5C34A6D1A65712B51F4DA69A43F4A55845FC98133C5422097F2AED463CBC2CC6EFD07AC9F6A0493E263E0AEC4CA93045EAF86AAE1527" + }, + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "41D12DF274FFAEF654EA947446DD0211E338D2651D95805632E5353798F189E4" + } + ], + "mime_type": "foto/congo", + "name": "autumn.mid", + "parent_folder": "normally soviet packaging/acne.js", + "path": "normally soviet packaging/acne.js/autumn.mid", + "size": 1791990748, + "type": "Symbolic Link", + "type_id": 7 + }, + "group": { + "name": "rivers kde impaired", + "uid": "ff7213f0-556b-11ef-afbe-0242ac110005" + }, + "loaded_modules": [ + "/ol/wr/trades/lucky/trusts.mp4" + ], + "name": "Believed", + "namespace_pid": 27, + "parent_process": { + "cmd_line": "donation gaps according", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "23AF3E3302D598D92331ADF8D2CDAA30642018D52F7E585E7C485EEED310C245FF761DB9C3F08973E9C00DF8B86A3E7B8241E92C34A9C30EA27E1B302939F910" + }, + "image": { + "name": "justify greeting attorney", + "uid": "ff72c4ee-556b-11ef-ae90-0242ac110005" + }, + "name": "meant she least", + "tag": "commented attitude magazines", 
+ "uid": "ff72b166-556b-11ef-af11-0242ac110005" + }, + "created_time": 1723110780734, + "file": { + "attributes": 10, + "confidentiality": "torture lawn fuel", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "298388E81525736B459B8830EC555869E081200C11C67EFB7444F32DB67C39E4CBB72D5FDDB490B903D4435BA037DAB92B233C64B15D13C5E66D1461BF976D14" + }, + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "E1ACB66647F799D4BF5B74B3CECBB8400B1C392A7585421EC33809A31466BDB24362A4DF7E19777422B7C2665222458FC48C22B1BF26EA331DE6ECD557929101" + } + ], + "mime_type": "institute/ivory", + "name": "spyware.dds", + "parent_folder": "protocol validity absence/luther.rm", + "path": "protocol validity absence/luther.rm/spyware.dds", + "security_descriptor": "delta caution ncaa", + "type": "Block Device", + "type_id": 4 + }, + "group": { + "domain": "highways phones introduces", + "name": "damaged cumulative applicable" + }, + "name": "Raising", + "namespace_pid": 56, + "pid": 88, + "uid": "ff72525c-556b-11ef-b49e-0242ac110005", + "user": { + "domain": "numerical circuit charts", + "name": "Ieee", + "type": "Unknown", + "type_id": 0 + } + }, + "pid": 12, + "uid": "ff721b66-556b-11ef-a28e-0242ac110005", + "user": { + "email_addr": "Claudia@destroyed.museum", + "name": "Aol", + "type": "Admin", + "type_id": 2, + "uid": "ff7209d2-556b-11ef-859c-0242ac110005" + } + }, + "pid": 12, + "tid": 23, + "uid": "ff71e204-556b-11ef-b426-0242ac110005" + }, + "pid": 65, + "terminated_time_dt": "2024-08-08T09:53:00.734879Z", + "tid": 45, + "uid": "ff71866a-556b-11ef-8d91-0242ac110005", + "user": { + "name": "Marvel", + "type": "tunnel", + "type_id": 99, + "uid": "ff716e14-556b-11ef-9183-0242ac110005" + } + }, + "pid": 90, + "terminated_time": "2024-08-08T09:53:00.734Z", + "uid": "ff71249a-556b-11ef-b2a4-0242ac110005", + "user": { + "name": "Skip", + "type": "Admin", + "type_id": "2", + "uid": "ff710f1e-556b-11ef-bcc2-0242ac110005", + "uid_alt": "those facility genetic" + } + 
}, + "pid": 12, + "tid": 89, + "uid": "ff709200-556b-11ef-a0bf-0242ac110005", + "user": { + "org": { + "name": "existence hypothetical audience", + "ou_name": "coupon tear compatibility", + "ou_uid": "ff7082c4-556b-11ef-8273-0242ac110005", + "uid": "ff707b3a-556b-11ef-989b-0242ac110005" + }, + "type": "brooklyn", + "type_id": "99", + "uid": "ff707266-556b-11ef-8dd3-0242ac110005" + } + }, + "user": { + "credential_uid": "ff72de20-556b-11ef-a522-0242ac110005", + "type": "Unknown", + "type_id": "0", + "uid": "ff72d2e0-556b-11ef-bbe1-0242ac110005", + "uid_alt": "weights hobbies divorce" + } + }, + "api": { + "group": { + "name": "dividend consistency definitely", + "type": "posts vendors student", + "uid": "ff6feb8e-556b-11ef-8cd0-0242ac110005" + }, + "operation": "cathedral participate wrapping", + "request": { + "uid": "ff6fddec-556b-11ef-a2d3-0242ac110005" + }, + "response": { + "code": 96, + "data": "phenomenon", + "error": "headquarters viii accurately", + "error_message": "unexpected amazon worm", + "message": "definitely existing colleges" + } + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Scan Activity", + "class_uid": "6007", + "cloud": { + "account": { + "name": "houston indexes puerto", + "type": "Apple Account", + "type_id": "8", + "uid": "ff6f370c-556b-11ef-a592-0242ac110005" + }, + "org": { + "name": "serving invest coating", + "ou_name": "caroline au dos", + "uid": "ff6f0be2-556b-11ef-9b41-0242ac110005" + }, + "project_uid": "ff6f3f0e-556b-11ef-913f-0242ac110005", + "provider": "greensboro gallery reporting", + "region": "consistency alert titten" + }, + "command_uid": "ff6f480a-556b-11ef-93ac-0242ac110005", + "device": { + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "788AE8183287A6A47C315CEEA8BC503A5434CAAFAF93FB41C1AD3C75EF8238F2" + }, + "image": { + "name": "items discharge whale", + "uid": "ff6fbc7c-556b-11ef-9149-0242ac110005" + }, + "name": "related understanding 
tricks", + "size": 3329432332, + "uid": "ff6fafac-556b-11ef-9f24-0242ac110005" + }, + "domain": "a licensed facility", + "first_seen_time_dt": "2024-08-08T09:53:00.713Z", + "hostname": "active.jobs", + "interface_uid": "ff6fc604-556b-11ef-a921-0242ac110005", + "ip": "175.16.199.0", + "last_seen_time": "2024-08-08T09:53:00.713Z", + "location": { + "city": "Messaging management", + "continent": "South America", + "coordinates": [ + 170.507, + -62.7832 + ], + "country": "FK", + "desc": "Falkland Islands (Malvinas)" + }, + "modified_time": "2024-08-08T09:53:00.713Z", + "modified_time_dt": "2024-08-08T09:53:00.713Z", + "name": "cams witnesses summary", + "namespace_pid": 13, + "region": "patricia link controversy", + "risk_level": "ratios capable administrator", + "subnet": "28.0.0.0/8", + "type": "Unknown", + "type_id": "0", + "uid": "ff6f8cca-556b-11ef-9bc0-0242ac110005", + "uid_alt": "scientific addition power", + "vpc_uid": "ff6f7bea-556b-11ef-99b2-0242ac110005", + "zone": "districts fit connector" + }, + "duration": 0, + "end_time": "2024-08-08T09:53:00.712Z", + "message": "tools motivated nightlife", + "metadata": { + "log_level": "entities staying supplemental", + "log_name": "brother lord wyoming", + "log_provider": "diana alternate finals", + "logged_time_dt": "2024-08-08T09:53:00.712Z", + "original_time": "negotiations hardwood avg", + "product": { + "name": "hospitality fabric loop", + "uid": "ff6f5962-556b-11ef-9975-0242ac110005", + "vendor_name": "hindu carlo achieve", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "ff6f6844-556b-11ef-8efe-0242ac110005", + "uid": "ff6f607e-556b-11ef-b5f9-0242ac110005", + "version": "1.1.0" + }, + "num_detections": 89, + "num_files": 43, + "num_folders": 37, + "num_network_items": 71, + "num_processes": 41, + "num_resolutions": 19, + "num_skipped_items": 59, + 
"num_trusted_items": 36, + "policy": { + "desc": "relevance lots trigger", + "name": "katie producing webcast", + "uid": "ff6ff8fe-556b-11ef-874e-0242ac110005" + }, + "scan": { + "name": "caribbean operate detected", + "type": "Updated Content", + "type_id": 3, + "uid": "ff6fd18a-556b-11ef-887c-0242ac110005" + }, + "severity": "Fatal", + "severity_id": 6, + "start_time": "2024-08-08T09:53:00.716Z", + "status": "synthesis", + "status_id": "99", + "time": "2024-08-08T09:53:00.715Z", + "timezone_offset": 20, + "total": 63, + "type_name": "Scan Activity: Started", + "type_uid": "600701" + }, + "process": { + "command_line": "compression warner sapphire", + "entity_id": "ff709200-556b-11ef-a0bf-0242ac110005", + "group": { + "id": [ + "ff708c1a-556b-11ef-bea6-0242ac110005" + ] + }, + "name": "Lightweight", + "parent": { + "command_line": "legally hacker please", + "end": "2024-08-08T09:53:00.734Z", + "entity_id": "ff71249a-556b-11ef-b2a4-0242ac110005", + "group": { + "id": [ + "ff711932-556b-11ef-8a55-0242ac110005" + ], + "name": "overseas avoiding attendance" + }, + "name": "Unlimited", + "pid": 90, + "start": "2024-08-08T09:53:00.725Z", + "user": { + "id": [ + "36", + "ff710f1e-556b-11ef-bcc2-0242ac110005" + ], + "name": "Skip" + } + }, + "pid": 12, + "start": "2024-08-08T09:53:00.721Z", + "thread": { + "id": 89 + }, + "user": { + "id": [ + "ff707266-556b-11ef-8dd3-0242ac110005" + ] + } + }, + "related": { + "hash": [ + "892D74547E40E6FC23332CF6A88A2CAAC1D5BA6CF5201690F503FDE2B5717067D2C3B25EFEE63E1C5E5BCE1AF1F5A54076DCE0FDE9CDB56E3382C5F39AF3399B", + "994BB86DD62F615473EE5D1D05C5A1D950D2F3C3", + "88CB8A087B6E8CEBFC9AE5602F5A2159A6BCF923E7F2C56809BCDA6CAD1727A7", + "BFC7194DB6D123E245825AAF92C276855D32513520B471C67B94A62F46C8CBDB891CA09419FAD201F34F81C0CA0C72DCC1C4A68CFFFF5A7F0B629B35501E8EBA" + ], + "hosts": [ + "a licensed facility", + "active.jobs", + "cams witnesses summary" + ], + "ip": [ + "175.16.199.0" + ], + "user": [ + "Illegal", + 
"ff702496-556b-11ef-9f4e-0242ac110005", + "ff707266-556b-11ef-8dd3-0242ac110005", + "ff72d2e0-556b-11ef-bbe1-0242ac110005", + "Golf", + "ff70655a-556b-11ef-b23a-0242ac110005", + "36", + "ff710f1e-556b-11ef-bcc2-0242ac110005", + "Skip", + "lesbian dk media", + "Cora Marchelle", + "Breakfast", + "ff70d09e-556b-11ef-82b8-0242ac110005", + "Broker", + "ff70ec96-556b-11ef-a10b-0242ac110005", + "those facility genetic", + "Hottest", + "ff70411a-556b-11ef-9a1e-0242ac110005", + "preceding psp cleared", + "Erick@invision.edu", + "weights hobbies divorce" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "ff72d2e0-556b-11ef-bbe1-0242ac110005" + } + }, + { + "@timestamp": "2024-08-08T10:53:04.287Z", + "cloud": { + "provider": "diabetes gaps ag", + "region": "act ran entity" + }, + "container": { + "id": "63560cca-5574-11ef-8db7-0242ac110005", + "image": { + "hash": { + "all": [ + "sha1:10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1" + ] + }, + "name": "technician rogers federal", + "tag": [ + "pub flexible interface" + ] + }, + "labels": [ + "pants", + "firewall" + ], + "name": "slim rehabilitation nest" + }, + "data_stream": { + "dataset": "amazon_security_lake.application_activity", + "namespace": "default", + "type": "logs" + }, + "destination": { + "ip": "226.140.221.18", + "port": 55506 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "move", + "category": [ + "file" + ], + "code": "sessions", + "kind": "event", + "original": "{\"message\":\"epa stanley speech\",\"status\":\"Unknown\",\"time\":1723114384287674,\"file\":{\"name\":\"ate.cue\",\"type\":\"Folder\",\"version\":\"1.1.0\",\"path\":\"wiki optimization counter/prohibited.ai/ate.cue\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"advised chess egyptian\",\"issuer\":\"warning cute 
armor\",\"fingerprints\":[{\"value\":\"367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1723114384273661,\"expiration_time\":1723114384273675,\"serial_number\":\"qld undergraduate cowboy\",\"created_time_dt\":\"2024-08-08T10:53:04.273685Z\"},\"algorithm\":\"Unknown\",\"algorithm_id\":0,\"created_time\":1723114384273699},\"modifier\":{\"name\":\"Scenic\",\"type\":\"User\",\"uid\":\"63533b6c-5574-11ef-bfed-0242ac110005\",\"type_id\":1,\"account\":{\"name\":\"interactions minister lamps\",\"type\":\"Windows Account\",\"uid\":\"635347c4-5574-11ef-a25d-0242ac110005\",\"type_id\":2},\"credential_uid\":\"63534eea-5574-11ef-8a7c-0242ac110005\",\"ldap_person\":{\"created_time\":1723114384275284,\"email_addrs\":[\"Leonida@consoles.gov\"],\"given_name\":\"routines identical brunswick\",\"hire_time\":1723114384275320,\"job_title\":\"voted awareness pt\",\"modified_time\":1723114384275329,\"leave_time_dt\":\"2024-08-08T10:53:04.275331Z\"}},\"type_id\":2,\"parent_folder\":\"wiki optimization counter/prohibited.ai\",\"hashes\":[{\"value\":\"F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}]},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"cooling florist anna\",\"version\":\"1.1.0\",\"path\":\"avoid meeting appear\",\"uid\":\"63545eac-5574-11ef-8bb1-0242ac110005\",\"vendor_name\":\"buying fa 
joel\"},\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"correlation_uid\":\"635472c0-5574-11ef-8c5d-0242ac110005\",\"event_code\":\"sessions\",\"log_name\":\"standing band submission\",\"logged_time\":1723114384282107,\"original_time\":\"sum shipped decreased\"},\"severity\":\"Low\",\"type_name\":\"File Hosting Activity: Move\",\"activity_id\":7,\"type_uid\":600607,\"observables\":[{\"name\":\"affiliated fuji ralph\",\"type\":\"Hostname\",\"type_id\":1},{\"name\":\"sponsored fw illustrated\",\"type\":\"Hostname\",\"type_id\":1}],\"category_name\":\"Application Activity\",\"class_uid\":6006,\"category_uid\":6,\"class_name\":\"File Hosting Activity\",\"timezone_offset\":56,\"activity_name\":\"Move\",\"actor\":{\"process\":{\"name\":\"Eden\",\"pid\":95,\"file\":{\"attributes\":91,\"name\":\"physician.asf\",\"type\":\"Regular File\",\"path\":\"donors replied magazine/elder.accdb/physician.asf\",\"modifier\":{\"name\":\"Dimensional\",\"type\":\"System\",\"domain\":\"beneficial az attraction\",\"uid\":\"63556d6a-5574-11ef-ac26-0242ac110005\",\"type_id\":3,\"email_addr\":\"Lura@consolidated.mil\"},\"desc\":\"xp endif record\",\"type_id\":1,\"creator\":{\"name\":\"Resource\",\"type\":\"System\",\"uid\":\"6355ab18-5574-11ef-bc66-0242ac110005\",\"type_id\":3,\"full_name\":\"Melodee Norma\",\"email_addr\":\"Blaine@highlight.pro\"},\"mime_type\":\"incl/johnston\",\"parent_folder\":\"donors replied magazine/elder.accdb\",\"hashes\":[{\"value\":\"28E532D56B18548CC0B68A63311D2DCD2D258B2F\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"695BF60E03F83A36699AF46519E8E584\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"xattributes\":{}},\"user\":{\"type\":\"Unknown\",\"domain\":\"random john findlaw\",\"groups\":[{\"name\":\"rural legislature built\",\"type\":\"harm slovakia tone\",\"uid\":\"6355ca8a-5574-11ef-8efb-0242ac110005\",\"privileges\":[\"clearing transfer worthy\",\"jim 
pdas remind\"]},{\"domain\":\"seeing dynamics qualified\",\"uid\":\"6355d2aa-5574-11ef-8276-0242ac110005\"}],\"type_id\":0,\"full_name\":\"Alexander Helena\",\"credential_uid\":\"6355da02-5574-11ef-89ed-0242ac110005\",\"uid_alt\":\"providing arms servers\"},\"group\":{\"name\":\"manage livestock tribes\",\"domain\":\"problem choosing reform\",\"uid\":\"6355e5e2-5574-11ef-b983-0242ac110005\"},\"uid\":\"6355ece0-5574-11ef-9b58-0242ac110005\",\"loaded_modules\":[\"/sic/measurement/morrison/routing/classroom.class\",\"/projector/dare/dt/fancy/governance.wma\"],\"cmd_line\":\"syndication traveler charges\",\"container\":{\"name\":\"slim rehabilitation nest\",\"size\":2119671744,\"uid\":\"63560cca-5574-11ef-8db7-0242ac110005\",\"image\":{\"name\":\"technician rogers federal\",\"tag\":\"pub flexible interface\",\"uid\":\"63561756-5574-11ef-85d8-0242ac110005\",\"labels\":[\"pants\",\"firewall\"]},\"hash\":{\"value\":\"10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723114384292928,\"integrity\":\"cr darwin wearing\",\"namespace_pid\":27,\"parent_process\":{\"name\":\"Outreach\",\"pid\":24,\"session\":{\"uid\":\"63562c6e-5574-11ef-a07c-0242ac110005\",\"uuid\":\"635632b8-5574-11ef-8dc9-0242ac110005\",\"issuer\":\"watt ips cash\",\"created_time\":1723114384293568,\"expiration_time\":1723114384293578,\"is_remote\":false,\"expiration_time_dt\":\"2024-08-08T10:53:04.293582Z\"},\"file\":{\"attributes\":91,\"name\":\"engineers.png\",\"type\":\"Character Device\",\"path\":\"judgment entering hydrocodone/sharp.uue/engineers.png\",\"type_id\":3,\"accessor\":{\"type\":\"republican\",\"uid\":\"6356478a-5574-11ef-bd16-0242ac110005\",\"type_id\":99,\"email_addr\":\"Sunni@holders.jobs\"},\"parent_folder\":\"judgment entering hydrocodone/sharp.uue\"},\"user\":{\"type\":\"User\",\"domain\":\"shortly payments endorsement\",\"uid\":\"6356532e-5574-11ef-a4a6-0242ac110005\",\"type_id\":1,\"uid_alt\":\"mysql syria 
beaches\"},\"group\":{\"type\":\"savannah weapon canon\",\"desc\":\"rogers eco outlets\",\"uid\":\"63565dba-5574-11ef-80bf-0242ac110005\"},\"uid\":\"635663a0-5574-11ef-b2fa-0242ac110005\",\"cmd_line\":\"asks eight printed\",\"container\":{\"name\":\"te beginners geology\",\"size\":1467240565,\"uid\":\"63567160-5574-11ef-a13e-0242ac110005\",\"image\":{\"name\":\"abu collectables clinical\",\"uid\":\"63567a16-5574-11ef-8843-0242ac110005\"},\"hash\":{\"value\":\"D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}},\"created_time\":1723114384295435,\"integrity\":\"eternal reservation which\",\"namespace_pid\":73,\"parent_process\":{\"name\":\"Hung\",\"pid\":85,\"user\":{\"name\":\"Paint\",\"type\":\"creative\",\"uid\":\"63568cfe-5574-11ef-9336-0242ac110005\",\"type_id\":99,\"full_name\":\"Gussie Leila\",\"email_addr\":\"Claire@longitude.arpa\"},\"group\":{\"name\":\"prince enhance terrain\",\"desc\":\"dual yacht replace\",\"uid\":\"635698ac-5574-11ef-a457-0242ac110005\"},\"cmd_line\":\"tools aluminium combinations\",\"container\":{\"name\":\"diving invited scoring\",\"runtime\":\"louise demanding pontiac\",\"size\":3349958052,\"tag\":\"witness indicators oral\",\"uid\":\"6356a234-5574-11ef-a31f-0242ac110005\",\"image\":{\"name\":\"bag belief such\",\"uid\":\"6356aaae-5574-11ef-80e9-0242ac110005\",\"labels\":[\"memorabilia\",\"producers\"]},\"hash\":{\"value\":\"5EF93A057B5E36A7F6F0880E87F5CF4B\",\"algorithm\":\"MD5\",\"algorithm_id\":1},\"pod_uuid\":\"pp\"},\"created_time\":1723114384296685,\"namespace_pid\":42,\"parent_process\":{\"name\":\"Dead\",\"pid\":15,\"file\":{\"name\":\"creations.ico\",\"owner\":{\"name\":\"Answer\",\"uid\":\"6356c534-5574-11ef-9ab7-0242ac110005\",\"full_name\":\"Henry Tonja\"},\"type\":\"ti\",\"path\":\"defining inch factors/ist.mpa/creations.ico\",\"product\":{\"name\":\"amateur bristol 
cuba\",\"version\":\"1.1.0\",\"uid\":\"6356cfa2-5574-11ef-a798-0242ac110005\",\"vendor_name\":\"gentleman quit confirm\"},\"type_id\":99,\"parent_folder\":\"defining inch factors/ist.mpa\",\"created_time\":1723114384297596,\"hashes\":[{\"value\":\"0976ABA0D430405622A00981BC58C6F16D2A40F1\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"accessed_time_dt\":\"2024-08-08T10:53:04.297651Z\",\"created_time_dt\":\"2024-08-08T10:53:04.297659Z\"},\"user\":{\"name\":\"Theatre\",\"type\":\"Admin\",\"uid\":\"6356e906-5574-11ef-bcbc-0242ac110005\",\"type_id\":2},\"tid\":82,\"uid\":\"6356ef50-5574-11ef-9f3f-0242ac110005\",\"cmd_line\":\"capable homepage reject\",\"container\":{\"name\":\"slovenia anybody colors\",\"runtime\":\"organic worked yn\",\"size\":420397581,\"uid\":\"6356f91e-5574-11ef-ae76-0242ac110005\",\"image\":{\"name\":\"sao naked toddler\",\"uid\":\"635701a2-5574-11ef-bc46-0242ac110005\",\"labels\":[\"toolbox\",\"taught\"]},\"hash\":{\"value\":\"E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"pod_uuid\":\"arranged\"},\"created_time\":1723114384298907,\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":34,\"parent_process\":{\"name\":\"Whilst\",\"pid\":51,\"file\":{\"name\":\"sitting.bmp\",\"owner\":{\"name\":\"Excessive\",\"type\":\"System\",\"domain\":\"harmony served deadly\",\"uid\":\"63572f2e-5574-11ef-80bc-0242ac110005\",\"groups\":[{\"name\":\"recruiting member combine\",\"uid\":\"635738e8-5574-11ef-b1ba-0242ac110005\"}],\"type_id\":3,\"full_name\":\"Mistie Belkis\",\"account\":{\"type\":\"Mac OS Account\",\"uid\":\"6357423e-5574-11ef-bd28-0242ac110005\",\"type_id\":7}},\"type\":\"Local Socket\",\"path\":\"everything packaging 
fears/sat.crdownload/sitting.bmp\",\"uid\":\"635748e2-5574-11ef-9899-0242ac110005\",\"type_id\":5,\"creator\":{\"name\":\"Health\",\"type\":\"User\",\"domain\":\"cabinet satisfaction excitement\",\"uid\":\"635752c4-5574-11ef-9816-0242ac110005\",\"type_id\":1,\"full_name\":\"Lauralee Thomasine\",\"ldap_person\":{\"location\":{\"desc\":\"Serbia, Republic of\",\"city\":\"Princeton judy\",\"country\":\"RS\",\"coordinates\":[-170.2881,-62.2248],\"continent\":\"Europe\"},\"ldap_dn\":\"roy noticed vertical\",\"surname\":\"tract olympus editor\",\"created_time_dt\":\"2024-08-08T10:53:04.301134Z\"}},\"parent_folder\":\"everything packaging fears/sat.crdownload\",\"accessed_time\":1723114384301146,\"hashes\":[{\"value\":\"D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"is_system\":false,\"modified_time\":1723114384301182,\"xattributes\":{}},\"user\":{\"name\":\"Pavilion\",\"type\":\"Unknown\",\"uid\":\"63576804-5574-11ef-9ed9-0242ac110005\",\"type_id\":0,\"credential_uid\":\"63576e4e-5574-11ef-85ed-0242ac110005\"},\"group\":{\"name\":\"sale point solutions\",\"uid\":\"6357784e-5574-11ef-9c0c-0242ac110005\"},\"tid\":93,\"uid\":\"63577e16-5574-11ef-8086-0242ac110005\",\"cmd_line\":\"consists posters menus\",\"container\":{\"name\":\"loving revealed remarkable\",\"size\":2152153573,\"uid\":\"6357871c-5574-11ef-9b53-0242ac110005\",\"image\":{\"name\":\"lots time boolean\",\"uid\":\"63578f78-5574-11ef-83eb-0242ac110005\"},\"hash\":{\"value\":\"EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"orchestrator\":\"board luis adopted\"},\"created_time\":1723114384302534,\"parent_process\":{\"pid\":93,\"session\":{\"uid\":\"6357a396-5574-11ef-8ef4-0242ac110005\",\"issuer\":\"demonstration holmes 
california\",\"created_time\":1723114384303010,\"is_mfa\":true,\"is_remote\":false},\"file\":{\"name\":\"kerry.sdf\",\"type\":\"terrorist\",\"path\":\"pre memo parish/bibliographic.db/kerry.sdf\",\"product\":{\"name\":\"forum activists cancelled\",\"version\":\"1.1.0\",\"uid\":\"6357b6b0-5574-11ef-9715-0242ac110005\",\"cpe_name\":\"realty contributions melissa\",\"vendor_name\":\"actress mess enjoyed\"},\"modifier\":{\"name\":\"Criterion\",\"type\":\"System\",\"domain\":\"theology suzuki inn\",\"uid\":\"6357d28a-5574-11ef-b53e-0242ac110005\",\"groups\":[{\"name\":\"meanwhile vid contributed\"},{\"name\":\"difference white sensors\",\"type\":\"chef laos flat\",\"desc\":\"undertake carried ones\",\"uid\":\"6357dc9e-5574-11ef-a420-0242ac110005\"}],\"type_id\":3,\"account\":{\"name\":\"fans car enable\",\"type\":\"Linux Account\",\"type_id\":9},\"credential_uid\":\"6357e5f4-5574-11ef-8af6-0242ac110005\",\"uid_alt\":\"repair trains victim\"},\"type_id\":99,\"creator\":{\"name\":\"Filme\",\"type\":\"Unknown\",\"uid\":\"6357f01c-5574-11ef-9c74-0242ac110005\",\"type_id\":0},\"mime_type\":\"architecture/hall\",\"parent_folder\":\"pre memo parish/bibliographic.db\",\"hashes\":[{\"value\":\"35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"security_descriptor\":\"volvo workflow pros\"},\"group\":{\"name\":\"mad integrity assessment\",\"type\":\"glossary scotia pete\",\"uid\":\"63580af2-5574-11ef-88eb-0242ac110005\"},\"uid\":\"63581182-5574-11ef-aeb6-0242ac110005\",\"cmd_line\":\"mentor dust attending\",\"container\":{\"name\":\"drill modern difference\",\"size\":3636193350,\"uid\":\"63597a54-5574-11ef-acbb-0242ac110005\",\"image\":{\"name\":\"hanging assume 
mill\",\"uid\":\"63599c96-5574-11ef-8abe-0242ac110005\"},\"hash\":{\"value\":\"90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}},\"created_time\":1723114384316151,\"integrity\":\"delivering shaved mexico\",\"namespace_pid\":49,\"parent_process\":{\"name\":\"Ft\",\"pid\":85,\"file\":{\"name\":\"venice.pct\",\"type\":\"Character Device\",\"path\":\"proper unified cingular/outsourcing.cs/venice.pct\",\"product\":{\"version\":\"1.1.0\",\"vendor_name\":\"staying attachment med\"},\"desc\":\"advantage profit fall\",\"type_id\":3,\"accessor\":{\"name\":\"Arlington\",\"type\":\"Admin\",\"uid\":\"635a477c-5574-11ef-8dd3-0242ac110005\",\"type_id\":2,\"credential_uid\":\"635a4f2e-5574-11ef-b0c1-0242ac110005\"},\"parent_folder\":\"proper unified cingular/outsourcing.cs\",\"accessed_time\":1723114384320502,\"created_time\":1723114384320518,\"hashes\":[{\"value\":\"5B54C0A045F179BCBBBC9ABCB8B5CD4C\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91\",\"algorithm\":\"magic\",\"algorithm_id\":99}],\"modified_time_dt\":\"2024-08-08T10:53:04.320622Z\"},\"uid\":\"635a5c26-5574-11ef-8945-0242ac110005\",\"cmd_line\":\"cup rights charger\",\"container\":{\"name\":\"answers camera televisions\",\"size\":560452224,\"uid\":\"635a7206-5574-11ef-b9d6-0242ac110005\",\"image\":{\"uid\":\"635a8282-5574-11ef-8212-0242ac110005\"},\"hash\":{\"value\":\"FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}},\"created_time\":1723114384322300,\"namespace_pid\":14,\"parent_process\":{\"pid\":1,\"file\":{\"attributes\":8,\"name\":\"stop.rom\",\"size\":184463636,\"type\":\"Folder\",\"path\":\"qc stunning 
upcoming/freelance.b/stop.rom\",\"type_id\":2,\"creator\":{\"name\":\"Televisions\",\"type\":\"restaurant\",\"uid\":\"635ab20c-5574-11ef-8a49-0242ac110005\",\"type_id\":99,\"ldap_person\":{\"modified_time\":1723114384328321,\"created_time_dt\":\"2024-08-08T10:53:04.328333Z\"}},\"parent_folder\":\"qc stunning upcoming/freelance.b\",\"accessed_time\":1723114384328345,\"confidentiality\":\"dare assembly conflicts\",\"hashes\":[{\"value\":\"D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},{\"value\":\"A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"security_descriptor\":\"streets teacher movie\",\"accessed_time_dt\":\"2024-08-08T10:53:04.328434Z\",\"modified_time_dt\":\"2024-08-08T10:53:04.328440Z\"},\"user\":{\"name\":\"Fountain\",\"type\":\"Admin\",\"uid\":\"635b94ec-5574-11ef-90e7-0242ac110005\",\"type_id\":2},\"group\":{\"name\":\"lang drivers mood\",\"uid\":\"635baaf4-5574-11ef-8c3f-0242ac110005\"},\"uid\":\"635bb51c-5574-11ef-96c1-0242ac110005\",\"cmd_line\":\"assignment position expression\",\"container\":{\"name\":\"ink bio mileage\",\"runtime\":\"effort des lu\",\"size\":1841031275,\"uid\":\"635bd29a-5574-11ef-a523-0242ac110005\",\"image\":{\"name\":\"junction naval insulation\",\"tag\":\"watches wellington muscle\",\"uid\":\"635c0198-5574-11ef-ba77-0242ac110005\"},\"hash\":{\"value\":\"FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"pod_uuid\":\"nuclear\"},\"created_time\":1723114384332144,\"integrity\":\"Low\",\"integrity_id\":2,\"namespace_pid\":91,\"parent_process\":{\"name\":\"Surprise\",\"pid\":46,\"file\":{\"name\":\"settled.exe\",\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"path\":\"justin jm 
kenya/acknowledged.cgi/settled.exe\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"uid\":\"635c43c4-5574-11ef-a8eb-0242ac110005\",\"subject\":\"pets documentary mutual\",\"issuer\":\"rounds eds contests\",\"fingerprints\":[{\"value\":\"4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"created_time\":1723114384334572,\"expiration_time\":1723114384334590,\"serial_number\":\"anything repair rank\",\"expiration_time_dt\":\"2024-08-08T10:53:04.334601Z\"},\"algorithm\":\"ECDSA\",\"algorithm_id\":3,\"developer_uid\":\"635c7e16-5574-11ef-b814-0242ac110005\"},\"type_id\":5,\"accessor\":{\"name\":\"Contents\",\"type\":\"Unknown\",\"domain\":\"weighted organize jim\",\"uid\":\"635cc204-5574-11ef-85ce-0242ac110005\",\"type_id\":0},\"creator\":{\"name\":\"Heel\",\"type\":\"System\",\"uid\":\"635ce108-5574-11ef-b897-0242ac110005\",\"type_id\":3,\"account\":{\"name\":\"discs sure enclosed\",\"type\":\"AWS IAM Role\",\"uid\":\"635d0a66-5574-11ef-bcd7-0242ac110005\",\"type_id\":4},\"uid_alt\":\"rapidly specification instructional\"},\"parent_folder\":\"justin jm kenya/acknowledged.cgi\",\"created_time\":1723114384339821,\"hashes\":[{\"value\":\"E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},{\"value\":\"3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"modified_time\":1723114384340026,\"xattributes\":{},\"accessed_time_dt\":\"2024-08-08T10:53:04.340128Z\",\"created_time_dt\":\"2024-08-08T10:53:04.340139Z\"},\"user\":{\"type\":\"Unknown\",\"uid\":\"635d5bd8-5574-11ef-a7e3-0242ac110005\",\"type_id\":0,\"uid_alt\":\"charging build burning\"},\"group\":{\"name\":\"pendant alike 
china\",\"domain\":\"remove ix couple\",\"uid\":\"635d7852-5574-11ef-8eaa-0242ac110005\",\"privileges\":[\"verbal spokesman stuart\",\"audio mozambique mae\"]},\"uid\":\"635d7fa0-5574-11ef-9af0-0242ac110005\",\"loaded_modules\":[\"/desert/arch/conditional/mas/zinc.cgi\",\"/direct/appendix/stated/partition/awareness.gam\"],\"cmd_line\":\"masters treatments custody\",\"container\":{\"name\":\"ate worth powerpoint\",\"runtime\":\"society mem dependence\",\"size\":175725837,\"uid\":\"635d91e8-5574-11ef-bfc1-0242ac110005\",\"image\":{\"name\":\"bring president swap\",\"uid\":\"635dba88-5574-11ef-a7d2-0242ac110005\"},\"hash\":{\"value\":\"7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"network_driver\":\"crawford invitation pierce\",\"orchestrator\":\"differences lycos cut\"},\"created_time\":1723114384343050,\"namespace_pid\":17,\"parent_process\":{\"name\":\"During\",\"pid\":22,\"file\":{\"name\":\"earnings.otf\",\"owner\":{\"name\":\"Tissue\",\"type\":\"User\",\"uid\":\"635ddb94-5574-11ef-ab3f-0242ac110005\",\"org\":{\"name\":\"whom demand thereof\",\"ou_name\":\"weighted fundraising drainage\"},\"type_id\":1},\"type\":\"Regular File\",\"path\":\"commons employ nickel/humanity.swf/earnings.otf\",\"type_id\":1,\"company_name\":\"Abby Cyrus\",\"parent_folder\":\"commons employ nickel/humanity.swf\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"EE1150845FA3041CEB3A3FCDBE42D68A\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":false,\"security_descriptor\":\"correctly screenshots 
reached\",\"created_time_dt\":\"2024-08-08T10:53:04.344543Z\",\"modified_time_dt\":\"2024-08-08T10:53:04.344556Z\"},\"user\":{\"name\":\"Greenhouse\",\"uid\":\"635e09a2-5574-11ef-8b02-0242ac110005\",\"uid_alt\":\"nu tiny challenging\"},\"group\":{\"name\":\"function bought terrace\",\"desc\":\"oo phase relocation\",\"uid\":\"635e1960-5574-11ef-bc86-0242ac110005\"},\"uid\":\"635e1f5a-5574-11ef-aad7-0242ac110005\",\"cmd_line\":\"macedonia reid wanna\",\"container\":{\"name\":\"dry age their\",\"size\":1634165265,\"tag\":\"revised bytes swingers\",\"uid\":\"635e290a-5574-11ef-8290-0242ac110005\",\"image\":{\"tag\":\"developer characterized chelsea\",\"uid\":\"635e31d4-5574-11ef-8b11-0242ac110005\"},\"hash\":{\"value\":\"D5F2E5C77054C44C2C72A1B017DECA06FC637C99\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723114384346014,\"parent_process\":{\"name\":\"Door\",\"pid\":15,\"file\":{\"attributes\":27,\"name\":\"modification.php\",\"type\":\"Regular File\",\"path\":\"monkey refused genesis/pictures.cs/modification.php\",\"type_id\":1,\"parent_folder\":\"monkey refused genesis/pictures.cs\",\"confidentiality\":\"Not Confidential\",\"confidentiality_id\":1},\"user\":{\"name\":\"Roller\",\"type\":\"System\",\"uid\":\"635e6e38-5574-11ef-9132-0242ac110005\",\"type_id\":3},\"group\":{\"name\":\"dogs republic occurrence\",\"type\":\"headers brunei ontario\",\"uid\":\"635e79b4-5574-11ef-b9e2-0242ac110005\",\"privileges\":[\"later conversion foreign\",\"shadows phpbb ate\"]},\"uid\":\"635e817a-5574-11ef-850e-0242ac110005\",\"cmd_line\":\"rides vids label\",\"container\":{\"name\":\"car ericsson vary\",\"size\":2909077433,\"tag\":\"apparent philadelphia southern\",\"uid\":\"635eaa7e-5574-11ef-99fc-0242ac110005\",\"image\":{\"name\":\"carolina bio conversion\",\"uid\":\"635eb3a2-5574-11ef-8a60-0242ac110005\"},\"hash\":{\"value\":\"62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},\"orchestrator\":\"wto 
murray posted\",\"pod_uuid\":\"designed\"},\"created_time\":1723114384349350,\"integrity\":\"ag disagree anymore\",\"namespace_pid\":5,\"parent_process\":{\"name\":\"Lm\",\"pid\":58,\"file\":{\"name\":\"closing.3ds\",\"size\":2333859778,\"type\":\"Block Device\",\"path\":\"newsletter tulsa locale/wait.cab/closing.3ds\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"durham sitting hiv\",\"issuer\":\"eq designers loc\",\"fingerprints\":[{\"value\":\"B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"expiration_time\":1723114384349769,\"serial_number\":\"field geek theater\"},\"algorithm\":\"RSA\",\"algorithm_id\":2},\"uid\":\"635ed24c-5574-11ef-9b19-0242ac110005\",\"type_id\":4,\"mime_type\":\"radio/minolta\",\"parent_folder\":\"newsletter tulsa locale/wait.cab\",\"hashes\":[{\"value\":\"65BD10756687E64C347423BA3836F065\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"modified_time\":1723114384350131,\"security_descriptor\":\"went stick curious\",\"xattributes\":{}},\"user\":{\"name\":\"Gossip\",\"type\":\"System\",\"uid\":\"635ee0e8-5574-11ef-ac61-0242ac110005\",\"type_id\":3,\"credential_uid\":\"635ee75a-5574-11ef-ac0c-0242ac110005\"},\"group\":{\"name\":\"alcohol surprise http\",\"desc\":\"wales if adams\",\"uid\":\"635ef114-5574-11ef-8c2b-0242ac110005\"},\"uid\":\"635ef6dc-5574-11ef-a3ad-0242ac110005\",\"cmd_line\":\"statutes columnists commerce\",\"container\":{\"name\":\"thomson multi reliable\",\"size\":22516444,\"uid\":\"635f000a-5574-11ef-bd88-0242ac110005\",\"image\":{\"name\":\"procedures later 
palestinian\",\"uid\":\"635f0898-5574-11ef-a44a-0242ac110005\"},\"hash\":{\"value\":\"B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},\"orchestrator\":\"teens motion deaths\"},\"created_time\":1723114384351625,\"namespace_pid\":7,\"parent_process\":{\"name\":\"Gen\",\"pid\":86,\"file\":{\"name\":\"offered.avi\",\"type\":\"Folder\",\"path\":\"sports amp assess/explosion.sln/offered.avi\",\"type_id\":2,\"parent_folder\":\"sports amp assess/explosion.sln\",\"accessed_time\":1723114384352980,\"security_descriptor\":\"salmon sister tucson\"},\"user\":{\"name\":\"Rest\",\"type\":\"Unknown\",\"uid\":\"635f51c2-5574-11ef-bad8-0242ac110005\",\"type_id\":0},\"group\":{\"name\":\"produces consequence selling\",\"uid\":\"635f5d02-5574-11ef-be03-0242ac110005\",\"privileges\":[\"seasonal railroad already\"]},\"uid\":\"635f63d8-5574-11ef-8afe-0242ac110005\",\"cmd_line\":\"reflects champion naughty\",\"container\":{\"name\":\"inquire justice risks\",\"runtime\":\"fragrance instances sun\",\"size\":574926482,\"uid\":\"635f7e18-5574-11ef-84ec-0242ac110005\",\"image\":{\"name\":\"packs auction technical\",\"uid\":\"635f891c-5574-11ef-9147-0242ac110005\"}},\"created_time\":1723114384354756,\"integrity\":\"deutsche what indians\",\"lineage\":[\"lying advertisements renew\",\"buf prescribed puerto\"],\"namespace_pid\":80,\"parent_process\":{\"name\":\"Blogger\",\"pid\":77,\"user\":{\"name\":\"Lenses\",\"type\":\"dairy\",\"uid\":\"635f9c7c-5574-11ef-b4d1-0242ac110005\",\"type_id\":99,\"uid_alt\":\"penalty spray weight\"},\"uid\":\"635fa406-5574-11ef-809b-0242ac110005\",\"cmd_line\":\"information propecia md\",\"lineage\":[\"trees saving alias\",\"ssl september rack\"],\"namespace_pid\":50,\"parent_process\":{\"name\":\"Defense\",\"pid\":15,\"file\":{\"attributes\":31,\"name\":\"lotus.pkg\",\"type\":\"Local Socket\",\"path\":\"seem party 
existence/buried.3dm/lotus.pkg\",\"type_id\":5,\"parent_folder\":\"seem party existence/buried.3dm\",\"confidentiality\":\"belief hard romania\",\"created_time\":1723114384355919,\"hashes\":[{\"value\":\"921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},{\"value\":\"E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":true,\"accessed_time_dt\":\"2024-08-08T10:53:04.355980Z\"},\"user\":{\"name\":\"Blogs\",\"type\":\"novel\",\"uid\":\"635fca94-5574-11ef-82f0-0242ac110005\",\"groups\":[{\"type\":\"buyer spirit webcam\",\"uid\":\"635fd57a-5574-11ef-84bc-0242ac110005\"},{\"name\":\"cooperation meditation memo\",\"desc\":\"discretion fantastic tactics\",\"uid\":\"635fe13c-5574-11ef-85a3-0242ac110005\"}],\"type_id\":99,\"credential_uid\":\"635fe862-5574-11ef-ba0c-0242ac110005\",\"ldap_person\":{\"email_addrs\":[\"Kimberley@sip.int\"],\"leave_time\":1723114384357313,\"modified_time_dt\":\"2024-08-08T10:53:04.357320Z\"}},\"group\":{\"name\":\"care viii external\",\"type\":\"right crowd crops\",\"desc\":\"appointed opponent written\",\"uid\":\"635ff8a2-5574-11ef-af7e-0242ac110005\"},\"tid\":26,\"uid\":\"635ffed8-5574-11ef-b0fd-0242ac110005\",\"cmd_line\":\"gamecube forbes described\",\"container\":{\"name\":\"homes commonwealth recall\",\"size\":3538073681,\"uid\":\"63600950-5574-11ef-aae8-0242ac110005\",\"image\":{\"name\":\"jersey elected projector\",\"tag\":\"members breathing powers\",\"path\":\"trades mess wishlist\",\"uid\":\"6360136e-5574-11ef-8aec-0242ac110005\"}},\"created_time\":1723114384358291,\"integrity\":\"High\",\"integrity_id\":4,\"namespace_pid\":6,\"parent_process\":{\"pid\":31,\"file\":{\"name\":\"patches.tar\",\"type\":\"Unknown\",\"path\":\"throws additions 
myspace/jackets.b/patches.tar\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"donate tons media\",\"issuer\":\"italic hamburg judges\",\"fingerprints\":[{\"value\":\"F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1723114384358869,\"expiration_time\":1723114384358874,\"serial_number\":\"fell lab weddings\"},\"algorithm\":\"DSA\",\"algorithm_id\":1,\"developer_uid\":\"63603196-5574-11ef-ac47-0242ac110005\"},\"uid\":\"636040d2-5574-11ef-965c-0242ac110005\",\"type_id\":0,\"parent_folder\":\"throws additions myspace/jackets.b\",\"confidentiality\":\"Top Secret\",\"confidentiality_id\":4,\"hashes\":[{\"value\":\"04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"modified_time_dt\":\"2024-08-08T10:53:04.359528Z\"},\"group\":{\"name\":\"recommends pollution humans\",\"uid\":\"63604e4c-5574-11ef-9f32-0242ac110005\"},\"uid\":\"636054f0-5574-11ef-8588-0242ac110005\",\"cmd_line\":\"swingers centers burke\",\"container\":{\"name\":\"heather troubleshooting considerable\",\"size\":119356271,\"image\":{\"name\":\"listing hardwood defined\",\"uid\":\"636066de-5574-11ef-9bc9-0242ac110005\"},\"hash\":{\"value\":\"F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"australian future sponsor\"},\"created_time\":1723114384360489,\"lineage\":[\"seeds spouse noble\",\"lifestyle fault 
floors\"],\"namespace_pid\":18,\"parent_process\":{\"pid\":42,\"file\":{\"name\":\"implemented.rom\",\"type\":\"Unknown\",\"path\":\"calcium amateur harmony/ltd.toast/implemented.rom\",\"modifier\":{\"type\":\"Admin\",\"uid\":\"6360b08a-5574-11ef-ae8e-0242ac110005\",\"type_id\":2,\"ldap_person\":{\"location\":{\"desc\":\"Croatia, Republic of\",\"city\":\"Regulations technician\",\"country\":\"HR\",\"coordinates\":[-57.4552,63.8901],\"continent\":\"Europe\"},\"cost_center\":\"verify nut levels\",\"ldap_cn\":\"racing morgan volt\",\"ldap_dn\":\"census doors though\",\"modified_time_dt\":\"2024-08-08T10:53:04.363022Z\"}},\"type_id\":0,\"creator\":{\"name\":\"With\",\"type\":\"Unknown\",\"domain\":\"adjustment container harris\",\"uid\":\"6360d920-5574-11ef-a83a-0242ac110005\",\"type_id\":0,\"account\":{\"name\":\"europe eating mailing\",\"type\":\"Linux Account\",\"uid\":\"6360e442-5574-11ef-9167-0242ac110005\",\"type_id\":9}},\"parent_folder\":\"calcium amateur harmony/ltd.toast\",\"hashes\":[{\"value\":\"19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"modified_time_dt\":\"2024-08-08T10:53:04.363717Z\"},\"user\":{\"name\":\"Satisfaction\",\"type\":\"System\",\"uid\":\"6360f752-5574-11ef-a1db-0242ac110005\",\"type_id\":3,\"account\":{\"type\":\"LDAP Account\",\"uid\":\"636119d0-5574-11ef-a86d-0242ac110005\",\"type_id\":1},\"credential_uid\":\"6361204c-5574-11ef-8854-0242ac110005\"},\"group\":{\"name\":\"flags gang blow\",\"desc\":\"mistakes prediction toy\",\"uid\":\"63612c22-5574-11ef-800b-0242ac110005\",\"privileges\":[\"joining boots aw\",\"gang robust transport\"]},\"uid\":\"636132c6-5574-11ef-83af-0242ac110005\",\"cmd_line\":\"psp bush feet\",\"container\":{\"name\":\"obligation catalyst concentrations\",\"runtime\":\"tex strings 
mounted\",\"size\":1952448709,\"uid\":\"63613c44-5574-11ef-bd50-0242ac110005\",\"image\":{\"name\":\"rate ben fish\",\"uid\":\"63614568-5574-11ef-bf7a-0242ac110005\"},\"hash\":{\"value\":\"43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1723114384366178,\"namespace_pid\":17,\"parent_process\":{\"name\":\"Versions\",\"pid\":16,\"session\":{\"uid\":\"6361567a-5574-11ef-b26b-0242ac110005\",\"issuer\":\"level boc morrison\",\"created_time\":1723114384366575,\"credential_uid\":\"63615e22-5574-11ef-b196-0242ac110005\",\"is_remote\":false},\"file\":{\"name\":\"python.bin\",\"owner\":{\"name\":\"Yoga\",\"type\":\"Admin\",\"type_id\":2},\"type\":\"afghanistan\",\"path\":\"variable their precipitation/moving.sql/python.bin\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"x tide described\",\"issuer\":\"equations different edward\",\"fingerprints\":[{\"value\":\"90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1723114384368646,\"expiration_time\":1723114384368652,\"serial_number\":\"ultimate nervous george\"},\"algorithm\":\"Authenticode\",\"algorithm_id\":4},\"type_id\":99,\"accessor\":{\"name\":\"Jd\",\"type\":\"deviant\",\"domain\":\"elizabeth cheapest solution\",\"uid\":\"6361bec6-5574-11ef-81b5-0242ac110005\",\"type_id\":99},\"mime_type\":\"personnel/bids\",\"parent_folder\":\"variable their precipitation/moving.sql\",\"hashes\":[{\"value\":\"2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}]},\"user\":{\"name\":\"Spring\",\"type\":\"nu\",\"uid\":\"6361cccc-5574-11ef-994f-0242ac110005\",\"org\":{\"name\":\"watts desktop 
hong\",\"uid\":\"6361d546-5574-11ef-b2b3-0242ac110005\"},\"type_id\":99,\"account\":{\"name\":\"bd atom berkeley\",\"type\":\"Apple Account\",\"uid\":\"6361dec4-5574-11ef-80de-0242ac110005\",\"type_id\":8},\"email_addr\":\"Kristin@tion.net\"},\"group\":{\"name\":\"academics secondary simon\",\"uid\":\"6361ef22-5574-11ef-8892-0242ac110005\"},\"uid\":\"6361f634-5574-11ef-87d8-0242ac110005\",\"cmd_line\":\"distances participating maintenance\",\"container\":{\"name\":\"waste counties homepage\",\"size\":3565502421,\"uid\":\"63620160-5574-11ef-b37a-0242ac110005\",\"image\":{\"name\":\"apt lp screen\",\"path\":\"gulf brian arrow\",\"uid\":\"63620bec-5574-11ef-8f30-0242ac110005\"},\"network_driver\":\"ks field roger\",\"pod_uuid\":\"breathing\"},\"created_time\":1723114384371224,\"namespace_pid\":72,\"parent_process\":{\"name\":\"Definitely\",\"pid\":14,\"file\":{\"attributes\":39,\"name\":\"wing.crdownload\",\"type\":\"Folder\",\"path\":\"regularly drivers sacred/rational.fla/wing.crdownload\",\"product\":{\"name\":\"cr fat generators\",\"version\":\"1.1.0\",\"uid\":\"636288ba-5574-11ef-b671-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"conflicts feed receivers\"},\"type_id\":2,\"parent_folder\":\"regularly drivers sacred/rational.fla\",\"created_time\":1723114384374429,\"hashes\":[{\"value\":\"140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"E405FA83FE9CFE003B49FD852D4429D0EFF2F914\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"modified_time\":1723114384374497,\"xattributes\":{},\"created_time_dt\":\"2024-08-08T10:53:04.374525Z\"},\"user\":{\"name\":\"Influenced\",\"type\":\"User\",\"domain\":\"adding merit extend\",\"uid\":\"63629a58-5574-11ef-8c2b-0242ac110005\",\"type_id\":1,\"credential_uid\":\"6362a124-5574-11ef-a23f-0242ac110005\"},\"group\":{\"domain\":\"enterprises civil knowledge\",\"desc\":\"patch celebration 
lancaster\",\"uid\":\"6362ab10-5574-11ef-adda-0242ac110005\"},\"uid\":\"6362b0ec-5574-11ef-bb67-0242ac110005\",\"loaded_modules\":[\"/fri/tall/bit/rap/meyer.hqx\"],\"cmd_line\":\"railway filling consistent\",\"container\":{\"name\":\"calvin actor describe\",\"size\":1384069832,\"tag\":\"automobiles gratuit tower\",\"uid\":\"6362bb3c-5574-11ef-8a12-0242ac110005\",\"image\":{\"name\":\"pi churches es\",\"uid\":\"6362c56e-5574-11ef-8c25-0242ac110005\"},\"hash\":{\"value\":\"67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},\"orchestrator\":\"asking jerry namespace\"},\"created_time\":1723114384376016,\"integrity\":\"System\",\"integrity_id\":5,\"namespace_pid\":67,\"parent_process\":{\"name\":\"Animal\",\"pid\":95,\"file\":{\"attributes\":1,\"name\":\"tennessee.wsf\",\"type\":\"Folder\",\"path\":\"pennsylvania matthew somewhere/saw.dbf/tennessee.wsf\",\"uid\":\"6362dc0c-5574-11ef-b631-0242ac110005\",\"type_id\":2,\"creator\":{\"name\":\"Cognitive\",\"type\":\"User\",\"uid\":\"6362e6ac-5574-11ef-a13c-0242ac110005\",\"type_id\":1,\"email_addr\":\"Lorretta@components.nato\"},\"parent_folder\":\"pennsylvania matthew somewhere/saw.dbf\",\"hashes\":[{\"value\":\"1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434\",\"algorithm\":\"magic\",\"algorithm_id\":99}],\"is_system\":false,\"security_descriptor\":\"lcd elementary surround\"},\"user\":{\"name\":\"Guys\",\"type\":\"Unknown\",\"uid\":\"63630eca-5574-11ef-b29c-0242ac110005\",\"org\":{\"name\":\"mighty thou ff\",\"uid\":\"636317ee-5574-11ef-b39a-0242ac110005\",\"ou_name\":\"companies functions hockey\"},\"groups\":[{\"name\":\"hood powers merely\",\"domain\":\"parties entertainment lemon\",\"uid\":\"636321d0-5574-11ef-ae4b-0242ac110005\"},{\"name\":\"rise parcel 
bookmarks\",\"privileges\":[\"etc survey at\",\"cohen mails bio\"]}],\"type_id\":0,\"email_addr\":\"Classie@municipality.pro\"},\"group\":{\"name\":\"legislature normal lectures\",\"uid\":\"63632d38-5574-11ef-85c8-0242ac110005\"},\"uid\":\"63633300-5574-11ef-80ee-0242ac110005\",\"cmd_line\":\"magazines spin aaron\",\"container\":{\"name\":\"deputy mirror eagle\",\"size\":2004032787,\"tag\":\"magazine looking deemed\",\"uid\":\"63633e40-5574-11ef-9825-0242ac110005\",\"image\":{\"uid\":\"6363469c-5574-11ef-9299-0242ac110005\"},\"hash\":{\"value\":\"55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1723114384379317,\"namespace_pid\":66,\"parent_process\":{\"name\":\"Delight\",\"file\":{\"name\":\"plasma.3dm\",\"type\":\"Folder\",\"path\":\"important companion consultancy/wallpaper.drv/plasma.3dm\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"assuming remarks brass\",\"issuer\":\"sheet registry concord\",\"fingerprints\":[{\"value\":\"EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1723114384380115,\"expiration_time\":1723114384380123,\"serial_number\":\"provinces medicine it\"},\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"type_id\":2,\"parent_folder\":\"important companion 
consultancy/wallpaper.drv\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}]},\"user\":{\"name\":\"Focused\",\"type\":\"Admin\",\"type_id\":2,\"email_addr\":\"Numbers@si.coop\",\"uid_alt\":\"biggest stupid linking\"},\"group\":{\"name\":\"jar transparency sing\",\"privileges\":[\"costs anthropology nickname\",\"nbc dns flex\"]},\"tid\":66,\"uid\":\"63637afe-5574-11ef-b99b-0242ac110005\",\"cmd_line\":\"felt essay relax\",\"container\":{\"name\":\"contain accepted gba\",\"runtime\":\"admin hammer variance\",\"tag\":\"geographical registered suspension\",\"uid\":\"63638544-5574-11ef-bbd6-0242ac110005\",\"image\":{\"name\":\"exist acceptance britney\",\"uid\":\"63638df0-5574-11ef-8d90-0242ac110005\"},\"hash\":{\"value\":\"83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A\",\"algorithm\":\"magic\",\"algorithm_id\":99},\"network_driver\":\"shops congratulations variance\"},\"created_time\":1723114384381145,\"integrity\":\"Protected\",\"integrity_id\":6,\"namespace_pid\":1,\"parent_process\":{\"pid\":44,\"file\":{\"attributes\":2,\"name\":\"fits.cfm\",\"type\":\"Symbolic Link\",\"path\":\"watts leave ukraine/ringtones.rtf/fits.cfm\",\"type_id\":7,\"parent_folder\":\"watts leave ukraine/ringtones.rtf\",\"confidentiality\":\"Confidential\",\"confidentiality_id\":2,\"hashes\":[{\"value\":\"B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"is_system\":true,\"security_descriptor\":\"selling dt 
few\",\"accessed_time_dt\":\"2024-08-08T10:53:04.381694Z\",\"created_time_dt\":\"2024-08-08T10:53:04.381707Z\"},\"user\":{\"name\":\"Edgar\",\"uid\":\"6363b992-5574-11ef-9143-0242ac110005\",\"ldap_person\":{\"email_addrs\":[\"Mariann@routine.net\"],\"job_title\":\"alto languages tanks\",\"deleted_time_dt\":\"2024-08-08T10:53:04.382339Z\"}},\"group\":{\"name\":\"thinking offices worcester\",\"uid\":\"6363ca0e-5574-11ef-837d-0242ac110005\",\"privileges\":[\"ingredients pins connector\"]},\"uid\":\"6363d120-5574-11ef-b647-0242ac110005\",\"cmd_line\":\"effects day pocket\",\"container\":{\"name\":\"astronomy routing grocery\",\"size\":2306842201,\"tag\":\"exchange timber candles\",\"uid\":\"6363dbde-5574-11ef-a3c5-0242ac110005\",\"image\":{\"name\":\"errors request zdnet\",\"uid\":\"6363e57a-5574-11ef-8bf7-0242ac110005\"},\"hash\":{\"value\":\"237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"viral lindsay intellectual\"},\"created_time\":1723114384383389,\"namespace_pid\":39,\"parent_process\":{\"name\":\"Vessels\",\"pid\":73,\"file\":{\"name\":\"photo.gadget\",\"owner\":{\"name\":\"Priorities\",\"type\":\"uploaded\",\"uid\":\"63640244-5574-11ef-864e-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"charles verification grave\",\"type\":\"Unknown\",\"uid\":\"63640bea-5574-11ef-881a-0242ac110005\",\"type_id\":0}},\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"alter checked emperor/toner.htm/photo.gadget\",\"type_id\":7,\"parent_folder\":\"alter checked emperor/toner.htm\",\"confidentiality\":\"Not 
Confidential\",\"confidentiality_id\":1,\"created_time\":1723114384384361,\"hashes\":[{\"value\":\"DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}]},\"user\":{\"type\":\"carmen\",\"uid\":\"63641a22-5574-11ef-8919-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"reef terrorist graduation\",\"type\":\"AWS Account\",\"uid\":\"636423be-5574-11ef-8304-0242ac110005\",\"type_id\":10},\"email_addr\":\"Lauryn@reliance.travel\"},\"cmd_line\":\"lung mega nn\",\"container\":{\"name\":\"texas comments creator\",\"size\":639972788,\"uid\":\"63642e36-5574-11ef-aac4-0242ac110005\",\"hash\":{\"value\":\"1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"orchestrator\":\"preview contractors helps\"},\"created_time\":1723114384385246,\"namespace_pid\":8,\"parent_process\":{\"name\":\"Scott\",\"pid\":56,\"file\":{\"name\":\"ba.3ds\",\"type\":\"Block Device\",\"path\":\"diagnosis angeles portsmouth/travels.mpa/ba.3ds\",\"type_id\":4,\"parent_folder\":\"diagnosis angeles portsmouth/travels.mpa\",\"accessed_time\":1723114384386177,\"created_time\":1723114384386185,\"hashes\":[{\"value\":\"50D299D6D7966A2DC1E0CF7FEB739E33\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time_dt\":\"2024-08-08T10:53:04.386239Z\"},\"user\":{\"name\":\"Kit\",\"type\":\"Admin\",\"domain\":\"amendment spot sudan\",\"type_id\":2},\"group\":{\"name\":\"passed rankings 
affects\",\"uid\":\"63646496-5574-11ef-bfc5-0242ac110005\"},\"uid\":\"63646b44-5574-11ef-a77a-0242ac110005\",\"cmd_line\":\"notre cameras draw\",\"container\":{\"name\":\"katrina commonly sweet\",\"uid\":\"636474e0-5574-11ef-bca8-0242ac110005\",\"image\":{\"name\":\"advertisement metabolism bound\",\"tag\":\"parent prostores taste\",\"path\":\"advantage bm record\",\"uid\":\"63647df0-5574-11ef-b02b-0242ac110005\"},\"hash\":{\"value\":\"36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"orchestrator\":\"child railroad thehun\"},\"created_time\":1723114384387286,\"namespace_pid\":4,\"parent_process\":{\"name\":\"Burning\",\"pid\":34,\"session\":{\"issuer\":\"mounts burns budgets\",\"created_time\":1723114384387484,\"is_remote\":true,\"is_vpn\":true},\"file\":{\"attributes\":97,\"name\":\"employment.wma\",\"owner\":{\"name\":\"Nov\",\"type\":\"User\",\"uid\":\"6364960a-5574-11ef-ad32-0242ac110005\",\"org\":{\"name\":\"arrive protecting fy\",\"uid\":\"6364a60e-5574-11ef-aaf1-0242ac110005\",\"ou_name\":\"cat saints infringement\",\"ou_uid\":\"6364acb2-5574-11ef-b1ce-0242ac110005\"},\"groups\":[{\"name\":\"head state rubber\",\"uid\":\"6364d64c-5574-11ef-a880-0242ac110005\"},{\"name\":\"catalyst strong mins\",\"desc\":\"consortium bald removing\",\"uid\":\"6364de3a-5574-11ef-9448-0242ac110005\"}],\"type_id\":1},\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"executed removal years/among.yuv/employment.wma\",\"product\":{\"version\":\"1.1.0\",\"path\":\"internship progress gun\",\"lang\":\"en\",\"vendor_name\":\"sp protection requests\"},\"type_id\":7,\"mime_type\":\"medal/nearly\",\"parent_folder\":\"executed removal 
years/among.yuv\",\"hashes\":[{\"value\":\"5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},{\"value\":\"BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"accessed_time_dt\":\"2024-08-08T10:53:04.389945Z\",\"created_time_dt\":\"2024-08-08T10:53:04.389957Z\"},\"user\":{\"name\":\"Without\",\"type\":\"celebs\",\"uid\":\"6364f62c-5574-11ef-be1d-0242ac110005\",\"type_id\":99},\"group\":{\"desc\":\"allowance vacation ae\"},\"tid\":42,\"uid\":\"636504b4-5574-11ef-af4a-0242ac110005\",\"cmd_line\":\"macintosh enjoying disposal\",\"container\":{\"size\":117561636,\"image\":{\"name\":\"federation technical rally\",\"uid\":\"636511ac-5574-11ef-b939-0242ac110005\"},\"hash\":{\"value\":\"1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"orchestrator\":\"winning business collaborative\"},\"created_time\":1723114384391076,\"parent_process\":{\"name\":\"Vic\",\"pid\":16,\"session\":{\"count\":58,\"uid\":\"636527dc-5574-11ef-a1e5-0242ac110005\",\"issuer\":\"petition disclaimer clara\",\"created_time\":1723114384391616,\"expiration_reason\":\"declined attorney sunday\",\"is_remote\":false,\"is_vpn\":false,\"uid_alt\":\"sim yorkshire adaptation\",\"expiration_time_dt\":\"2024-08-08T10:53:04.391655Z\"},\"file\":{\"name\":\"medication.pdf\",\"owner\":{\"type\":\"System\",\"domain\":\"affiliation arab invision\",\"uid\":\"63653dee-5574-11ef-8c70-0242ac110005\",\"type_id\":3,\"ldap_person\":{\"created_time\":1723114384392352,\"email_addrs\":[\"Olympia@jesse.travel\",\"Mina@seeking.com\"],\"employee_uid\":\"63654de8-5574-11ef-a8ac-0242ac110005\",\"given_name\":\"pulse waiver footwear\",\"ldap_cn\":\"professionals 
worm eng\",\"leave_time\":1723114384392577}},\"size\":1001943972,\"type\":\"Folder\",\"version\":\"1.1.0\",\"path\":\"gotten unique thereafter/championship.deskthemepack/medication.pdf\",\"product\":{\"name\":\"mumbai determined nobody\",\"version\":\"1.1.0\",\"uid\":\"6365590a-5574-11ef-aaa7-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"infected listen uk\"},\"uid\":\"63655f9a-5574-11ef-add1-0242ac110005\",\"type_id\":2,\"creator\":{\"name\":\"Kurt\",\"type\":\"examines\",\"uid\":\"636569d6-5574-11ef-bef4-0242ac110005\",\"type_id\":99,\"account\":{\"name\":\"petite suggestions british\",\"type\":\"AWS Account\",\"uid\":\"63657340-5574-11ef-b69a-0242ac110005\",\"type_id\":10},\"uid_alt\":\"rack fake bleeding\"},\"parent_folder\":\"gotten unique thereafter/championship.deskthemepack\",\"confidentiality\":\"Secret\",\"confidentiality_id\":3,\"hashes\":[{\"value\":\"C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":true},\"user\":{\"type\":\"recent\",\"uid\":\"6365822c-5574-11ef-95fb-0242ac110005\",\"org\":{\"name\":\"jerry calling mardi\",\"uid\":\"63658ac4-5574-11ef-bea5-0242ac110005\",\"ou_name\":\"motion ampland acknowledged\"},\"type_id\":99,\"credential_uid\":\"63659186-5574-11ef-a13d-0242ac110005\",\"email_addr\":\"Lynetta@lib.jobs\"},\"group\":{\"name\":\"phys dollar not\",\"type\":\"foster prefer phys\",\"domain\":\"explicitly retreat de\",\"uid\":\"63659b86-5574-11ef-ac1a-0242ac110005\"},\"uid\":\"6365a1b2-5574-11ef-847c-0242ac110005\",\"cmd_line\":\"sorts sites obtained\",\"container\":{\"name\":\"hack aud canadian\",\"size\":2490340163,\"uid\":\"6365ab4e-5574-11ef-a5b2-0242ac110005\",\"image\":{\"name\":\"graphs uni 
learned\",\"uid\":\"6365b47c-5574-11ef-94cc-0242ac110005\"},\"hash\":{\"value\":\"1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},\"network_driver\":\"nh essentials blogs\",\"pod_uuid\":\"automobiles\"},\"created_time\":1723114384395481,\"namespace_pid\":90,\"parent_process\":{\"name\":\"Offline\",\"pid\":2,\"session\":{\"uuid\":\"6365e014-5574-11ef-a98e-0242ac110005\",\"issuer\":\"bluetooth raise shopping\",\"created_time\":1723114384396317,\"expiration_reason\":\"politics nt username\",\"expiration_time\":1723114384396336,\"is_remote\":true,\"expiration_time_dt\":\"2024-08-08T10:53:04.396343Z\"},\"file\":{\"name\":\"atlantic.icns\",\"type\":\"Symbolic Link\",\"path\":\"rear biology finest/nintendo.class/atlantic.icns\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"national garmin even\",\"issuer\":\"cut duo agencies\",\"fingerprints\":[{\"value\":\"E8D8654C197E7B3BEED4D69E3EDD3A5B\",\"algorithm\":\"MD5\",\"algorithm_id\":1},{\"value\":\"75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"expiration_time\":1723114384396755,\"serial_number\":\"rhode realty talented\"},\"algorithm\":\"vendor\",\"algorithm_id\":99},\"desc\":\"specific aside io\",\"type_id\":7,\"parent_folder\":\"rear biology finest/nintendo.class\",\"confidentiality\":\"freelance pty 
ferrari\",\"created_time\":1723114384396786,\"hashes\":[{\"value\":\"0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},{\"value\":\"D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"modified_time\":1723114384396821,\"xattributes\":{},\"modified_time_dt\":\"2024-08-08T10:53:04.396853Z\"},\"user\":{\"name\":\"Collectables\",\"type\":\"User\",\"domain\":\"crops midi hope\",\"uid\":\"6366010c-5574-11ef-bfe7-0242ac110005\",\"type_id\":1,\"uid_alt\":\"thunder pickup tab\"},\"group\":{\"desc\":\"muze comply jets\"},\"uid\":\"63660b34-5574-11ef-bbcf-0242ac110005\",\"cmd_line\":\"canada federation computational\",\"container\":{\"name\":\"barriers cheaper logged\",\"runtime\":\"logos drilling schools\",\"uid\":\"636616ce-5574-11ef-bd26-0242ac110005\",\"image\":{\"name\":\"handy derek tb\",\"uid\":\"63661fac-5574-11ef-9e80-0242ac110005\"},\"hash\":{\"value\":\"6F08C5DDCDD0BE06D83AA3E0E3D5A09E\",\"algorithm\":\"MD5\",\"algorithm_id\":1}},\"created_time\":1723114384397969,\"namespace_pid\":82,\"parent_process\":{\"name\":\"Recommendations\",\"pid\":76,\"file\":{\"attributes\":9,\"name\":\"placement.3dm\",\"type\":\"Symbolic Link\",\"version\":\"1.1.0\",\"path\":\"arizona concentrations widescreen/wire.tax2020/placement.3dm\",\"modifier\":{\"name\":\"Incident\",\"type\":\"Admin\",\"uid\":\"63663aa0-5574-11ef-89ff-0242ac110005\",\"groups\":[{\"name\":\"guest demographic terry\",\"domain\":\"adventure charter tom\",\"uid\":\"63665ca6-5574-11ef-abfa-0242ac110005\"},{\"name\":\"moderators broker asian\",\"uid\":\"636664f8-5574-11ef-96ca-0242ac110005\"}],\"type_id\":2,\"account\":{\"type\":\"Windows Account\",\"uid\":\"63666f0c-5574-11ef-98ef-0242ac110005\",\"type_id\":2},\"uid_alt\":\"notre sponsorship elections\"},\"desc\":\"populations servers environments\",\"type_id\":7,\"company_name\":\"Christa 
Marta\",\"creator\":{\"name\":\"Quotes\",\"type\":\"System\",\"uid\":\"63667ca4-5574-11ef-a8ae-0242ac110005\",\"groups\":[{\"name\":\"engineers constitute papers\",\"uid\":\"636685fa-5574-11ef-8fd9-0242ac110005\"},{\"type\":\"introducing amendments portuguese\",\"uid\":\"63668c80-5574-11ef-bd3d-0242ac110005\"}],\"type_id\":3,\"account\":{\"name\":\"hewlett beats hit\",\"type\":\"GCP Account\",\"uid\":\"636695b8-5574-11ef-8e13-0242ac110005\",\"type_id\":5},\"ldap_person\":{\"location\":{\"desc\":\"Cyprus, Republic of\",\"city\":\"Bibliographic selections\",\"country\":\"CY\",\"coordinates\":[-120.1139,17.5612],\"continent\":\"Asia\"},\"modified_time\":1723114384401210,\"office_location\":\"dl td transition\",\"last_login_time_dt\":\"2024-08-08T10:53:04.401225Z\"}},\"parent_folder\":\"arizona concentrations widescreen/wire.tax2020\",\"accessed_time\":1723114384401235,\"hashes\":[{\"value\":\"5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"E2A4DD55AA0F76F85A047DAF5B859095\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"xattributes\":{},\"created_time_dt\":\"2024-08-08T10:53:04.401316Z\"},\"user\":{\"name\":\"Taxes\",\"type\":\"System\",\"uid\":\"6366aed6-5574-11ef-855a-0242ac110005\",\"type_id\":3},\"group\":{\"name\":\"split viking nike\",\"domain\":\"apollo clicking incorrect\",\"uid\":\"6366b8c2-5574-11ef-a4e8-0242ac110005\"},\"uid\":\"6366be8a-5574-11ef-a313-0242ac110005\",\"cmd_line\":\"accessible annotated plus\",\"container\":{\"name\":\"butter repeated annie\",\"size\":1994539178,\"uid\":\"6366e1b2-5574-11ef-a230-0242ac110005\",\"image\":{\"name\":\"newspapers marriage translations\",\"uid\":\"6366ed6a-5574-11ef-9f59-0242ac110005\"},\"hash\":{\"value\":\"E94025BE336B1F89159AF64B1F6EDA5D470AC8D6\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"created_time\":1723114384403255,\"integrity\":\"applying observe 
nba\",\"namespace_pid\":98,\"parent_process\":{\"name\":\"Exotic\",\"pid\":64,\"session\":{\"uid\":\"636701d8-5574-11ef-a4f1-0242ac110005\",\"credential_uid\":\"6367082c-5574-11ef-aaa8-0242ac110005\",\"expiration_reason\":\"washing sunday reaching\",\"expiration_time\":1723114384403944,\"is_remote\":true,\"created_time_dt\":\"2024-08-08T10:53:04.403955Z\",\"expiration_time_dt\":\"2024-08-08T10:53:04.403964Z\"},\"file\":{\"name\":\"accuracy.kmz\",\"type\":\"Character Device\",\"version\":\"1.1.0\",\"path\":\"breast enjoying verbal/assure.gam/accuracy.kmz\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"lion struggle widespread\",\"issuer\":\"clocks suppose products\",\"fingerprints\":[{\"value\":\"83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1723114384404438,\"expiration_time\":1723114384404443,\"serial_number\":\"negotiation feel cole\"},\"algorithm\":\"gotten\",\"algorithm_id\":99},\"product\":{\"version\":\"1.1.0\",\"uid\":\"6367296a-5574-11ef-8136-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"cindy specifications frontpage\"},\"uid\":\"63673090-5574-11ef-ad66-0242ac110005\",\"type_id\":3,\"parent_folder\":\"breast enjoying verbal/assure.gam\",\"confidentiality\":\"Top Secret\",\"confidentiality_id\":4,\"hashes\":[{\"value\":\"D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"990D4710B15458E3EDAA8601CDF5B44648B4FC61\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"is_system\":false,\"accessed_time_dt\":\"2024-08-08T10:53:04.404997Z\"},\"user\":{\"name\":\"Saver\",\"type\":\"Admin\",\"uid\":\"6367417a-5574-11ef-8cd6-0242ac110005\",\"groups\":[{\"name\":\"guyana applied attribute\",\"domain\":\"identification browsing 
structures\",\"uid\":\"63676952-5574-11ef-a883-0242ac110005\"}],\"type_id\":2,\"full_name\":\"Mayme Lurline\"},\"group\":{\"name\":\"executive mathematical signals\",\"uid\":\"63677460-5574-11ef-a07f-0242ac110005\"},\"tid\":41,\"uid\":\"63677a6e-5574-11ef-9578-0242ac110005\",\"cmd_line\":\"mere loaded similar\",\"created_time\":1723114384406818,\"lineage\":[\"operational pilot citysearch\"]},\"auid\":58,\"euid\":32,\"created_time_dt\":\"2024-08-08T10:53:04.406843Z\"},\"terminated_time\":1723114384406852}},\"xattributes\":{},\"auid\":30},\"xattributes\":{},\"euid\":78,\"terminated_time_dt\":\"2024-08-08T10:53:04.406915Z\"},\"sandbox\":\"challenged profiles family\",\"xattributes\":{}},\"sandbox\":\"declare indication occupations\",\"xattributes\":{}},\"sandbox\":\"delays fighting soonest\",\"euid\":11},\"created_time_dt\":\"2024-08-08T10:53:04.406974Z\"},\"terminated_time\":1723114384406979},\"euid\":20},\"auid\":5},\"sandbox\":\"representing stationery affiliated\"},\"euid\":92},\"auid\":32}},\"sandbox\":\"em therefore spoke\",\"xattributes\":{},\"created_time_dt\":\"2024-08-08T10:53:04.407027Z\"},\"xattributes\":{},\"euid\":11,\"terminated_time_dt\":\"2024-08-08T10:53:04.407047Z\"},\"terminated_time_dt\":\"2024-08-08T10:53:04.407054Z\"},\"sandbox\":\"conversations poker oriented\",\"auid\":31,\"euid\":40,\"terminated_time_dt\":\"2024-08-08T10:53:04.407066Z\"},\"terminated_time\":1723114384407071,\"euid\":45},\"egid\":67},\"xattributes\":{},\"euid\":77,\"egid\":31},\"auid\":39}},\"egid\":16},\"created_time_dt\":\"2024-08-08T10:53:04.407101Z\"},\"sandbox\":\"numbers audience guard\",\"auid\":45,\"terminated_time_dt\":\"2024-08-08T10:53:04.407112Z\"},\"user\":{\"name\":\"Boy\",\"type\":\"Admin\",\"domain\":\"distance predicted facilities\",\"uid\":\"63679120-5574-11ef-be81-0242ac110005\",\"type_id\":2},\"invoked_by\":\"popularity puzzle provides\"},\"cloud\":{\"provider\":\"diabetes gaps ag\",\"region\":\"act ran entity\"},\"dst_endpoint\":{\"name\":\"full essentials 
size\",\"port\":55506,\"type\":\"ssl\",\"os\":{\"name\":\"mailing possibilities either\",\"type\":\"AIX\",\"version\":\"1.1.0\",\"build\":\"walking thermal neck\",\"type_id\":401},\"ip\":\"226.140.221.18\",\"uid\":\"635383ba-5574-11ef-bd0d-0242ac110005\",\"type_id\":99,\"container\":{\"name\":\"twelve will royalty\",\"runtime\":\"lopez bulletin thru\",\"size\":2829011720,\"tag\":\"grain alert score\",\"uid\":\"63539300-5574-11ef-82a9-0242ac110005\",\"image\":{\"name\":\"routing playback sb\",\"uid\":\"63539e90-5574-11ef-9508-0242ac110005\"},\"hash\":{\"value\":\"4447CDB3261C7AE4F053DC296FEE1093F25F731D23A692D5819318F1901FDEC79EB2CA760BABCD759285BAE417ACD21FC64BB623583834C076F16FA9A53F1107\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"orchestrator\":\"georgia rr scheduled\",\"pod_uuid\":\"municipality\"},\"instance_uid\":\"6353a91c-5574-11ef-b5fc-0242ac110005\",\"interface_name\":\"ideas utility possible\",\"interface_uid\":\"6353afd4-5574-11ef-b86c-0242ac110005\",\"namespace_pid\":72,\"proxy_endpoint\":{\"name\":\"lit canberra terminology\",\"port\":64602,\"type\":\"IOT\",\"ip\":\"35.105.135.121\",\"location\":{\"desc\":\"Guadeloupe\",\"city\":\"Establishment kind\",\"country\":\"GP\",\"coordinates\":[90.6576,-34.4194],\"continent\":\"North America\"},\"hostname\":\"guided.name\",\"uid\":\"6353bf1a-5574-11ef-be0c-0242ac110005\",\"type_id\":7,\"container\":{\"name\":\"programmes relevance boot\",\"size\":2534954875,\"image\":{\"name\":\"weblogs grad offices\",\"uid\":\"6353ca32-5574-11ef-8405-0242ac110005\",\"labels\":[\"commit\",\"walter\"]},\"hash\":{\"value\":\"71FAFC4E2FC1E47E234762A96B80512B6B5534C2\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},\"orchestrator\":\"mic waiting gains\"},\"instance_uid\":\"6353d496-5574-11ef-ba97-0242ac110005\",\"interface_name\":\"nato pray consult\",\"interface_uid\":\"6353db12-5574-11ef-861d-0242ac110005\",\"namespace_pid\":17,\"proxy_endpoint\":{\"name\":\"slides weird 
discussion\",\"port\":38178,\"type\":\"Server\",\"domain\":\"equipped disagree kevin\",\"ip\":\"114.100.167.141\",\"hostname\":\"challenged.travel\",\"uid\":\"6353ed14-5574-11ef-a94e-0242ac110005\",\"type_id\":1,\"container\":{\"name\":\"produces integrate invitation\",\"size\":3462840380,\"tag\":\"locks circuit hindu\",\"uid\":\"6353f70a-5574-11ef-a129-0242ac110005\",\"image\":{\"name\":\"amount dividend oregon\",\"uid\":\"6353ff98-5574-11ef-8eac-0242ac110005\"},\"hash\":{\"value\":\"555F45D31B82ABEEDB74D75EACB96817602160400F9A16B894CB77D68292FE96CFDCF573199918FB36F17CCC5B1B99A9ABBB62D931C518CC5D6A05A5659B534C\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}},\"hw_info\":{\"cpu_cores\":9,\"cpu_count\":87,\"cpu_speed\":32,\"keyboard_info\":{\"keyboard_type\":\"tries dramatically undo\"}},\"instance_uid\":\"63540c0e-5574-11ef-98f2-0242ac110005\",\"interface_name\":\"detroit handbags discuss\",\"interface_uid\":\"63541294-5574-11ef-aa42-0242ac110005\",\"namespace_pid\":67,\"svc_name\":\"discovered occurs presidential\",\"zone\":\"little tucson operations\"},\"svc_name\":\"history it exp\",\"zone\":\"join your encourage\"},\"svc_name\":\"gl dropped workforce\"},\"severity_id\":2,\"src_endpoint\":{\"name\":\"allah pain blues\",\"type\":\"Hub\",\"ip\":\"175.16.199.0\",\"hostname\":\"generic.edu\",\"uid\":\"63552c6a-5574-11ef-847f-0242ac110005\",\"mac\":\"E4:C5:2D:FD:E6:16:2B:96\",\"type_id\":11,\"container\":{\"name\":\"involvement buses bowling\",\"size\":509766084,\"tag\":\"lawyers genre trained\",\"uid\":\"635539f8-5574-11ef-b41d-0242ac110005\",\"image\":{\"name\":\"clause material fort\",\"uid\":\"635540f6-5574-11ef-bbdd-0242ac110005\",\"labels\":[\"difficulties\",\"confusion\"]},\"hash\":{\"value\":\"6DE8A320862880F35A99FE4448414E898831DCCD\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}},\"instance_uid\":\"63554826-5574-11ef-973b-0242ac110005\",\"interface_name\":\"collections setting 
twelve\",\"interface_uid\":\"63554c86-5574-11ef-90cb-0242ac110005\",\"svc_name\":\"welding minute invention\"},\"status_id\":0}", + "outcome": "unknown", + "provider": "buying fa joel", + "severity": 2, + "type": [ + "info" + ] + }, + "file": { + "directory": "wiki optimization counter/prohibited.ai", + "hash": { + "sha256": [ + "4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984" + ], + "tlsh": [ + "F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8" + ] + }, + "name": "ate.cue", + "path": "wiki optimization counter/prohibited.ai/ate.cue", + "type": "Folder", + "x509": { + "issuer": { + "distinguished_name": "warning cute armor" + }, + "not_after": "2024-08-08T10:53:04.273Z", + "serial_number": "qld undergraduate cowboy", + "subject": { + "distinguished_name": "advised chess egyptian" + }, + "version_number": "1.1.0" + } + }, + "message": "epa stanley speech", + "network": { + "application": [ + "welding minute invention", + "gl dropped workforce" + ] + }, + "ocsf": { + "activity_id": "7", + "activity_name": "Move", + "actor": { + "invoked_by": "popularity puzzle provides", + "process": { + "auid": "45", + "cmd_line": "syndication traveler charges", + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1" + }, + "image": { + "labels": [ + "pants", + "firewall" + ], + "name": "technician rogers federal", + "tag": "pub flexible interface", + "uid": "63561756-5574-11ef-85d8-0242ac110005" + }, + "name": "slim rehabilitation nest", + "size": 2119671744, + "uid": "63560cca-5574-11ef-8db7-0242ac110005" + }, + "created_time": "2024-08-08T10:53:04.292Z", + "file": { + "attributes": 91, + "creator": { + "email_addr": "Blaine@highlight.pro", + "full_name": "Melodee Norma", + "name": "Resource", + "type": "System", + "type_id": "3", + "uid": "6355ab18-5574-11ef-bc66-0242ac110005" + }, + "desc": "xp endif record", 
+ "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": "2", + "value": "28E532D56B18548CC0B68A63311D2DCD2D258B2F" + }, + { + "algorithm": "MD5", + "algorithm_id": "1", + "value": "695BF60E03F83A36699AF46519E8E584" + } + ], + "mime_type": "incl/johnston", + "modifier": { + "domain": "beneficial az attraction", + "email_addr": "Lura@consolidated.mil", + "name": "Dimensional", + "type": "System", + "type_id": "3", + "uid": "63556d6a-5574-11ef-ac26-0242ac110005" + }, + "name": "physician.asf", + "parent_folder": "donors replied magazine/elder.accdb", + "path": "donors replied magazine/elder.accdb/physician.asf", + "type": "Regular File", + "type_id": "1" + }, + "group": { + "domain": "problem choosing reform", + "name": "manage livestock tribes", + "uid": "6355e5e2-5574-11ef-b983-0242ac110005" + }, + "integrity": "cr darwin wearing", + "loaded_modules": [ + "/sic/measurement/morrison/routing/classroom.class", + "/projector/dare/dt/fancy/governance.wma" + ], + "name": "Eden", + "namespace_pid": 27, + "parent_process": { + "cmd_line": "asks eight printed", + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959" + }, + "image": { + "name": "abu collectables clinical", + "uid": "63567a16-5574-11ef-8843-0242ac110005" + }, + "name": "te beginners geology", + "size": 1467240565, + "uid": "63567160-5574-11ef-a13e-0242ac110005" + }, + "created_time": "2024-08-08T10:53:04.295Z", + "created_time_dt": "2024-08-08T10:53:04.407Z", + "file": { + "accessor": { + "email_addr": "Sunni@holders.jobs", + "type": "republican", + "type_id": "99", + "uid": "6356478a-5574-11ef-bd16-0242ac110005" + }, + "attributes": 91, + "name": "engineers.png", + "parent_folder": "judgment entering hydrocodone/sharp.uue", + "path": "judgment entering hydrocodone/sharp.uue/engineers.png", + "type": "Character Device", + "type_id": "3" + }, + "group": { + "desc": "rogers eco outlets", + "type": "savannah 
weapon canon", + "uid": "63565dba-5574-11ef-80bf-0242ac110005" + }, + "integrity": "eternal reservation which", + "name": "Outreach", + "namespace_pid": 73, + "parent_process_keyword": "{container={uid=6356a234-5574-11ef-a31f-0242ac110005, image={uid=6356aaae-5574-11ef-80e9-0242ac110005, name=bag belief such, labels=[memorabilia, producers]}, size=3349958052, name=diving invited scoring, pod_uuid=pp, runtime=louise demanding pontiac, tag=witness indicators oral, hash={value=5EF93A057B5E36A7F6F0880E87F5CF4B, algorithm_id=1, algorithm=MD5}}, created_time=1723114384296, egid=16, cmd_line=tools aluminium combinations, namespace_pid=42, name=Hung, pid=85, parent_process={container={uid=6356f91e-5574-11ef-ae76-0242ac110005, image={uid=635701a2-5574-11ef-bc46-0242ac110005, name=sao naked toddler, labels=[toolbox, taught]}, size=420397581, name=slovenia anybody colors, pod_uuid=arranged, runtime=organic worked yn, hash={value=E6E7B71309D96CA832137A8E06B9E34906F7A42708F8EBD9C2B75A423AC058A7F0DD0B2AB768E8090DF7E6E6C89E95D7D80DCC4FD0F84464C499AFA89D9AE294, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384298, namespace_pid=34, pid=15, parent_process={container={uid=6357871c-5574-11ef-9b53-0242ac110005, image={uid=63578f78-5574-11ef-83eb-0242ac110005, name=lots time boolean}, orchestrator=board luis adopted, size=2152153573, name=loving revealed remarkable, hash={value=EA7F1EC6B430560FE1BA023D62E5D33D29746DD5F0355FB118B1E4536D6230111964615215FCE2BE609D341EACB3B42869EE304F80BBAEC3F6720FA8FD50AD97, algorithm_id=5, algorithm=CTPH}}, uid=63577e16-5574-11ef-8086-0242ac110005, created_time=1723114384302, auid=39, file={owner={uid=63572f2e-5574-11ef-80bc-0242ac110005, full_name=Mistie Belkis, type_id=3, domain=harmony served deadly, name=Excessive, groups=[{uid=635738e8-5574-11ef-b1ba-0242ac110005, name=recruiting member combine}], type=System, account={uid=6357423e-5574-11ef-bd28-0242ac110005, type_id=7, type=Mac OS Account}}, is_system=false, 
creator={uid=635752c4-5574-11ef-9816-0242ac110005, full_name=Lauralee Thomasine, type_id=1, domain=cabinet satisfaction excitement, name=Health, type=User, ldap_person={ldap_dn=roy noticed vertical, surname=tract olympus editor, created_time_dt=2024-08-08T10:53:04.301134Z, location={continent=Europe, country=RS, city=Princeton judy, coordinates=[-170.2881, -62.2248], desc=Serbia, Republic of}}}, type_id=5, type=Local Socket, xattributes={}, path=everything packaging fears/sat.crdownload/sitting.bmp, uid=635748e2-5574-11ef-9899-0242ac110005, parent_folder=everything packaging fears/sat.crdownload, modified_time=1723114384301, name=sitting.bmp, hashes=[{value=D496B4FAFB1139B1F80F1B60D5AB3A22EF18A1625889B6793BDD41EAF1EB68F093E7AF5254D7DB838F22711DAA2F5E3A0CA6BF5F983AAAC163D7D525C760277B, algorithm_id=0, algorithm=Unknown}], accessed_time=1723114384301}, cmd_line=consists posters menus, name=Whilst, pid=51, parent_process={container={uid=63597a54-5574-11ef-acbb-0242ac110005, image={uid=63599c96-5574-11ef-8abe-0242ac110005, name=hanging assume mill}, size=3636193350, name=drill modern difference, hash={value=90C9EFE0343A584FD260823A0B266073C0E319EDC8D3C7CD2CCF69E236CF45D870E30646022FDB667F085AEA84B64830C3B3DC702C35A111DCCB3F05F05F9529, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384316, euid=77, session={uid=6357a396-5574-11ef-8ef4-0242ac110005, created_time=1723114384303, is_remote=false, is_mfa=true, issuer=demonstration holmes california}, namespace_pid=49, pid=93, parent_process={container={uid=635a7206-5574-11ef-b9d6-0242ac110005, image={uid=635a8282-5574-11ef-8212-0242ac110005}, size=560452224, name=answers camera televisions, hash={value=FAF5EB7985BA4C9CBED8EED0D046F77F7C6ADCB15B9F3537256D717C2D370E448132CECC73264489D250CE463844ECFF1DC62C554DC6654B0C11659842BD7828, algorithm_id=7, algorithm=quickXorHash}}, uid=635a5c26-5574-11ef-8945-0242ac110005, created_time=1723114384322, egid=67, file={path=proper unified cingular/outsourcing.cs/venice.pct, 
created_time=1723114384320, product={vendor_name=staying attachment med, version=1.1.0}, parent_folder=proper unified cingular/outsourcing.cs, type_id=3, name=venice.pct, accessor={uid=635a477c-5574-11ef-8dd3-0242ac110005, type_id=2, name=Arlington, type=Admin, credential_uid=635a4f2e-5574-11ef-b0c1-0242ac110005}, hashes=[{value=5B54C0A045F179BCBBBC9ABCB8B5CD4C, algorithm_id=1, algorithm=MD5}, {value=B1A66BA2E7D51C706F9A2CA80905DF475AE44EDC79EC60CA4D7580FBD6548B91, algorithm_id=99, algorithm=magic}], accessed_time=1723114384320, modified_time_dt=2024-08-08T10:53:04.320622Z, type=Character Device, desc=advantage profit fall}, cmd_line=cup rights charger, namespace_pid=14, name=Ft, pid=85, parent_process={container={uid=635bd29a-5574-11ef-a523-0242ac110005, image={uid=635c0198-5574-11ef-ba77-0242ac110005, name=junction naval insulation, tag=watches wellington muscle}, size=1841031275, name=ink bio mileage, pod_uuid=nuclear, runtime=effort des lu, hash={value=FA987EC04918567E13A7554C7DDC4D86FB705EAD55207E05ED4E224FB0A9F1570BE1D51F9AE581D415E2D13894EECAEEF402D9901F8C9E70CD839691DD428BBD, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384332, euid=45, namespace_pid=91, pid=1, parent_process={container={uid=635d91e8-5574-11ef-bfc1-0242ac110005, image={uid=635dba88-5574-11ef-a7d2-0242ac110005, name=bring president swap}, network_driver=crawford invitation pierce, orchestrator=differences lycos cut, size=175725837, name=ate worth powerpoint, runtime=society mem dependence, hash={value=7D1BDD4F5CF16C23DEE15E0673B9B700804F55D5AC5DAA8E6A6F6DD1951AB502D960DF687EDC47B11A696C8F4A969208DFC7E3E4043EE2C907B4FCC244E9FD74, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384343, auid=31, euid=40, namespace_pid=17, sandbox=conversations poker oriented, pid=46, parent_process={container={uid=635e290a-5574-11ef-8290-0242ac110005, image={uid=635e31d4-5574-11ef-8b11-0242ac110005, tag=developer characterized chelsea}, size=1634165265, name=dry age their, tag=revised bytes 
swingers, hash={value=D5F2E5C77054C44C2C72A1B017DECA06FC637C99, algorithm_id=2, algorithm=SHA-1}}, uid=635e1f5a-5574-11ef-aad7-0242ac110005, created_time=1723114384346, file={owner={uid=635ddb94-5574-11ef-ab3f-0242ac110005, org={name=whom demand thereof, ou_name=weighted fundraising drainage}, type_id=1, name=Tissue, type=User}, is_system=false, type_id=1, confidentiality=Unknown, modified_time_dt=2024-08-08T10:53:04.344556Z, type=Regular File, path=commons employ nickel/humanity.swf/earnings.otf, parent_folder=commons employ nickel/humanity.swf, confidentiality_id=0, company_name=Abby Cyrus, security_descriptor=correctly screenshots reached, name=earnings.otf, hashes=[{value=EE1150845FA3041CEB3A3FCDBE42D68A, algorithm_id=1, algorithm=MD5}, {value=DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.344543Z}, cmd_line=macedonia reid wanna, name=During, pid=22, parent_process={container={uid=635eaa7e-5574-11ef-99fc-0242ac110005, image={uid=635eb3a2-5574-11ef-8a60-0242ac110005, name=carolina bio conversion}, orchestrator=wto murray posted, size=2909077433, name=car ericsson vary, pod_uuid=designed, tag=apparent philadelphia southern, hash={value=62B8E80D982A1EF7D7764527C89E80FE2D9EFE4990B43078E143E4C6EDD2F407, algorithm_id=3, algorithm=SHA-256}}, created_time=1723114384349, euid=11, namespace_pid=5, pid=15, parent_process={container={uid=635f000a-5574-11ef-bd88-0242ac110005, image={uid=635f0898-5574-11ef-a44a-0242ac110005, name=procedures later palestinian}, orchestrator=teens motion deaths, size=22516444, name=thomson multi reliable, hash={value=B330ECA1D2F13AB95C1C8C41637D9CD297E8221B1DBE869BDE2ACD408F9548B864002FB987EEDA759EF00CDF20345836767C45CA1D40C2DCACE6B6A569E48F09, algorithm_id=6, algorithm=TLSH}}, created_time=1723114384351, namespace_pid=7, sandbox=em therefore spoke, pid=58, 
parent_process={container={uid=635f7e18-5574-11ef-84ec-0242ac110005, image={uid=635f891c-5574-11ef-9147-0242ac110005, name=packs auction technical}, size=574926482, name=inquire justice risks, runtime=fragrance instances sun}, lineage=[lying advertisements renew, buf prescribed puerto], created_time=1723114384354, namespace_pid=80, pid=86, parent_process={lineage=[trees saving alias, ssl september rack], uid=635fa406-5574-11ef-809b-0242ac110005, auid=32, cmd_line=information propecia md, namespace_pid=50, name=Blogger, pid=77, parent_process={container={uid=63600950-5574-11ef-aae8-0242ac110005, image={path=trades mess wishlist, uid=6360136e-5574-11ef-8aec-0242ac110005, name=jersey elected projector, tag=members breathing powers}, size=3538073681, name=homes commonwealth recall}, created_time=1723114384358, euid=92, namespace_pid=6, pid=15, parent_process={container={image={uid=636066de-5574-11ef-9bc9-0242ac110005, name=listing hardwood defined}, orchestrator=australian future sponsor, size=119356271, name=heather troubleshooting considerable, hash={value=F0F33A03B88C641E422DA78295DB088A0C19D463F4BD44A1CE20D3BB9892A0063ABB61D6124EB7D79EF56FC55ADEFAF30542712C4C8D0A1B952AFB4A346C0876, algorithm_id=4, algorithm=SHA-512}}, lineage=[seeds spouse noble, lifestyle fault floors], uid=636054f0-5574-11ef-8588-0242ac110005, created_time=1723114384360, file={path=throws additions myspace/jackets.b/patches.tar, uid=636040d2-5574-11ef-965c-0242ac110005, parent_folder=throws additions myspace/jackets.b, confidentiality_id=4, signature={certificate={created_time=1723114384358, subject=donate tons media, expiration_time=1723114384358, serial_number=fell lab weddings, version=1.1.0, issuer=italic hamburg judges, fingerprints=[{value=F13F9E344F8839E5D7D17303ABAE106FC66E7D519B232C80C8D6066EF1A5148A796818425ED64282D159C7D8749343FBF193D9C83256C16B72857EBE0151F543, algorithm_id=5, algorithm=CTPH}]}, developer_uid=63603196-5574-11ef-ac47-0242ac110005, algorithm_id=1, algorithm=DSA}, 
type_id=0, confidentiality=Top Secret, name=patches.tar, hashes=[{value=04ACD168BF6D98D85736E4DB0EF815B53830AF1882C47ABFC357172729DFCD84EF6553958C4CB4593A3844E5D7FC9136FDDF5C82B1171ACAD84F52F7F133AA21, algorithm_id=4, algorithm=SHA-512}, {value=6B85712C92509BE057A8284F4CBF4868755DC0FFB2611096D26209767429967390E3CADE2D1733A0C8D9217CFF1BFA985A184E36695A411B7DEAC20411C9DED8, algorithm_id=7, algorithm=quickXorHash}], modified_time_dt=2024-08-08T10:53:04.359528Z, type=Unknown}, cmd_line=swingers centers burke, namespace_pid=18, sandbox=representing stationery affiliated, pid=31, parent_process={container={uid=63613c44-5574-11ef-bd50-0242ac110005, image={uid=63614568-5574-11ef-bf7a-0242ac110005, name=rate ben fish}, size=1952448709, name=obligation catalyst concentrations, runtime=tex strings mounted, hash={value=43CF305C9FBAF25955B6B640407705DE473A6AECC1D3684D43A7E6E113AD35E3, algorithm_id=99, algorithm=magic}}, uid=636132c6-5574-11ef-83af-0242ac110005, created_time=1723114384366, auid=5, file={path=calcium amateur harmony/ltd.toast/implemented.rom, creator={uid=6360d920-5574-11ef-a83a-0242ac110005, type_id=0, domain=adjustment container harris, name=With, type=Unknown, account={uid=6360e442-5574-11ef-9167-0242ac110005, type_id=9, name=europe eating mailing, type=Linux Account}}, parent_folder=calcium amateur harmony/ltd.toast, type_id=0, modifier={uid=6360b08a-5574-11ef-ae8e-0242ac110005, type_id=2, type=Admin, ldap_person={ldap_dn=census doors though, ldap_cn=racing morgan volt, cost_center=verify nut levels, location={continent=Europe, country=HR, city=Regulations technician, coordinates=[-57.4552, 63.8901], desc=Croatia, Republic of}, modified_time_dt=2024-08-08T10:53:04.363022Z}}, name=implemented.rom, hashes=[{value=19C64195EB8F22C39B4BAD63078823DDD82E6D61847B25F1F5B969BE6C891661, algorithm_id=3, algorithm=SHA-256}, {value=652D75F9BAFB25E55C0E8DB77C3A9EA11F87C5167431C08F827375741D1B0C2F, algorithm_id=3, algorithm=SHA-256}], 
modified_time_dt=2024-08-08T10:53:04.363717Z, type=Unknown}, cmd_line=psp bush feet, namespace_pid=17, pid=42, parent_process={container={uid=63620160-5574-11ef-b37a-0242ac110005, image={path=gulf brian arrow, uid=63620bec-5574-11ef-8f30-0242ac110005, name=apt lp screen}, network_driver=ks field roger, size=3565502421, name=waste counties homepage, pod_uuid=breathing}, created_time=1723114384371, euid=20, session={uid=6361567a-5574-11ef-b26b-0242ac110005, created_time=1723114384366, is_remote=false, issuer=level boc morrison, credential_uid=63615e22-5574-11ef-b196-0242ac110005}, namespace_pid=72, pid=16, parent_process={container={uid=6362bb3c-5574-11ef-8a12-0242ac110005, image={uid=6362c56e-5574-11ef-8c25-0242ac110005, name=pi churches es}, orchestrator=asking jerry namespace, size=1384069832, name=calvin actor describe, tag=automobiles gratuit tower, hash={value=67C09C289C121B7595556E03199ABF1EC4E85049DC99DB50BBB35FD8B5E2636C89497184BE8F2ED184301E2A5411B5565E97D87BCC951CB5F2CA9C8E696E6341, algorithm_id=5, algorithm=CTPH}}, created_time=1723114384376, namespace_pid=67, pid=14, parent_process={container={uid=63633e40-5574-11ef-9825-0242ac110005, image={uid=6363469c-5574-11ef-9299-0242ac110005}, size=2004032787, name=deputy mirror eagle, tag=magazine looking deemed, hash={value=55601A1804A5DD2CDDC702A8DBFD7D6EF6FB18BBD4EF25B7BA0FDF2AF274DC5BDD0AA03C3DF2E03891033BB6780C2DFC3D777203E7CC6D1D1B6AAA24A5B53037, algorithm_id=4, algorithm=SHA-512}}, uid=63633300-5574-11ef-80ee-0242ac110005, created_time=1723114384379, file={path=pennsylvania matthew somewhere/saw.dbf/tennessee.wsf, uid=6362dc0c-5574-11ef-b631-0242ac110005, is_system=false, creator={uid=6362e6ac-5574-11ef-a13c-0242ac110005, email_addr=Lorretta@components.nato, type_id=1, name=Cognitive, type=User}, parent_folder=pennsylvania matthew somewhere/saw.dbf, type_id=2, security_descriptor=lcd elementary surround, name=tennessee.wsf, hashes=[{value=1701CFB023A18B1534D60983D25660944BF18C8928D27C2658306664990BC734, 
algorithm_id=3, algorithm=SHA-256}, {value=DEF35473338568D93D88C11638B8777B05D03931E8939FF2B7E675DB82DA9434, algorithm_id=99, algorithm=magic}], attributes=1, type=Folder}, cmd_line=magazines spin aaron, namespace_pid=66, name=Animal, created_time_dt=2024-08-08T10:53:04.406974Z, pid=95, parent_process={container={uid=63638544-5574-11ef-bbd6-0242ac110005, image={uid=63638df0-5574-11ef-8d90-0242ac110005, name=exist acceptance britney}, network_driver=shops congratulations variance, name=contain accepted gba, runtime=admin hammer variance, tag=geographical registered suspension, hash={value=83D3D1C470830C64B9B04152B2CD1D11DD99205143049050D298FD7C21CC125A, algorithm_id=99, algorithm=magic}}, created_time=1723114384381, euid=11, namespace_pid=1, sandbox=delays fighting soonest, parent_process={container={uid=6363dbde-5574-11ef-a3c5-0242ac110005, image={uid=6363e57a-5574-11ef-8bf7-0242ac110005, name=errors request zdnet}, orchestrator=viral lindsay intellectual, size=2306842201, name=astronomy routing grocery, tag=exchange timber candles, hash={value=237ED8923CABFCED8263F1C5E537EDA9F4C9DF97C64000C74437C23D8564FDCB9AB6A7D16DD6E62D0915824B5BFF1CF112DD0BAEAA89171E14E068515290265E, algorithm_id=4, algorithm=SHA-512}}, uid=6363d120-5574-11ef-b647-0242ac110005, created_time=1723114384383, file={is_system=true, type_id=7, confidentiality=Confidential, type=Symbolic Link, path=watts leave ukraine/ringtones.rtf/fits.cfm, parent_folder=watts leave ukraine/ringtones.rtf, confidentiality_id=2, accessed_time_dt=2024-08-08T10:53:04.381694Z, security_descriptor=selling dt few, name=fits.cfm, hashes=[{value=B90D6FEF7CE6A21866AE315B5A971CA7C32531C74C5A720508ED5490C80E51AF7F2194E67D30333457C00E700B4CAACF979ECA995DF46837A0D1ED6847A7CE7E, algorithm_id=4, algorithm=SHA-512}, {value=3F2C9248EE951C2D98A3CD5B4AF06BD317DB2124, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.381707Z, attributes=2}, cmd_line=effects day pocket, namespace_pid=39, sandbox=declare indication 
occupations, pid=44, parent_process={container={uid=63642e36-5574-11ef-aac4-0242ac110005, orchestrator=preview contractors helps, size=639972788, name=texas comments creator, hash={value=1C073A2AE40F35C9E559128C518EF6BB606F87F47F7A6D8AF51E96DEBBDCF7E746F35B0E8CF42CF24B80034B359D710FF883F08C153BB4B4717E83FAED4E08A6, algorithm_id=7, algorithm=quickXorHash}}, created_time=1723114384385, file={owner={uid=63640244-5574-11ef-864e-0242ac110005, type_id=99, name=Priorities, type=uploaded, account={uid=63640bea-5574-11ef-881a-0242ac110005, type_id=0, name=charles verification grave, type=Unknown}}, path=alter checked emperor/toner.htm/photo.gadget, created_time=1723114384384, parent_folder=alter checked emperor/toner.htm, confidentiality_id=1, type_id=7, confidentiality=Not Confidential, name=photo.gadget, hashes=[{value=DB52AE7062C6819F07456657BE8F96A41BD461DAB2FF0DB18FF7DFABECA6AB0522C141821715890230BE5D35FDE767FE5CB592C5B2A8CD9CE93B3396F2701EA0, algorithm_id=4, algorithm=SHA-512}, {value=5CC3F82838BA7260203E4590CE03D00E1663D41F6A5167144F5C95D6BE2166A0, algorithm_id=3, algorithm=SHA-256}], type=Symbolic Link, version=1.1.0}, cmd_line=lung mega nn, namespace_pid=8, name=Vessels, sandbox=challenged profiles family, pid=73, parent_process={container={uid=636474e0-5574-11ef-bca8-0242ac110005, image={path=advantage bm record, uid=63647df0-5574-11ef-b02b-0242ac110005, name=advertisement metabolism bound, tag=parent prostores taste}, orchestrator=child railroad thehun, name=katrina commonly sweet, hash={value=36604EB0C3355689302D7694E45FA957071097E28B061276AABCBAC610B98FCE4F7A18C5D7566551D4EBC9F0E6D2EE5157C288FE26459003392E240F8FBEB605, algorithm_id=0, algorithm=Unknown}}, created_time=1723114384387, euid=78, namespace_pid=4, pid=56, parent_process={container={image={uid=636511ac-5574-11ef-b939-0242ac110005, name=federation technical rally}, orchestrator=winning business collaborative, size=117561636, 
hash={value=1C6EE66D49C991A2FC79EC6D6B64F4AB5B8E29D3C774F3B6DD10F3A024271023CD29C66DA147EADA969690FFC2FA73C8B9EC6C4377580CF3CE89AEF8A8136657, algorithm_id=4, algorithm=SHA-512}}, created_time=1723114384391, auid=30, session={created_time=1723114384387, is_vpn=true, is_remote=true, issuer=mounts burns budgets}, pid=34, parent_process={container={uid=6365ab4e-5574-11ef-a5b2-0242ac110005, image={uid=6365b47c-5574-11ef-94cc-0242ac110005, name=graphs uni learned}, network_driver=nh essentials blogs, size=2490340163, name=hack aud canadian, pod_uuid=automobiles, hash={value=1348CB592CE159B2F0A3E0A0B20233BF7F40585376BD14ED638003DF65CE6028072010B42D85244F83CA87E928EA1C229FCDC44AFE29B22E34B99D3C8B26EB98, algorithm_id=6, algorithm=TLSH}}, uid=6365a1b2-5574-11ef-847c-0242ac110005, created_time=1723114384395, file={owner={uid=63653dee-5574-11ef-8c70-0242ac110005, type_id=3, domain=affiliation arab invision, type=System, ldap_person={created_time=1723114384392, leave_time=1723114384392, email_addrs=[Olympia@jesse.travel, Mina@seeking.com], ldap_cn=professionals worm eng, given_name=pulse waiver footwear, employee_uid=63654de8-5574-11ef-a8ac-0242ac110005}}, is_system=true, product={uid=6365590a-5574-11ef-aaa7-0242ac110005, name=mumbai determined nobody, vendor_name=infected listen uk, lang=en, version=1.1.0}, creator={uid=636569d6-5574-11ef-bef4-0242ac110005, type_id=99, name=Kurt, uid_alt=rack fake bleeding, type=examines, account={uid=63657340-5574-11ef-b69a-0242ac110005, type_id=10, name=petite suggestions british, type=AWS Account}}, type_id=2, confidentiality=Secret, type=Folder, version=1.1.0, path=gotten unique thereafter/championship.deskthemepack/medication.pdf, uid=63655f9a-5574-11ef-add1-0242ac110005, parent_folder=gotten unique thereafter/championship.deskthemepack, size=1001943972, confidentiality_id=3, name=medication.pdf, hashes=[{value=C67541E14008D6AF094C938459E575DFB5FA24FD50ADAFC615DB56E4A773FD0BEBA072C2A8F3ECB17D4CBB51818B31ECE4F0A810CB8E5C42C622592DB55DA0A1, 
algorithm_id=7, algorithm=quickXorHash}]}, cmd_line=sorts sites obtained, session={uid=636527dc-5574-11ef-a1e5-0242ac110005, created_time=1723114384391, is_vpn=false, expiration_reason=declined attorney sunday, expiration_time_dt=2024-08-08T10:53:04.391655Z, count=58, is_remote=false, uid_alt=sim yorkshire adaptation, issuer=petition disclaimer clara}, namespace_pid=90, name=Vic, pid=16, parent_process={container={uid=636616ce-5574-11ef-bd26-0242ac110005, image={uid=63661fac-5574-11ef-9e80-0242ac110005, name=handy derek tb}, name=barriers cheaper logged, runtime=logos drilling schools, hash={value=6F08C5DDCDD0BE06D83AA3E0E3D5A09E, algorithm_id=1, algorithm=MD5}}, created_time=1723114384397, session={created_time=1723114384396, expiration_reason=politics nt username, expiration_time_dt=2024-08-08T10:53:04.396343Z, expiration_time=1723114384396, is_remote=true, uuid=6365e014-5574-11ef-a98e-0242ac110005, issuer=bluetooth raise shopping}, namespace_pid=82, pid=2, parent_process={container={uid=6366e1b2-5574-11ef-a230-0242ac110005, image={uid=6366ed6a-5574-11ef-9f59-0242ac110005, name=newspapers marriage translations}, size=1994539178, name=butter repeated annie, hash={value=E94025BE336B1F89159AF64B1F6EDA5D470AC8D6, algorithm_id=2, algorithm=SHA-1}}, created_time=1723114384403, auid=58, euid=32, namespace_pid=98, pid=76, parent_process={lineage=[operational pilot citysearch], uid=63677a6e-5574-11ef-9578-0242ac110005, created_time=1723114384406, file={is_system=false, product={uid=6367296a-5574-11ef-8136-0242ac110005, vendor_name=cindy specifications frontpage, lang=en, version=1.1.0}, signature={certificate={created_time=1723114384404, subject=lion struggle widespread, expiration_time=1723114384404, serial_number=negotiation feel cole, version=1.1.0, issuer=clocks suppose products, fingerprints=[{value=83624D02DEDBF131BC80643811BDE31BB6FCBCDD128849E01A630F99100E4AEE2BF55A6610961457C3AA9B403628F34BC835B62EC068589F520AB344681A174E, algorithm_id=6, algorithm=TLSH}]}, 
algorithm_id=99, algorithm=gotten}, type_id=3, confidentiality=Top Secret, type=Character Device, version=1.1.0, path=breast enjoying verbal/assure.gam/accuracy.kmz, uid=63673090-5574-11ef-ad66-0242ac110005, parent_folder=breast enjoying verbal/assure.gam, confidentiality_id=4, accessed_time_dt=2024-08-08T10:53:04.404997Z, name=accuracy.kmz, hashes=[{value=D02BCEDE7EF63722B56FD76E6C3E0C74E72D5B9C169DE7BA9712A1EAEF0C13F59F27BBFC33274C80889426EB38A8D191AB7B08FE9397BF0BE4D5B4C08CF7956C, algorithm_id=7, algorithm=quickXorHash}, {value=990D4710B15458E3EDAA8601CDF5B44648B4FC61, algorithm_id=2, algorithm=SHA-1}]}, cmd_line=mere loaded similar, session={uid=636701d8-5574-11ef-a4f1-0242ac110005, expiration_reason=washing sunday reaching, expiration_time_dt=2024-08-08T10:53:04.403964Z, expiration_time=1723114384403, is_remote=true, created_time_dt=2024-08-08T10:53:04.403955Z, credential_uid=6367082c-5574-11ef-aaa8-0242ac110005}, name=Exotic, pid=64, user={uid=6367417a-5574-11ef-8cd6-0242ac110005, full_name=Mayme Lurline, type_id=2, name=Saver, groups=[{uid=63676952-5574-11ef-a883-0242ac110005, domain=identification browsing structures, name=guyana applied attribute}], type=Admin}, tid=41, group={uid=63677460-5574-11ef-a07f-0242ac110005, name=executive mathematical signals}}, uid=6366be8a-5574-11ef-a313-0242ac110005, integrity=applying observe nba, file={creator={uid=63667ca4-5574-11ef-a8ae-0242ac110005, type_id=3, name=Quotes, groups=[{uid=636685fa-5574-11ef-8fd9-0242ac110005, name=engineers constitute papers}, {uid=63668c80-5574-11ef-bd3d-0242ac110005, type=introducing amendments portuguese}], type=System, ldap_person={modified_time=1723114384401, last_login_time_dt=2024-08-08T10:53:04.401225Z, location={continent=Asia, country=CY, city=Bibliographic selections, coordinates=[-120.1139, 17.5612], desc=Cyprus, Republic of}, office_location=dl td transition}, account={uid=636695b8-5574-11ef-8e13-0242ac110005, type_id=5, name=hewlett beats hit, type=GCP Account}}, type_id=7, 
modifier={uid=63663aa0-5574-11ef-89ff-0242ac110005, type_id=2, name=Incident, groups=[{uid=63665ca6-5574-11ef-abfa-0242ac110005, domain=adventure charter tom, name=guest demographic terry}, {uid=636664f8-5574-11ef-96ca-0242ac110005, name=moderators broker asian}], uid_alt=notre sponsorship elections, type=Admin, account={uid=63666f0c-5574-11ef-98ef-0242ac110005, type_id=2, type=Windows Account}}, type=Symbolic Link, version=1.1.0, xattributes={}, path=arizona concentrations widescreen/wire.tax2020/placement.3dm, parent_folder=arizona concentrations widescreen/wire.tax2020, company_name=Christa Marta, name=placement.3dm, hashes=[{value=5509CE62AD4908E35D559F0487FCFAFEAA7A7AA2B4771FF42C45FF34397DF6E1F848AF224697A1C8BB77C1A81AFAA825437582905189C5346490D5121B91F366, algorithm_id=7, algorithm=quickXorHash}, {value=E2A4DD55AA0F76F85A047DAF5B859095, algorithm_id=1, algorithm=MD5}], created_time_dt=2024-08-08T10:53:04.401316Z, attributes=9, accessed_time=1723114384401, desc=populations servers environments}, cmd_line=accessible annotated plus, name=Recommendations, created_time_dt=2024-08-08T10:53:04.406843Z, user={uid=6366aed6-5574-11ef-855a-0242ac110005, type_id=3, name=Taxes, type=System}, group={uid=6366b8c2-5574-11ef-a4e8-0242ac110005, domain=apollo clicking incorrect, name=split viking nike}}, terminated_time=1723114384406, uid=63660b34-5574-11ef-bbcf-0242ac110005, file={created_time=1723114384396, signature={certificate={subject=national garmin even, expiration_time=1723114384396, serial_number=rhode realty talented, version=1.1.0, issuer=cut duo agencies, fingerprints=[{value=E8D8654C197E7B3BEED4D69E3EDD3A5B, algorithm_id=1, algorithm=MD5}, {value=75529D527C6CDFA48546F9F7ED5AFD587F24AB584370D91EBFC1743E519B936C7780070A7709D4FECA4C639302E40E1BD1F842B3613B900269D77BEA17429361, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=99, algorithm=vendor}, type_id=7, confidentiality=freelance pty ferrari, modified_time_dt=2024-08-08T10:53:04.396853Z, type=Symbolic Link, 
xattributes={}, path=rear biology finest/nintendo.class/atlantic.icns, parent_folder=rear biology finest/nintendo.class, modified_time=1723114384396, name=atlantic.icns, hashes=[{value=0C900BDED46D1122DBC26B7D537D76633CD9937DF7B4C9C56ECFC151D2E269764BD92568B8FFD9877177AA338BB4EEE65DC5AE4D07BE354D503F9D3EF0B36007, algorithm_id=0, algorithm=Unknown}, {value=D0278DE5F6E5DF29D9C928BCB6D5A285EA17CE11, algorithm_id=2, algorithm=SHA-1}], desc=specific aside io}, cmd_line=canada federation computational, name=Offline, user={uid=6366010c-5574-11ef-bfe7-0242ac110005, type_id=1, domain=crops midi hope, name=Collectables, uid_alt=thunder pickup tab, type=User}, group={desc=muze comply jets}}, user={uid=6365822c-5574-11ef-95fb-0242ac110005, email_addr=Lynetta@lib.jobs, org={uid=63658ac4-5574-11ef-bea5-0242ac110005, name=jerry calling mardi, ou_name=motion ampland acknowledged}, type_id=99, type=recent, credential_uid=63659186-5574-11ef-a13d-0242ac110005}, group={uid=63659b86-5574-11ef-ac1a-0242ac110005, domain=explicitly retreat de, name=phys dollar not, type=foster prefer phys}}, tid=42, xattributes={}, uid=636504b4-5574-11ef-af4a-0242ac110005, file={owner={uid=6364960a-5574-11ef-ad32-0242ac110005, org={ou_uid=6364acb2-5574-11ef-b1ce-0242ac110005, uid=6364a60e-5574-11ef-aaf1-0242ac110005, name=arrive protecting fy, ou_name=cat saints infringement}, type_id=1, name=Nov, groups=[{uid=6364d64c-5574-11ef-a880-0242ac110005, name=head state rubber}, {uid=6364de3a-5574-11ef-9448-0242ac110005, name=catalyst strong mins, desc=consortium bald removing}], type=User}, product={path=internship progress gun, vendor_name=sp protection requests, lang=en, version=1.1.0}, type_id=7, type=Symbolic Link, version=1.1.0, path=executed removal years/among.yuv/employment.wma, parent_folder=executed removal years/among.yuv, accessed_time_dt=2024-08-08T10:53:04.389945Z, mime_type=medal/nearly, name=employment.wma, 
hashes=[{value=5E759101C609F4B740EF80E765AE365B2AF502D28946FFDB14A008BA3B8F3B38D22724597DB1A2727631E47BE95BF3DBC91421426B178885ABB756996AA2ED28, algorithm_id=5, algorithm=CTPH}, {value=BA5273E243BB87B0BDE0E2E45609708C95F1B8CD05342C435BFE11DDFE05790E8640967A0D5DB90EE7DC886350B9345D9484533BB633B821A82462D74B3318A8, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.389957Z, attributes=97}, cmd_line=macintosh enjoying disposal, name=Burning, user={uid=6364f62c-5574-11ef-be1d-0242ac110005, type_id=99, name=Without, type=celebs}, group={desc=allowance vacation ae}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.406915Z, uid=63646b44-5574-11ef-a77a-0242ac110005, file={path=diagnosis angeles portsmouth/travels.mpa/ba.3ds, created_time=1723114384386, parent_folder=diagnosis angeles portsmouth/travels.mpa, type_id=4, name=ba.3ds, hashes=[{value=50D299D6D7966A2DC1E0CF7FEB739E33, algorithm_id=1, algorithm=MD5}, {value=328AFE7E94B22225322E3B4913F934C50B1CBF2E70837C0DC87BE27DA150B3EBA052395D9A4CC1FB7FC4E8C89E2EFEB5DF2FD8EC79D5A1215267ABF6EE2505F9, algorithm_id=6, algorithm=TLSH}], created_time_dt=2024-08-08T10:53:04.386239Z, accessed_time=1723114384386, type=Block Device}, cmd_line=notre cameras draw, name=Scott, user={type_id=2, domain=amendment spot sudan, name=Kit, type=Admin}, group={uid=63646496-5574-11ef-bfc5-0242ac110005, name=passed rankings affects}}, user={uid=63641a22-5574-11ef-8919-0242ac110005, email_addr=Lauryn@reliance.travel, type_id=99, type=carmen, account={uid=636423be-5574-11ef-8304-0242ac110005, type_id=10, name=reef terrorist graduation, type=AWS Account}}, xattributes={}}, user={uid=6363b992-5574-11ef-9143-0242ac110005, name=Edgar, ldap_person={email_addrs=[Mariann@routine.net], deleted_time_dt=2024-08-08T10:53:04.382339Z, job_title=alto languages tanks}}, xattributes={}, group={uid=6363ca0e-5574-11ef-837d-0242ac110005, privileges=[ingredients pins connector], name=thinking offices worcester}}, tid=66, 
uid=63637afe-5574-11ef-b99b-0242ac110005, integrity=Protected, file={path=important companion consultancy/wallpaper.drv/plasma.3dm, parent_folder=important companion consultancy/wallpaper.drv, confidentiality_id=3, signature={certificate={created_time=1723114384380, subject=assuming remarks brass, expiration_time=1723114384380, serial_number=provinces medicine it, version=1.1.0, issuer=sheet registry concord, fingerprints=[{value=EC6B1A9A8BA16A6F215D2D1F3906D6499B49BE59A250E976C526E3C93470BEAF, algorithm_id=3, algorithm=SHA-256}, {value=E8F0948E22757C48DC176AC0971E4DC26962E907CD0016E2D3F3F85B10496DB3ADA83ABE28D5C02C0E75801F09CE16ECBC57DC728CA43C1AF4A195603D2E9D59, algorithm_id=5, algorithm=CTPH}]}, algorithm_id=0, algorithm=Unknown}, type_id=2, confidentiality=Secret, name=plasma.3dm, hashes=[{value=9159E7F170D8AC61900DA4485A05F8FA752EBB6B1271EB39B603C7BD22C9F591, algorithm_id=3, algorithm=SHA-256}, {value=208252F637543172F0D9AA5A077FB15DC8E779E2AB911FADCC37F9C807EB56EFBAC0FC78C2916944595F6C58BE380B5BA4AC2E0A76A1D10091E0847D61B627D5, algorithm_id=6, algorithm=TLSH}], type=Folder}, cmd_line=felt essay relax, name=Delight, user={email_addr=Numbers@si.coop, type_id=2, name=Focused, uid_alt=biggest stupid linking, type=Admin}, integrity_id=6, group={privileges=[costs anthropology nickname, nbc dns flex], name=jar transparency sing}}, user={uid=63630eca-5574-11ef-b29c-0242ac110005, email_addr=Classie@municipality.pro, org={uid=636317ee-5574-11ef-b39a-0242ac110005, name=mighty thou ff, ou_name=companies functions hockey}, type_id=0, name=Guys, groups=[{uid=636321d0-5574-11ef-ae4b-0242ac110005, domain=parties entertainment lemon, name=hood powers merely}, {privileges=[etc survey at, cohen mails bio], name=rise parcel bookmarks}], type=Unknown}, group={uid=63632d38-5574-11ef-85c8-0242ac110005, name=legislature normal lectures}}, terminated_time=1723114384406, uid=6362b0ec-5574-11ef-bb67-0242ac110005, integrity=System, file={path=regularly drivers 
sacred/rational.fla/wing.crdownload, created_time=1723114384374, product={uid=636288ba-5574-11ef-b671-0242ac110005, name=cr fat generators, vendor_name=conflicts feed receivers, lang=en, version=1.1.0}, parent_folder=regularly drivers sacred/rational.fla, modified_time=1723114384374, type_id=2, name=wing.crdownload, hashes=[{value=140C02576C0D51BBE84B1C70EEE68AD61D116AA6E8F7BBD899753EB4599951C5E2DF128141610C2F838E0C7181B50795297C0E8D1398FDAD5ED2095EA783FC02, algorithm_id=7, algorithm=quickXorHash}, {value=E405FA83FE9CFE003B49FD852D4429D0EFF2F914, algorithm_id=2, algorithm=SHA-1}], created_time_dt=2024-08-08T10:53:04.374525Z, attributes=39, type=Folder, xattributes={}}, cmd_line=railway filling consistent, name=Definitely, loaded_modules=[/fri/tall/bit/rap/meyer.hqx], user={uid=63629a58-5574-11ef-8c2b-0242ac110005, type_id=1, domain=adding merit extend, name=Influenced, type=User, credential_uid=6362a124-5574-11ef-a23f-0242ac110005}, integrity_id=5, group={uid=6362ab10-5574-11ef-adda-0242ac110005, domain=enterprises civil knowledge, desc=patch celebration lancaster}}, uid=6361f634-5574-11ef-87d8-0242ac110005, file={owner={type_id=2, name=Yoga, type=Admin}, path=variable their precipitation/moving.sql/python.bin, parent_folder=variable their precipitation/moving.sql, signature={certificate={created_time=1723114384368, subject=x tide described, expiration_time=1723114384368, serial_number=ultimate nervous george, version=1.1.0, issuer=equations different edward, fingerprints=[{value=90290C4ADF68C053210274BB5414BED2BC4FCB71C37F521FF4EDBF5AFF66421A60FED68A12C81359536FCF2B89DB3463979F17F089E68FEA0B179D5DEF6F3A00, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=4, algorithm=Authenticode}, mime_type=personnel/bids, type_id=99, name=python.bin, accessor={uid=6361bec6-5574-11ef-81b5-0242ac110005, type_id=99, domain=elizabeth cheapest solution, name=Jd, type=deviant}, 
hashes=[{value=2056009EE1A3B111E2E00906EDA7AD1AAC1EF242387CFB2CEE5B57763863C0EF228A7536B36C462A03C687D2F886BE6C218F00A2FC11674F8FF5454966830CB3, algorithm_id=5, algorithm=CTPH}], type=afghanistan}, cmd_line=distances participating maintenance, name=Versions, user={uid=6361cccc-5574-11ef-994f-0242ac110005, email_addr=Kristin@tion.net, org={uid=6361d546-5574-11ef-b2b3-0242ac110005, name=watts desktop hong}, type_id=99, name=Spring, type=nu, account={uid=6361dec4-5574-11ef-80de-0242ac110005, type_id=8, name=bd atom berkeley, type=Apple Account}}, group={uid=6361ef22-5574-11ef-8892-0242ac110005, name=academics secondary simon}}, user={uid=6360f752-5574-11ef-a1db-0242ac110005, type_id=3, name=Satisfaction, type=System, account={uid=636119d0-5574-11ef-a86d-0242ac110005, type_id=1, type=LDAP Account}, credential_uid=6361204c-5574-11ef-8854-0242ac110005}, group={uid=63612c22-5574-11ef-800b-0242ac110005, privileges=[joining boots aw, gang robust transport], name=flags gang blow, desc=mistakes prediction toy}}, group={uid=63604e4c-5574-11ef-9f32-0242ac110005, name=recommends pollution humans}}, tid=26, uid=635ffed8-5574-11ef-b0fd-0242ac110005, integrity=High, file={path=seem party existence/buried.3dm/lotus.pkg, created_time=1723114384355, is_system=true, parent_folder=seem party existence/buried.3dm, accessed_time_dt=2024-08-08T10:53:04.355980Z, type_id=5, confidentiality=belief hard romania, name=lotus.pkg, hashes=[{value=921DB9BE9AB2B726859E733D87A56CDEB799FBC45281315CFE4A7BAAF6BB9A1DD4359096B697BBB33B1DCA573CD79CB87614124DFA2B3C79768B3F29A7DBF0EF, algorithm_id=5, algorithm=CTPH}, {value=E9C848387AB1784EBC52FD937D18A8D44D2CF6BDBEB2BAB7B04E28413AE39FA4C07EAFA782325DD3B65A30B4AE8538D0ACCE7FC48BF1A3AB1B4651A5CFB050AA, algorithm_id=7, algorithm=quickXorHash}], attributes=31, type=Local Socket}, cmd_line=gamecube forbes described, name=Defense, user={uid=635fca94-5574-11ef-82f0-0242ac110005, type_id=99, name=Blogs, groups=[{uid=635fd57a-5574-11ef-84bc-0242ac110005, type=buyer 
spirit webcam}, {uid=635fe13c-5574-11ef-85a3-0242ac110005, name=cooperation meditation memo, desc=discretion fantastic tactics}], type=novel, ldap_person={leave_time=1723114384357, email_addrs=[Kimberley@sip.int], modified_time_dt=2024-08-08T10:53:04.357320Z}, credential_uid=635fe862-5574-11ef-ba0c-0242ac110005}, integrity_id=4, group={uid=635ff8a2-5574-11ef-af7e-0242ac110005, name=care viii external, type=right crowd crops, desc=appointed opponent written}}, user={uid=635f9c7c-5574-11ef-b4d1-0242ac110005, type_id=99, name=Lenses, uid_alt=penalty spray weight, type=dairy}}, uid=635f63d8-5574-11ef-8afe-0242ac110005, integrity=deutsche what indians, file={path=sports amp assess/explosion.sln/offered.avi, parent_folder=sports amp assess/explosion.sln, type_id=2, security_descriptor=salmon sister tucson, name=offered.avi, accessed_time=1723114384352, type=Folder}, cmd_line=reflects champion naughty, name=Gen, user={uid=635f51c2-5574-11ef-bad8-0242ac110005, type_id=0, name=Rest, type=Unknown}, group={uid=635f5d02-5574-11ef-be03-0242ac110005, privileges=[seasonal railroad already], name=produces consequence selling}}, xattributes={}, uid=635ef6dc-5574-11ef-a3ad-0242ac110005, file={signature={certificate={subject=durham sitting hiv, expiration_time=1723114384349, serial_number=field geek theater, version=1.1.0, issuer=eq designers loc, fingerprints=[{value=B133E6238B0833E7D12E8F6E64EABBFE2780E49FD028477670556B99E873D6C8CC7E38E25BAF9228F2324C513ECA25C63FF88415399CBD0FF61001ACC2BD0B10, algorithm_id=6, algorithm=TLSH}, {value=8B4AB0E3B292ED97FB8DCFB7C0267D1F7366F45CE8FDC2E3F0EAE57312A3F4D83BB72E25B072DF7E3416CF022B3276885495F9F245FE9CB67704AFD4B94EBF99, algorithm_id=7, algorithm=quickXorHash}]}, algorithm_id=2, algorithm=RSA}, type_id=4, type=Block Device, xattributes={}, path=newsletter tulsa locale/wait.cab/closing.3ds, uid=635ed24c-5574-11ef-9b19-0242ac110005, parent_folder=newsletter tulsa locale/wait.cab, modified_time=1723114384350, size=2333859778, 
mime_type=radio/minolta, security_descriptor=went stick curious, name=closing.3ds, hashes=[{value=65BD10756687E64C347423BA3836F065, algorithm_id=1, algorithm=MD5}, {value=B3140286AC71AD2ACF69681F4F2A907B0B83D8EDFBFFDD4E0A38C05A23180495, algorithm_id=3, algorithm=SHA-256}]}, cmd_line=statutes columnists commerce, name=Lm, created_time_dt=2024-08-08T10:53:04.407027Z, user={uid=635ee0e8-5574-11ef-ac61-0242ac110005, type_id=3, name=Gossip, type=System, credential_uid=635ee75a-5574-11ef-ac0c-0242ac110005}, group={uid=635ef114-5574-11ef-8c2b-0242ac110005, name=alcohol surprise http, desc=wales if adams}}, xattributes={}, terminated_time_dt=2024-08-08T10:53:04.407047Z, uid=635e817a-5574-11ef-850e-0242ac110005, integrity=ag disagree anymore, file={path=monkey refused genesis/pictures.cs/modification.php, parent_folder=monkey refused genesis/pictures.cs, confidentiality_id=1, type_id=1, confidentiality=Not Confidential, name=modification.php, attributes=27, type=Regular File}, cmd_line=rides vids label, name=Door, user={uid=635e6e38-5574-11ef-9132-0242ac110005, type_id=3, name=Roller, type=System}, group={uid=635e79b4-5574-11ef-b9e2-0242ac110005, privileges=[later conversion foreign, shadows phpbb ate], name=dogs republic occurrence, type=headers brunei ontario}}, user={uid=635e09a2-5574-11ef-8b02-0242ac110005, name=Greenhouse, uid_alt=nu tiny challenging}, terminated_time_dt=2024-08-08T10:53:04.407054Z, group={uid=635e1960-5574-11ef-bc86-0242ac110005, name=function bought terrace, desc=oo phase relocation}}, terminated_time_dt=2024-08-08T10:53:04.407066Z, uid=635d7fa0-5574-11ef-9af0-0242ac110005, file={created_time=1723114384339, creator={uid=635ce108-5574-11ef-b897-0242ac110005, type_id=3, name=Heel, uid_alt=rapidly specification instructional, type=System, account={uid=635d0a66-5574-11ef-bcd7-0242ac110005, type_id=4, name=discs sure enclosed, type=AWS IAM Role}}, signature={certificate={uid=635c43c4-5574-11ef-a8eb-0242ac110005, created_time=1723114384334, 
expiration_time_dt=2024-08-08T10:53:04.334601Z, subject=pets documentary mutual, expiration_time=1723114384334, serial_number=anything repair rank, version=1.1.0, issuer=rounds eds contests, fingerprints=[{value=4D78419C492968B9564F7F87CEBFA246405627A31D833B60027D564FB453A9F76CDBDF3D6229EFE19244F6B38DC9C1E531EC641A042F38CE33A3E62DEEB1E115, algorithm_id=7, algorithm=quickXorHash}]}, developer_uid=635c7e16-5574-11ef-b814-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=5, accessor={uid=635cc204-5574-11ef-85ce-0242ac110005, type_id=0, domain=weighted organize jim, name=Contents, type=Unknown}, type=Local Socket, version=1.1.0, xattributes={}, path=justin jm kenya/acknowledged.cgi/settled.exe, parent_folder=justin jm kenya/acknowledged.cgi, modified_time=1723114384340, accessed_time_dt=2024-08-08T10:53:04.340128Z, name=settled.exe, hashes=[{value=E3406337AAEB1C0AC1339EA8DBC6212C72E6551C007F921C64EADEDFC50CEAF2D661F48148C64A04B17DEC7D46C8D70913DA02218205F62B8170DF4110BEE8BE, algorithm_id=0, algorithm=Unknown}, {value=3F9D17F4A6D80A19A14E6E6464F3E85457666C674359CE0CCEBD5BF88B46CD79CC44F0213344FB06287280BC58AA62C13301DEC710F880AE66297C4F2F4477F4, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2024-08-08T10:53:04.340139Z}, cmd_line=masters treatments custody, name=Surprise, loaded_modules=[/desert/arch/conditional/mas/zinc.cgi, /direct/appendix/stated/partition/awareness.gam], user={uid=635d5bd8-5574-11ef-a7e3-0242ac110005, type_id=0, uid_alt=charging build burning, type=Unknown}, group={uid=635d7852-5574-11ef-8eaa-0242ac110005, privileges=[verbal spokesman stuart, audio mozambique mae], domain=remove ix couple, name=pendant alike china}}, terminated_time=1723114384407, uid=635bb51c-5574-11ef-96c1-0242ac110005, integrity=Low, file={creator={uid=635ab20c-5574-11ef-8a49-0242ac110005, type_id=99, name=Televisions, type=restaurant, ldap_person={modified_time=1723114384328, created_time_dt=2024-08-08T10:53:04.328333Z}}, type_id=2, confidentiality=dare assembly 
conflicts, modified_time_dt=2024-08-08T10:53:04.328440Z, type=Folder, path=qc stunning upcoming/freelance.b/stop.rom, parent_folder=qc stunning upcoming/freelance.b, size=184463636, accessed_time_dt=2024-08-08T10:53:04.328434Z, security_descriptor=streets teacher movie, name=stop.rom, hashes=[{value=D6DF1AB7AC275F8C7AFF9D010CCFD0DB08BBE2D8, algorithm_id=2, algorithm=SHA-1}, {value=A99E2AF60B8C1ACE6169FBA74BE6B9CB5ECA5D5A24F28F39E4EC50A265F7F5F4, algorithm_id=3, algorithm=SHA-256}], attributes=8, accessed_time=1723114384328}, cmd_line=assignment position expression, user={uid=635b94ec-5574-11ef-90e7-0242ac110005, type_id=2, name=Fountain, type=Admin}, integrity_id=2, group={uid=635baaf4-5574-11ef-8c3f-0242ac110005, name=lang drivers mood}}}, xattributes={}, uid=63581182-5574-11ef-aeb6-0242ac110005, integrity=delivering shaved mexico, egid=31, file={path=pre memo parish/bibliographic.db/kerry.sdf, product={uid=6357b6b0-5574-11ef-9715-0242ac110005, cpe_name=realty contributions melissa, name=forum activists cancelled, vendor_name=actress mess enjoyed, version=1.1.0}, creator={uid=6357f01c-5574-11ef-9c74-0242ac110005, type_id=0, name=Filme, type=Unknown}, parent_folder=pre memo parish/bibliographic.db, mime_type=architecture/hall, type_id=99, modifier={uid=6357d28a-5574-11ef-b53e-0242ac110005, type_id=3, domain=theology suzuki inn, name=Criterion, groups=[{name=meanwhile vid contributed}, {uid=6357dc9e-5574-11ef-a420-0242ac110005, name=difference white sensors, type=chef laos flat, desc=undertake carried ones}], uid_alt=repair trains victim, type=System, account={type_id=9, name=fans car enable, type=Linux Account}, credential_uid=6357e5f4-5574-11ef-8af6-0242ac110005}, security_descriptor=volvo workflow pros, name=kerry.sdf, hashes=[{value=35431593FE35166DB2935F72C55A3E0A8F8255878BACFF713A775559201158B2429DDF8B60D7FC65E8A640435ECA4BE8239A740FE91DA7560AC32207BF2F73AB, algorithm_id=6, algorithm=TLSH}, 
{value=BA2F52D229E66F7D965D4AAFDBB382D12FBA5669FBE91F4700E0B7A9355279E7FC2108CAA3AAB2AA5DDAD12B63AC6953845DD468A203773BE8FC734CE9FF93AB, algorithm_id=5, algorithm=CTPH}], type=terrorist}, cmd_line=mentor dust attending, group={uid=63580af2-5574-11ef-88eb-0242ac110005, name=mad integrity assessment, type=glossary scotia pete}}, user={uid=63576804-5574-11ef-9ed9-0242ac110005, type_id=0, name=Pavilion, type=Unknown, credential_uid=63576e4e-5574-11ef-85ed-0242ac110005}, tid=93, group={uid=6357784e-5574-11ef-9c0c-0242ac110005, name=sale point solutions}}, tid=82, uid=6356ef50-5574-11ef-9f3f-0242ac110005, integrity=System, file={owner={uid=6356c534-5574-11ef-9ab7-0242ac110005, full_name=Henry Tonja, name=Answer}, path=defining inch factors/ist.mpa/creations.ico, created_time=1723114384297, product={uid=6356cfa2-5574-11ef-a798-0242ac110005, name=amateur bristol cuba, vendor_name=gentleman quit confirm, version=1.1.0}, parent_folder=defining inch factors/ist.mpa, accessed_time_dt=2024-08-08T10:53:04.297651Z, type_id=99, name=creations.ico, hashes=[{value=0976ABA0D430405622A00981BC58C6F16D2A40F1, algorithm_id=2, algorithm=SHA-1}, {value=36324C961DBB9EF924720EB1C5F7E53B29AD9EF8D2A5A4CF1FD2686CCF8FC21A7A1368175B23CFFF36A4DB33D4F7C399148E923594A5667C996C53E9AB311088, algorithm_id=4, algorithm=SHA-512}], created_time_dt=2024-08-08T10:53:04.297659Z, type=ti}, cmd_line=capable homepage reject, name=Dead, user={uid=6356e906-5574-11ef-bcbc-0242ac110005, type_id=2, name=Theatre, type=Admin}, integrity_id=5}, user={uid=63568cfe-5574-11ef-9336-0242ac110005, full_name=Gussie Leila, email_addr=Claire@longitude.arpa, type_id=99, name=Paint, type=creative}, group={uid=635698ac-5574-11ef-a457-0242ac110005, name=prince enhance terrain, desc=dual yacht replace}}", + "pid": 24, + "session": { + "created_time": "2024-08-08T10:53:04.293Z", + "expiration_time": "2024-08-08T10:53:04.293Z", + "expiration_time_dt": "2024-08-08T10:53:04.293Z", + "is_remote": false, + "issuer": "watt ips cash", + 
"uid": "63562c6e-5574-11ef-a07c-0242ac110005", + "uuid": "635632b8-5574-11ef-8dc9-0242ac110005" + }, + "uid": "635663a0-5574-11ef-b2fa-0242ac110005", + "user": { + "domain": "shortly payments endorsement", + "type": "User", + "type_id": "1", + "uid": "6356532e-5574-11ef-a4a6-0242ac110005", + "uid_alt": "mysql syria beaches" + } + }, + "pid": 95, + "sandbox": "numbers audience guard", + "terminated_time_dt": "2024-08-08T10:53:04.407Z", + "uid": "6355ece0-5574-11ef-9b58-0242ac110005", + "user": { + "credential_uid": "6355da02-5574-11ef-89ed-0242ac110005", + "domain": "random john findlaw", + "full_name": "Alexander Helena", + "groups": [ + { + "name": "rural legislature built", + "privileges": [ + "clearing transfer worthy", + "jim pdas remind" + ], + "type": "harm slovakia tone", + "uid": "6355ca8a-5574-11ef-8efb-0242ac110005" + }, + { + "domain": "seeing dynamics qualified", + "uid": "6355d2aa-5574-11ef-8276-0242ac110005" + } + ], + "type": "Unknown", + "type_id": "0", + "uid_alt": "providing arms servers" + } + }, + "user": { + "domain": "distance predicted facilities", + "name": "Boy", + "type": "Admin", + "type_id": "2", + "uid": "63679120-5574-11ef-be81-0242ac110005" + } + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "File Hosting Activity", + "class_uid": "6006", + "cloud": { + "provider": "diabetes gaps ag", + "region": "act ran entity" + }, + "dst_endpoint": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "4447CDB3261C7AE4F053DC296FEE1093F25F731D23A692D5819318F1901FDEC79EB2CA760BABCD759285BAE417ACD21FC64BB623583834C076F16FA9A53F1107" + }, + "image": { + "name": "routing playback sb", + "uid": "63539e90-5574-11ef-9508-0242ac110005" + }, + "name": "twelve will royalty", + "orchestrator": "georgia rr scheduled", + "pod_uuid": "municipality", + "runtime": "lopez bulletin thru", + "size": 2829011720, + "tag": "grain alert score", + "uid": "63539300-5574-11ef-82a9-0242ac110005" + }, + 
"instance_uid": "6353a91c-5574-11ef-b5fc-0242ac110005", + "interface_name": "ideas utility possible", + "interface_uid": "6353afd4-5574-11ef-b86c-0242ac110005", + "ip": "226.140.221.18", + "name": "full essentials size", + "namespace_pid": 72, + "os": { + "build": "walking thermal neck", + "name": "mailing possibilities either", + "type": "AIX", + "type_id": 401, + "version": "1.1.0" + }, + "port": 55506, + "proxy_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "71FAFC4E2FC1E47E234762A96B80512B6B5534C2" + }, + "image": { + "labels": [ + "commit", + "walter" + ], + "name": "weblogs grad offices", + "uid": "6353ca32-5574-11ef-8405-0242ac110005" + }, + "name": "programmes relevance boot", + "orchestrator": "mic waiting gains", + "size": 2534954875 + }, + "hostname": "guided.name", + "instance_uid": "6353d496-5574-11ef-ba97-0242ac110005", + "interface_name": "nato pray consult", + "interface_uid": "6353db12-5574-11ef-861d-0242ac110005", + "ip": "35.105.135.121", + "location": { + "city": "Establishment kind", + "continent": "North America", + "coordinates": [ + 90.6576, + -34.4194 + ], + "country": "GP", + "desc": "Guadeloupe" + }, + "name": "lit canberra terminology", + "namespace_pid": 17, + "port": 64602, + "proxy_endpoint": { + "container": { + "hash": { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "555F45D31B82ABEEDB74D75EACB96817602160400F9A16B894CB77D68292FE96CFDCF573199918FB36F17CCC5B1B99A9ABBB62D931C518CC5D6A05A5659B534C" + }, + "image": { + "name": "amount dividend oregon", + "uid": "6353ff98-5574-11ef-8eac-0242ac110005" + }, + "name": "produces integrate invitation", + "size": 3462840380, + "tag": "locks circuit hindu", + "uid": "6353f70a-5574-11ef-a129-0242ac110005" + }, + "domain": "equipped disagree kevin", + "hostname": "challenged.travel", + "hw_info": { + "cpu_cores": 9, + "cpu_count": 87, + "cpu_speed": 32, + "keyboard_info": { + "keyboard_type": "tries dramatically undo" + } + }, + 
"instance_uid": "63540c0e-5574-11ef-98f2-0242ac110005", + "interface_name": "detroit handbags discuss", + "interface_uid": "63541294-5574-11ef-aa42-0242ac110005", + "ip": "114.100.167.141", + "name": "slides weird discussion", + "namespace_pid": 67, + "port": 38178, + "svc_name": "discovered occurs presidential", + "type": "Server", + "type_id": 1, + "uid": "6353ed14-5574-11ef-a94e-0242ac110005", + "zone": "little tucson operations" + }, + "svc_name": "history it exp", + "type": "IOT", + "type_id": 7, + "uid": "6353bf1a-5574-11ef-be0c-0242ac110005", + "zone": "join your encourage" + }, + "svc_name": "gl dropped workforce", + "type": "ssl", + "type_id": 99, + "uid": "635383ba-5574-11ef-bd0d-0242ac110005" + }, + "file": { + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8" + }, + { + "algorithm": "SHA-256", + "algorithm_id": "3", + "value": "4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984" + } + ], + "modifier": { + "account": { + "name": "interactions minister lamps", + "type": "Windows Account", + "type_id": "2", + "uid": "635347c4-5574-11ef-a25d-0242ac110005" + }, + "credential_uid": "63534eea-5574-11ef-8a7c-0242ac110005", + "ldap_person": { + "created_time": 1723114384275, + "email_addrs": [ + "Leonida@consoles.gov" + ], + "given_name": "routines identical brunswick", + "hire_time": 1723114384275, + "job_title": "voted awareness pt", + "leave_time_dt": "2024-08-08T10:53:04.275331Z", + "modified_time": 1723114384275 + }, + "name": "Scenic", + "type": "User", + "type_id": "1", + "uid": "63533b6c-5574-11ef-bfed-0242ac110005" + }, + "name": "ate.cue", + "parent_folder": "wiki optimization counter/prohibited.ai", + "path": "wiki optimization counter/prohibited.ai/ate.cue", + "signature": { + "algorithm": "Unknown", + "algorithm_id": "0", + "certificate": { + "created_time": 
"2024-08-08T10:53:04.273Z", + "created_time_dt": "2024-08-08T10:53:04.273Z", + "expiration_time": "2024-08-08T10:53:04.273Z", + "fingerprints": [ + { + "algorithm": "SHA-512", + "algorithm_id": "4", + "value": "367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9" + } + ], + "issuer": "warning cute armor", + "serial_number": "qld undergraduate cowboy", + "subject": "advised chess egyptian", + "version": "1.1.0" + }, + "created_time": "2024-08-08T10:53:04.273Z" + }, + "type": "Folder", + "type_id": "2", + "version": "1.1.0" + }, + "message": "epa stanley speech", + "metadata": { + "correlation_uid": "635472c0-5574-11ef-8c5d-0242ac110005", + "event_code": "sessions", + "log_name": "standing band submission", + "logged_time": "2024-08-08T10:53:04.282Z", + "original_time": "sum shipped decreased", + "product": { + "name": "cooling florist anna", + "path": "avoid meeting appear", + "uid": "63545eac-5574-11ef-8bb1-0242ac110005", + "vendor_name": "buying fa joel", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "version": "1.1.0" + }, + "observables": [ + { + "name": "affiliated fuji ralph", + "type": "Hostname", + "type_id": "1" + }, + { + "name": "sponsored fw illustrated", + "type": "Hostname", + "type_id": "1" + } + ], + "severity": "Low", + "severity_id": 2, + "src_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "6DE8A320862880F35A99FE4448414E898831DCCD" + }, + "image": { + "labels": [ + "difficulties", + "confusion" + ], + "name": "clause material fort", + "uid": "635540f6-5574-11ef-bbdd-0242ac110005" + }, + "name": 
"involvement buses bowling", + "size": 509766084, + "tag": "lawyers genre trained", + "uid": "635539f8-5574-11ef-b41d-0242ac110005" + }, + "hostname": "generic.edu", + "instance_uid": "63554826-5574-11ef-973b-0242ac110005", + "interface_name": "collections setting twelve", + "interface_uid": "63554c86-5574-11ef-90cb-0242ac110005", + "ip": "175.16.199.0", + "mac": "E4-C5-2D-FD-E6-16-2B-96", + "name": "allah pain blues", + "svc_name": "welding minute invention", + "type": "Hub", + "type_id": 11, + "uid": "63552c6a-5574-11ef-847f-0242ac110005" + }, + "status": "Unknown", + "status_id": "0", + "time": "2024-08-08T10:53:04.287Z", + "timezone_offset": 56, + "type_name": "File Hosting Activity: Move", + "type_uid": "600607" + }, + "process": { + "command_line": "syndication traveler charges", + "end": "2024-08-08T10:53:04.407Z", + "entity_id": "6355ece0-5574-11ef-9b58-0242ac110005", + "group": { + "id": [ + "6355e5e2-5574-11ef-b983-0242ac110005" + ], + "name": "manage livestock tribes" + }, + "name": "Eden", + "parent": { + "command_line": "asks eight printed", + "entity_id": "635663a0-5574-11ef-b2fa-0242ac110005", + "group": { + "id": [ + "63565dba-5574-11ef-80bf-0242ac110005" + ] + }, + "name": "Outreach", + "pid": 24, + "start": "2024-08-08T10:53:04.295Z", + "user": { + "domain": "shortly payments endorsement", + "id": [ + "6356532e-5574-11ef-a4a6-0242ac110005" + ] + } + }, + "pid": 95, + "start": "2024-08-08T10:53:04.292Z", + "user": { + "domain": "random john findlaw", + "full_name": "Alexander Helena", + "group": { + "id": [ + "6355ca8a-5574-11ef-8efb-0242ac110005", + "6355d2aa-5574-11ef-8276-0242ac110005" + ], + "name": [ + "rural legislature built" + ] + } + } + }, + "related": { + "hash": [ + "10EFC79292FD96E5C3DDF56D50E2BF33CB5A2EC1", + "28E532D56B18548CC0B68A63311D2DCD2D258B2F", + "695BF60E03F83A36699AF46519E8E584", + "D0A3630555BBEC7FC05A98D311C23B00FD1AB4D8296AC4A4125976D80B6A6959", + 
"F6B8BFDD92E45272F30B728D921EF2A47DD9D950600D885830D30532F39E2A5688B4797CF0B172989E4C95B557B2497E98AC07417E8766E06BDFFEBDEBBE76C8", + "4A2B4592EAC6D75C3BD4FE50308A2316D54BC427F65F109C7EC4105B6467C984", + "367C62D5A1EE13A74F11A143DB9DD2389B73DE066483521D1905177739F6EB41DE30BDAFD42E95AF3306EF8BC6273C97A75C8276B592B1D5FCC7458F1EBBEB03", + "DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9" + ], + "hosts": [ + "generic.edu" + ], + "ip": [ + "175.16.199.0", + "226.140.221.18" + ], + "user": [ + "Alexander Helena", + "63679120-5574-11ef-be81-0242ac110005", + "Boy", + "6356532e-5574-11ef-a4a6-0242ac110005", + "Sunni@holders.jobs", + "6356478a-5574-11ef-bd16-0242ac110005", + "mysql syria beaches", + "Blaine@highlight.pro", + "Melodee Norma", + "Resource", + "6355ab18-5574-11ef-bc66-0242ac110005", + "Lura@consolidated.mil", + "Dimensional", + "63556d6a-5574-11ef-ac26-0242ac110005", + "providing arms servers", + "Scenic", + "63533b6c-5574-11ef-bfed-0242ac110005" + ] + }, + "source": { + "domain": [ + "generic.edu" + ], + "ip": "175.16.199.0", + "mac": "E4-C5-2D-FD-E6-16-2B-96" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "distance predicted facilities", + "id": "63679120-5574-11ef-be81-0242ac110005", + "name": "Boy" + } } ] -} \ No newline at end of file +} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml index 08ff342ecf4b..b990043214a2 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-common-config.yml 
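Review bot: The `related.*` enrichment in this expected document misses the nested endpoints. `related.hosts` holds only `generic.edu` and `related.ip` only `175.16.199.0` and `226.140.221.18`, while `dst_endpoint.proxy_endpoint` carries `guided.name` / `35.105.135.121` and its nested `proxy_endpoint` carries `challenged.travel` / `114.100.167.141`; the container hashes under `dst_endpoint.container.hash`, both proxy containers and `src_endpoint.container.hash` are likewise absent from `related.hash`. If the pipeline is meant to stop at the first nesting level, say so in the README limitations note; otherwise the `related.*` append steps should walk the proxy chain. Separately, enum identifiers are emitted with mixed types in one document (`"status_id": "0"`, `"category_uid": "6"`, `file.hashes[].algorithm_id` `"6"` as strings, but `severity_id`, `dst_endpoint.type_id` and `container.hash.algorithm_id` as numbers), which is exactly what the `numeric_keyword_fields` list in the test config has to paper over; converting all `*_id` / `*_uid` enums to one type in the pipeline would make the fixtures and the field mappings simpler.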
@@ -4,3 +4,17 @@ fields: - preserve_duplicate_custom_fields numeric_keyword_fields: - ocsf.malware.classification_ids + - ocsf.user.ldap_person.manager.account.type_id + - ocsf.dst_endpoint.type_id + - ocsf.scan.type_id + - ocsf.scan.type_id + - ocsf.src_endpoint.type_id + - ocsf.src_endpoint.type_id + - ocsf.type_id + - ocsf.user.ldap_person.manager.type_id + - ocsf.resources.owner.type_id + - ocsf.resources.owner.type_id + - ocsf.dst_endpoint.type_id + - ocsf.proxy_endpoint.type_id + - ocsf.src_endpoint.type_id + - ocsf.security_states.state_id diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log index 02aa10f13f38..d746bdcc6a43 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log 
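Review bot: The added `numeric_keyword_fields` entries contain duplicates: `ocsf.scan.type_id`, `ocsf.resources.owner.type_id` and `ocsf.dst_endpoint.type_id` each appear twice and `ocsf.src_endpoint.type_id` three times. Deduplicate the list so that the test config stays readable and a future reviewer can see at a glance which fields are intentionally compared as keywords.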
@@ -1,2 +1,6 @@ {"count":73,"message":"flags feel absolute","cis_benchmark_result": {"rule": {"category": "descidhscate", "desc": "rule_description", "name": "rule_name", "uid":"rule123", "version": "0.1.0"}},"status":"creativity","time":1695277679358,"device":{"name":"ranked murder listing","type":"Desktop","ip":"81.2.69.142","uid":"023e2564-5848-11ee-9c42-0242ac110005","hostname":"lucas.pro","type_id":2,"subnet":"49.28.0.0\/16","autoscale_uid":"023de734-5848-11ee-b193-0242ac110005","instance_uid":"023dec02-5848-11ee-8203-0242ac110005","interface_name":"jerry street buried","interface_uid":"023e1a06-5848-11ee-89c6-0242ac110005","region":"inline contains milwaukee","risk_level":"russell customized absolutely","risk_score":36,"uid_alt":"burst premier reverse","vpc_uid":"023e205a-5848-11ee-a8d6-0242ac110005","modified_time_dt":"2023-09-21T06:27:59.357977Z","first_seen_time_dt":"2023-09-21T06:27:59.356353Z"},"metadata":{"version":"1.0.0","extension":{"name":"chess entry productive","version":"1.0.0","uid":"023dccfe-5848-11ee-8227-0242ac110005"},"product":{"name":"legal subsidiary eleven","version":"1.0.0","path":"financial spot tennis","uid":"023dd33e-5848-11ee-aa6d-0242ac110005","vendor_name":"assumes podcast went"},"profiles":["cloud","container","datetime","host"],"correlation_uid":"023dd7c6-5848-11ee-9d4d-0242ac110005","log_provider":"reliance trust interim","original_time":"database darwin area","processed_time_dt":"2023-09-21T06:27:59.356124Z"},"severity":"Fatal","type_name":"Device Config State: Collect","activity_id":2,"type_uid":500202,"category_name":"Discovery","class_uid":5002,"category_uid":5,"class_name":"Device Config State","timezone_offset":0,"activity_name":"Collect","cloud":{"org":{"uid":"023dbdcc-5848-11ee-bd54-0242ac110005","ou_name":"determined apr sheets"},"provider":"mathematical inclusive insured","region":"gravity bids tennis"},"enrichments":[{"data":{"inexpensive":"abddfg"},"name":"preview belarus licking","type":"separation passes 
distance","value":"magnitude cancellation weed","provider":"surgical disaster individually"}],"severity_id":6,"status_id":99} {"message":"poster thongs assumptions","status":"Success","time":1695277679358,"device":{"name":"craig functioning literally","type":"Laptop","os":{"name":"spy chronic casual","type":"Android","version":"1.0.0","build":"dozen oval removing","type_id":201,"lang":"en","edition":"nightmare engineers carter"},"location":{"desc":"Reunion","city":"Porcelain senior","country":"RE","coordinates":[-161.6608,-47.0418],"continent":"Africa"},"uid":"7f256308-584d-11ee-8de0-0242ac110005","image":{"name":"saudi enhanced surgical","uid":"7f2554b2-584d-11ee-b26b-0242ac110005"},"mac":"C6:49:F0:76:1D:13:CE:F7","type_id":3,"autoscale_uid":"7f25415c-584d-11ee-b3fc-0242ac110005","hw_info":{"cpu_bits":66},"instance_uid":"7f254ea4-584d-11ee-a68f-0242ac110005","interface_name":"watt profile rs","is_personal":false,"last_seen_time":1695277679358,"region":"airport leaves kitchen","risk_level":"organizational economic connecticut"},"metadata":{"version":"1.0.0","product":{"name":"butterfly knight log","version":"1.0.0","uid":"7f25336a-584d-11ee-b2a5-0242ac110005","lang":"en","vendor_name":"disciplinary rec report"},"profiles":["cloud","container","datetime","host"],"event_code":"spelling","log_name":"len falling educational","log_provider":"tales asset extremely","log_version":"learners headlines linear","original_time":"programmers less barcelona","processed_time":1695280036393},"severity":"Critical","type_name":"Device Inventory Info: Collect","activity_id":2,"type_uid":500102,"category_name":"Discovery","class_uid":5001,"category_uid":5,"class_name":"Device Inventory Info","timezone_offset":65,"activity_name":"Collect","cloud":{"org":{"name":"black lets promotions","ou_name":"recover sol revolutionary"},"provider":"mod force sailing","region":"ticket resident buried"},"enrichments":[{"data":{"nintendo":"abcd"},"name":"visual mv bottom","type":"calibration basics 
quebec","value":"alice stick spray","provider":"lucy permanent trips"}],"severity_id":5,"status_code":"vancouver","status_id":1,"start_time_dt":"2023-09-21T07:07:16.394812Z"} +{"activity_id":1,"activity_name":"Login Attempt","actor":{"authorizations":[{"decision":"allow","policy":{"desc":"Allow login","group":{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"},"name":"Login Policy","uid":"pol101","version":"1.0"}}],"idp":{"name":"IDP Service","uid":"idp101"},"invoked_by":"web_app","process":{"cmd_line":"/usr/bin/login","created_time":1672444800,"file":{"accessed_time":1672531200,"accessor":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":null,"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"},"attributes":777,"company_name":"Example Corp","confidentiality":"high","confidentiality_id":2,"created_time":1672444800,"creator":null,"desc":"Login script","hashes":[{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}],"is_system":true,"mime_type":"application/x-sh","modified_time":1672444800,"modifier":null,"name":"login.sh","owner":null,"parent_folder":"/usr/bin","path":"/usr/bin/login.sh","product":null,"security_descriptor":"D:P(A;;FA;;;BA)","signature":{"algorithm":"RSA","algorithm_id":1,"certificate":{"created_time":1577836800,"expiration_time":1893456000,"fingerprints":[{"algorithm":"SHA-1","algorithm_id":3,"value":"abc123"}],"issuer":"Example CA","serial_number":"123456","subject":"Example 
Corp","uid":"cert101","version":"1"},"created_time":1672444800,"developer_uid":"dev101","digest":{"algorithm":"SHA-256","algorithm_id":4,"value":"abcd1234"}},"size":2048,"type":"script","type_id":1,"uid":"file101","version":"1.0","xattributes":{}},"integrity":"valid","integrity_id":1,"lineage":["/sbin/init","/usr/bin/login"],"loaded_modules":["pam","bash"],"name":"login","parent_process":null,"pid":1234,"sandbox":"none","session":null,"terminated_time":1672531200,"tid":5678,"uid":"proc101","user":null,"xattributes":{}},"session":{"count":1,"created_time":1672444800,"credential_uid":"cred101","expiration_reason":"timeout","expiration_time":1672531200,"is_mfa":true,"is_remote":false,"is_vpn":false,"issuer":"IDP Service","terminal":"pts/1","uid":"sess101","uid_alt":"sess102","uuid":"uuid-1234"},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers 
Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}},"category_name":"User Activity","category_uid":5,"class_name":"Login Events","class_uid":5003,"count":1,"duration":3600,"end_time":1672531200,"enrichments":[{"data":{},"name":"GeoIP Enrichment","provider":"GeoIP Service","type":"location","value":"San Francisco, USA"}],"message":"User John Doe attempted a login from San Francisco.","metadata":{"correlation_uid":"cor-1234","event_code":"login_attempt","extension":{"name":"Login Extension","uid":"ext-1234","version":"1.0"},"extensions":[],"labels":["security"],"log_level":"info","log_name":"user_activity","log_provider":"Example Provider","log_version":"1.0","logged_time":1672444800,"loggers":[],"modified_time":1672444800,"original_time":"2023-01-01T00:00:00Z","processed_time":1672531200,"product":{"cpe_name":"cpe:/a:example:product","feature":{"name":"Login Feature","uid":"fea-1234","version":"1.0"},"lang":"en","name":"User Activity Logger","path":"/var/log/user_activity","uid":"prod-1234","url_string":"https://example.com","vendor_name":"Example Vendor","version":"1.0"},"profiles":["default"],"sequence":1,"tenant_uid":"tenant123","uid":"evt-1234","version":"1.0"},"observables":[{"name":"San Francisco","reputation":{"base_score":90,"provider":"GeoIP Service","score":"high","score_id":1},"type":"location","type_id":2,"value":"San Francisco, 
USA"}],"raw_data":"raw_event_data","severity":"medium","severity_id":2,"start_time":1672444800,"status":"processed","status_code":"200","status_detail":"Event processed successfully.","status_id":1,"time":1672444800,"timezone_offset":-8,"type_name":"login_event","type_uid":1001,"unmapped":{},"user":{"account":{"name":"john.doe","type":"user","type_id":1,"uid":"acc101"},"credential_uid":"cred101","domain":"example.com","email_addr":"john.doe@example.com","full_name":"John Doe","groups":[{"desc":"Employee Group","domain":"example.com","name":"employees","privileges":["read","write"],"type":"internal","uid":"grp101"}],"ldap_person":{"cost_center":"IT","created_time":1577836800,"deleted_time":null,"email_addrs":["john.doe@example.com"],"employee_uid":"emp101","given_name":"John","hire_time":1546300800,"job_title":"System Administrator","labels":["full-time"],"last_login_time":1672444800,"ldap_cn":"john_doe_cn","ldap_dn":"cn=John Doe,ou=users,dc=example,dc=com","leave_time":null,"location":{"city":"San Francisco","continent":"North America","coordinates":[37.7749,-122.4194],"country":"USA","desc":"Head Office","is_on_premises":true,"isp":"Example ISP","postal_code":"94103","provider":"Example Provider","region":"California"},"manager":{"account":{"name":"jane.manager","type":"user","type_id":1,"uid":"acc102"},"credential_uid":"cred102","domain":"example.com","email_addr":"jane.manager@example.com","full_name":"Jane Manager","groups":[{"desc":"Managers Group","domain":"example.com","name":"managers","privileges":["read","write","manage"],"type":"internal","uid":"grp102"}],"ldap_person":null,"name":"Jane Manager","org":{"name":"Example Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr102","uid_alt":"jane_manager_alt"},"modified_time":1622505600,"office_location":"Building A","surname":"Doe"},"name":"John Doe","org":{"name":"Example 
Corp","ou_name":"IT","ou_uid":"ou101","uid":"org101"},"type":"user","type_id":1,"uid":"usr101","uid_alt":"john_doe_alt"}} +{"message":"ol avatar webster","status":"jim","time":1722592439954199,"device":{"name":"sk feat cups","type":"Browser","ip":"81.2.69.144","location":{"desc":"Burundi, Republic of","city":"Randy wellington","country":"BI","coordinates":[-44.0959,34.4006],"continent":"Africa"},"hostname":"surfaces.biz","uid":"2444035c-50b5-11ef-be7d-0242ac110005","type_id":8,"container":{"name":"ent give c","size":2809284742,"uid":"2444104a-50b5-11ef-a8ef-0242ac110005","image":{"name":"rt href dubai","tag":"team established germany","path":"enhancing zope celtic","uid":"24441aea-50b5-11ef-a95e-0242ac110005","labels":["determines","dirt"]},"hash":{"value":"A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8","algorithm":"Unknown","algorithm_id":0},"orchestrator":"carries pretty ranks"},"instance_uid":"2443f740-50b5-11ef-8557-0242ac110005","interface_name":"mb built rip","interface_uid":"24442436-50b5-11ef-a4a7-0242ac110005","is_managed":false,"is_trusted":true,"last_seen_time":1722592439950666,"region":"topic toshiba inform","risk_score":3,"vlan_uid":"2443ec0a-50b5-11ef-95ed-0242ac110005","zone":"percent databases fairfield","first_seen_time_dt":"2024-08-02T09:53:59.950879Z"},"metadata":{"version":"1.1.0","extension":{"name":"columbia merely switzerland","version":"1.1.0","uid":"24428c98-50b5-11ef-955a-0242ac110005"},"product":{"name":"semi boston electric","path":"norm eggs ranges","uid":"24429a8a-50b5-11ef-924a-0242ac110005","vendor_name":"gauge thereby modes"},"log_level":"ata ty announcements","sequence":29,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"correlation_uid":"2442a34a-50b5-11ef-adc6-0242ac110005","log_name":"orientation will game","log_provider":"rod seasons weed","loggers":[{"name":"netherlands 
devoted extensive","device":{"name":"tender harmony powerseller","type":"Laptop","os":{"name":"ian distributor collectible","type":"HP-UX","type_id":402,"cpu_bits":9},"ip":"97.19.65.133","uid":"24433d8c-50b5-11ef-b570-0242ac110005","type_id":3,"subnet":"164.124.0.0/16","autoscale_uid":"24432c02-50b5-11ef-b1ff-0242ac110005","container":{"size":2010633241,"uid":"2443498a-50b5-11ef-ae6c-0242ac110005","image":{"name":"anxiety patents return","uid":"2443540c-50b5-11ef-8146-0242ac110005","labels":["intimate","momentum"]},"hash":{"value":"FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F","algorithm":"magic","algorithm_id":99}},"imei":"relatively drums significantly","instance_uid":"2443362a-50b5-11ef-b381-0242ac110005","interface_name":"own monitoring ph","interface_uid":"24435e02-50b5-11ef-81a2-0242ac110005","is_managed":true,"is_personal":false,"namespace_pid":85,"region":"impacts trackbacks authentication","uid_alt":"kelkoo clinics nearby"},"product":{"name":"herself market quote","version":"1.1.0","uid":"2443cb58-50b5-11ef-b723-0242ac110005","cpe_name":"locale memorabilia board","url_string":"belt","vendor_name":"ultimately permalink scenes"},"log_name":"jul pregnant carrying","log_provider":"specifically executive dosage","transmit_time_dt":"2024-08-02T09:53:59.950077Z"}],"modified_time":1722592439950096,"original_time":"livecam yearly isbn","processed_time":1722592439950110,"tenant_uid":"2443d6b6-50b5-11ef-8908-0242ac110005","modified_time_dt":"2024-08-02T09:53:59.950313Z"},"severity":"Low","duration":84,"type_name":"Operating System Patch State: Unknown","activity_id":0,"type_uid":500400,"category_name":"Discovery","class_uid":5004,"category_uid":5,"class_name":"Operating System Patch State","timezone_offset":54,"activity_name":"Unknown","cloud":{"project_uid":"244256a6-50b5-11ef-b514-0242ac110005","provider":"examined thumbzilla applies","region":"refugees england number"},"kb_article_list":[{"os":{"name":"pills conversations dave","type":"Windows 
Mobile","type_id":101,"lang":"en","edition":"liechtenstein wildlife rooms"},"title":"survey chinese wales","uid":"24443296-50b5-11ef-a50c-0242ac110005","severity":"spectacular durham aw","bulletin":"mauritius journalists shaved"},{"os":{"name":"reaches ridge signatures","type":"overseas","version":"1.1.0","type_id":99,"cpe_name":"almost advertisement oe","cpu_bits":7},"product":{"name":"recorder engaging widescreen","version":"1.1.0","uid":"244462f2-50b5-11ef-86a0-0242ac110005","lang":"en","cpe_name":"stuffed robots bras","vendor_name":"spring russian core"},"uid":"24446d6a-50b5-11ef-ac9c-0242ac110005","severity":"paso strictly after","src_url":"reserved"}],"severity_id":2,"status_id":99} +{"message":"suppose intimate restaurant","status":"mayor jewel fixes","time":1723105732280760,"device":{"type":"Server","ip":"233.56.87.14","hostname":"scores.museum","uid":"3e55aa52-5560-11ef-b18f-0242ac110005","org":{"uid":"3e55922e-5560-11ef-8631-0242ac110005","ou_name":"gourmet biographies avon","ou_uid":"3e55997c-5560-11ef-b188-0242ac110005"},"type_id":1,"container":{"name":"china elections nathan","runtime":"fail gmc swap","size":72520595,"uid":"3e55b7a4-5560-11ef-96a7-0242ac110005","image":{"name":"ceo fly grenada","uid":"3e55c60e-5560-11ef-b505-0242ac110005"},"hash":{"value":"57799DCAEC3A56379406B2C2D009F1CEC4582CC018A5EA2902010D23F77C9604AC49FFDF893574E772F722ED8989C6E29473647F4D6751DBB0C22B88E9C07596","algorithm":"quickXorHash","algorithm_id":7},"network_driver":"british makeup series"},"first_seen_time":1723105732279498,"imei":"opt specializing courses","instance_uid":"3e559fb2-5560-11ef-b12b-0242ac110005","interface_name":"wet logos memorial","interface_uid":"3e55cfbe-5560-11ef-b385-0242ac110005","last_seen_time":1723105732278612,"namespace_pid":42,"network_interfaces":[{"name":"ext nasty pants","type":"Wireless","ip":"175.16.199.0","hostname":"description.travel","mac":"5A:10:D1:50:15:9A:55:A6","type_id":2}],"region":"wyoming founded 
blond","risk_level":"Low","risk_level_id":1,"vlan_uid":"3e558716-5560-11ef-8b46-0242ac110005"},"metadata":{"version":"1.1.0","product":{"name":"unions held pal","version":"1.1.0","uid":"3e54e914-5560-11ef-a37e-0242ac110005","url_string":"davidson","vendor_name":"dental magazines describing"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"event_code":"exceptional","log_name":"should ld recruiting","log_provider":"reducing descriptions andrea","modified_time":1723105732274878,"original_time":"gorgeous sometimes normal","processed_time":1723105732274895,"tenant_uid":"3e54f35a-5560-11ef-a63f-0242ac110005"},"severity":"Unknown","api":{"request":{"data":"except","uid":"3e55dcca-5560-11ef-8d98-0242ac110005"},"response":{"error":"disputes gardens passive","code":23,"flags":["int gadgets alliance","half blake tone"],"message":"art tunisia irish","error_message":"finish marine developers"},"operation":"hd inner forgot"},"type_name":"Device Config State Change: Unknown","activity_id":0,"type_uid":501900,"observables":[{"name":"betting joe uncertainty","type":"Unknown","type_id":0},{"name":"stations effectiveness bizrate","type":"IP Address","type_id":2,"reputation":{"base_score":70.4967,"provider":"murray office chronicles","score":"Malicious","score_id":10}}],"category_name":"Discovery","class_uid":5019,"category_uid":5,"class_name":"Device Config State Change","timezone_offset":41,"end_time_dt":"2024-08-08T08:28:52.280748Z","activity_name":"Unknown","cloud":{"provider":"prepaid policy genetic","region":"unusual accuracy coordinate","zone":"median conference permalink"},"security_level":"suppliers inf fabric","severity_id":0} +{"message":"enabling pushing tee","status":"Failure","time":1723106695785986,"device":{"type":"Laptop","domain":"parts patents bios","ip":"175.16.199.0","hostname":"apparel.store","uid":"7ca10520-5562-11ef-994f-0242ac110005","image":{"name":"you therapy 
gaming","uid":"7ca0ff12-5562-11ef-a321-0242ac110005"},"type_id":3,"created_time":1723106695785069,"hypervisor":"weblog operates spanish","instance_uid":"7ca0f4f4-5562-11ef-9585-0242ac110005","interface_name":"individually assembled riders","interface_uid":"7ca10bd8-5562-11ef-a0b4-0242ac110005","is_compliant":true,"modified_time":1723106695785112,"region":"click added cars"},"metadata":{"version":"1.1.0","product":{"name":"use four webpage","version":"1.1.0","uid":"7c9fb288-5562-11ef-850c-0242ac110005","feature":{"name":"iii exceptional erotica","version":"1.1.0","uid":"7c9fbdfa-5562-11ef-b36a-0242ac110005"},"url_string":"light","vendor_name":"whatever chan might"},"profiles":[],"event_code":"recognized","log_name":"durable flex field","loggers":[{"name":"senator babies ou","device":{"name":"camcorder zoning projector","type":"Server","os":{"name":"pottery laws resident","type":"Unknown","country":"Haiti, Republic of","type_id":0},"domain":"pain brilliant html","ip":"177.30.168.240","hostname":"array.mil","uid":"7ca01610-5562-11ef-80c2-0242ac110005","image":{"name":"threaded reduction registry","uid":"7ca00f80-5562-11ef-9605-0242ac110005"},"type_id":1,"instance_uid":"7ca00508-5562-11ef-aef5-0242ac110005","interface_name":"smoke shorts historic","interface_uid":"7ca01d0e-5562-11ef-8a28-0242ac110005","is_personal":true,"modified_time":1723106695779060,"network_interfaces":[{"type":"Wired","ip":"162.67.186.104","hostname":"majority.int","mac":"A5:AD:3C:E2:45:BB:1F:BD","type_id":1,"subnet_prefix":63},{"name":"fujitsu specials encourages","type":"Mobile","ip":"61.37.184.176","hostname":"signal.biz","mac":"42:EC:71:C:44:87:4D:3F","type_id":3}],"region":"enforcement mls cabinet","risk_score":32,"subnet_uid":"7c9ff360-5562-11ef-a23d-0242ac110005"},"product":{"version":"1.1.0","uid":"7ca028a8-5562-11ef-9f4e-0242ac110005","lang":"en","cpe_name":"eddie m loop","vendor_name":"wild stack ing"},"uid":"7ca02fe2-5562-11ef-85c4-0242ac110005","log_name":"virus estimated 
hospitality","log_provider":"snapshot survive ruled"},{"name":"photo missing lions","version":"1.1.0","device":{"name":"barrier problems southampton","type":"Unknown","ip":"178.130.62.185","location":{"desc":"Nauru, Republic of","city":"Corrections presence","country":"NR","coordinates":[-87.1695,-2.0139],"continent":"Oceania"},"hostname":"traveller.org","uid":"7ca0bd86-5562-11ef-913a-0242ac110005","groups":[{"type":"train fm brain","uid":"7ca0a350-5562-11ef-a3c7-0242ac110005","privileges":["airlines ricky practitioner","hometown nh fair"]}],"type_id":0,"subnet":"239.0.0.0/8","instance_uid":"7ca0b64c-5562-11ef-9d6d-0242ac110005","interface_name":"accompanied lesson color","interface_uid":"7ca0c466-5562-11ef-abf1-0242ac110005","is_compliant":true,"is_personal":true,"modified_time":1723106695783536,"region":"careers eval haiti","subnet_uid":"7ca0aaf8-5562-11ef-825e-0242ac110005","uid_alt":"square washington foster"},"product":{"name":"sh buttons specialties","version":"1.1.0","vendor_name":"acrylic pace draws"},"uid":"7ca0ceca-5562-11ef-844f-0242ac110005","log_name":"tagged mainstream equal","log_provider":"certified denial agree"}],"original_time":"fireplace chapel support","tenant_uid":"7ca0d924-5562-11ef-9d5f-0242ac110005"},"severity":"Critical","type_name":"Device Config State Change: Other","activity_id":99,"type_uid":501999,"observables":[{"name":"savage humanity jail","type":"shots","value":"lived creator planning","type_id":99}],"category_name":"Discovery","class_uid":5019,"category_uid":5,"class_name":"Device Config State Change","timezone_offset":85,"end_time":1723106695784773,"activity_name":"fraser","security_states":[{},{"state":"Protection malfunction","state_id":5}],"enrichments":[{"data":"mpeg","name":"needs included bag","type":"palestine spin down","value":"gay from titans","provider":"sherman centers profession"}],"prev_security_states":[{},{}],"severity_id":5,"status_id":2} 
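Review bot: The first added event in this hunk (the "Login Attempt" record) does not follow the OCSF identifier conventions the other added fixtures use, so it is worth either aligning it or commenting that it is deliberately malformed. Its `class_uid` is 5003 under `category_uid` 5 but it carries `"class_name":"Login Events"` and `"category_name":"User Activity"`, and its `type_uid` is 1001, whereas the later events compute `type_uid` as `class_uid * 100 + activity_id` (5004/0 gives 500400, 5019/99 gives 501999), which for this event would be 500301. The same event gives the "San Francisco" observable `"type":"location","type_id":2`, while the Device Config State Change event uses `"type":"IP Address","type_id":2`, so one of the two is wrong. Its digests (`"SHA-256"` with value `"abcd1234"`, `"SHA-1"` fingerprint `"abc123"`) are not plausible digest lengths, so the fixture cannot reveal any hash-length handling in the pipeline; realistic-length placeholder values would make the test more useful. Finally, this event uses second-resolution epoch times (`"time":1672444800`) while the other three use microseconds (`"time":1722592439954199`); if covering both resolutions is intentional, a short comment in the test log header saying so would save the next reader from treating it as a typo.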
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json index 9866d1851a10..0a003b0f2c21 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-discovery.log-expected.json 
@@ -316,6 +316,1281 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "2022-12-31T00:00:00.000Z", + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "login-attempt", + "code": "login_attempt", + "duration": 3600000000, + "end": "2023-01-01T00:00:00.000Z", + "id": "evt-1234", + "kind": "event", + "original": "{\"activity_id\":1,\"activity_name\":\"Login Attempt\",\"actor\":{\"authorizations\":[{\"decision\":\"allow\",\"policy\":{\"desc\":\"Allow login\",\"group\":{\"desc\":\"Employee Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"},\"name\":\"Login Policy\",\"uid\":\"pol101\",\"version\":\"1.0\"}}],\"idp\":{\"name\":\"IDP Service\",\"uid\":\"idp101\"},\"invoked_by\":\"web_app\",\"process\":{\"cmd_line\":\"/usr/bin/login\",\"created_time\":1672444800,\"file\":{\"accessed_time\":1672531200,\"accessor\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":null,\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"},\"attributes\":777,\"company_name\":\"Example Corp\",\"confidentiality\":\"high\",\"confidentiality_id\":2,\"created_time\":1672444800,\"creator\":null,\"desc\":\"Login 
script\",\"hashes\":[{\"algorithm\":\"SHA-256\",\"algorithm_id\":4,\"value\":\"abcd1234\"}],\"is_system\":true,\"mime_type\":\"application/x-sh\",\"modified_time\":1672444800,\"modifier\":null,\"name\":\"login.sh\",\"owner\":null,\"parent_folder\":\"/usr/bin\",\"path\":\"/usr/bin/login.sh\",\"product\":null,\"security_descriptor\":\"D:P(A;;FA;;;BA)\",\"signature\":{\"algorithm\":\"RSA\",\"algorithm_id\":1,\"certificate\":{\"created_time\":1577836800,\"expiration_time\":1893456000,\"fingerprints\":[{\"algorithm\":\"SHA-1\",\"algorithm_id\":3,\"value\":\"abc123\"}],\"issuer\":\"Example CA\",\"serial_number\":\"123456\",\"subject\":\"Example Corp\",\"uid\":\"cert101\",\"version\":\"1\"},\"created_time\":1672444800,\"developer_uid\":\"dev101\",\"digest\":{\"algorithm\":\"SHA-256\",\"algorithm_id\":4,\"value\":\"abcd1234\"}},\"size\":2048,\"type\":\"script\",\"type_id\":1,\"uid\":\"file101\",\"version\":\"1.0\",\"xattributes\":{}},\"integrity\":\"valid\",\"integrity_id\":1,\"lineage\":[\"/sbin/init\",\"/usr/bin/login\"],\"loaded_modules\":[\"pam\",\"bash\"],\"name\":\"login\",\"parent_process\":null,\"pid\":1234,\"sandbox\":\"none\",\"session\":null,\"terminated_time\":1672531200,\"tid\":5678,\"uid\":\"proc101\",\"user\":null,\"xattributes\":{}},\"session\":{\"count\":1,\"created_time\":1672444800,\"credential_uid\":\"cred101\",\"expiration_reason\":\"timeout\",\"expiration_time\":1672531200,\"is_mfa\":true,\"is_remote\":false,\"is_vpn\":false,\"issuer\":\"IDP Service\",\"terminal\":\"pts/1\",\"uid\":\"sess101\",\"uid_alt\":\"sess102\",\"uuid\":\"uuid-1234\"},\"user\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee 
Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":{\"cost_center\":\"IT\",\"created_time\":1577836800,\"deleted_time\":null,\"email_addrs\":[\"john.doe@example.com\"],\"employee_uid\":\"emp101\",\"given_name\":\"John\",\"hire_time\":1546300800,\"job_title\":\"System Administrator\",\"labels\":[\"full-time\"],\"last_login_time\":1672444800,\"ldap_cn\":\"john_doe_cn\",\"ldap_dn\":\"cn=John Doe,ou=users,dc=example,dc=com\",\"leave_time\":null,\"location\":{\"city\":\"San Francisco\",\"continent\":\"North America\",\"coordinates\":[37.7749,-122.4194],\"country\":\"USA\",\"desc\":\"Head Office\",\"is_on_premises\":true,\"isp\":\"Example ISP\",\"postal_code\":\"94103\",\"provider\":\"Example Provider\",\"region\":\"California\"},\"manager\":{\"account\":{\"name\":\"jane.manager\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc102\"},\"credential_uid\":\"cred102\",\"domain\":\"example.com\",\"email_addr\":\"jane.manager@example.com\",\"full_name\":\"Jane Manager\",\"groups\":[{\"desc\":\"Managers Group\",\"domain\":\"example.com\",\"name\":\"managers\",\"privileges\":[\"read\",\"write\",\"manage\"],\"type\":\"internal\",\"uid\":\"grp102\"}],\"ldap_person\":null,\"name\":\"Jane Manager\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr102\",\"uid_alt\":\"jane_manager_alt\"},\"modified_time\":1622505600,\"office_location\":\"Building A\",\"surname\":\"Doe\"},\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"}},\"category_name\":\"User Activity\",\"category_uid\":5,\"class_name\":\"Login Events\",\"class_uid\":5003,\"count\":1,\"duration\":3600,\"end_time\":1672531200,\"enrichments\":[{\"data\":{},\"name\":\"GeoIP 
Enrichment\",\"provider\":\"GeoIP Service\",\"type\":\"location\",\"value\":\"San Francisco, USA\"}],\"message\":\"User John Doe attempted a login from San Francisco.\",\"metadata\":{\"correlation_uid\":\"cor-1234\",\"event_code\":\"login_attempt\",\"extension\":{\"name\":\"Login Extension\",\"uid\":\"ext-1234\",\"version\":\"1.0\"},\"extensions\":[],\"labels\":[\"security\"],\"log_level\":\"info\",\"log_name\":\"user_activity\",\"log_provider\":\"Example Provider\",\"log_version\":\"1.0\",\"logged_time\":1672444800,\"loggers\":[],\"modified_time\":1672444800,\"original_time\":\"2023-01-01T00:00:00Z\",\"processed_time\":1672531200,\"product\":{\"cpe_name\":\"cpe:/a:example:product\",\"feature\":{\"name\":\"Login Feature\",\"uid\":\"fea-1234\",\"version\":\"1.0\"},\"lang\":\"en\",\"name\":\"User Activity Logger\",\"path\":\"/var/log/user_activity\",\"uid\":\"prod-1234\",\"url_string\":\"https://example.com\",\"vendor_name\":\"Example Vendor\",\"version\":\"1.0\"},\"profiles\":[\"default\"],\"sequence\":1,\"tenant_uid\":\"tenant123\",\"uid\":\"evt-1234\",\"version\":\"1.0\"},\"observables\":[{\"name\":\"San Francisco\",\"reputation\":{\"base_score\":90,\"provider\":\"GeoIP Service\",\"score\":\"high\",\"score_id\":1},\"type\":\"location\",\"type_id\":2,\"value\":\"San Francisco, USA\"}],\"raw_data\":\"raw_event_data\",\"severity\":\"medium\",\"severity_id\":2,\"start_time\":1672444800,\"status\":\"processed\",\"status_code\":\"200\",\"status_detail\":\"Event processed successfully.\",\"status_id\":1,\"time\":1672444800,\"timezone_offset\":-8,\"type_name\":\"login_event\",\"type_uid\":1001,\"unmapped\":{},\"user\":{\"account\":{\"name\":\"john.doe\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc101\"},\"credential_uid\":\"cred101\",\"domain\":\"example.com\",\"email_addr\":\"john.doe@example.com\",\"full_name\":\"John Doe\",\"groups\":[{\"desc\":\"Employee 
Group\",\"domain\":\"example.com\",\"name\":\"employees\",\"privileges\":[\"read\",\"write\"],\"type\":\"internal\",\"uid\":\"grp101\"}],\"ldap_person\":{\"cost_center\":\"IT\",\"created_time\":1577836800,\"deleted_time\":null,\"email_addrs\":[\"john.doe@example.com\"],\"employee_uid\":\"emp101\",\"given_name\":\"John\",\"hire_time\":1546300800,\"job_title\":\"System Administrator\",\"labels\":[\"full-time\"],\"last_login_time\":1672444800,\"ldap_cn\":\"john_doe_cn\",\"ldap_dn\":\"cn=John Doe,ou=users,dc=example,dc=com\",\"leave_time\":null,\"location\":{\"city\":\"San Francisco\",\"continent\":\"North America\",\"coordinates\":[37.7749,-122.4194],\"country\":\"USA\",\"desc\":\"Head Office\",\"is_on_premises\":true,\"isp\":\"Example ISP\",\"postal_code\":\"94103\",\"provider\":\"Example Provider\",\"region\":\"California\"},\"manager\":{\"account\":{\"name\":\"jane.manager\",\"type\":\"user\",\"type_id\":1,\"uid\":\"acc102\"},\"credential_uid\":\"cred102\",\"domain\":\"example.com\",\"email_addr\":\"jane.manager@example.com\",\"full_name\":\"Jane Manager\",\"groups\":[{\"desc\":\"Managers Group\",\"domain\":\"example.com\",\"name\":\"managers\",\"privileges\":[\"read\",\"write\",\"manage\"],\"type\":\"internal\",\"uid\":\"grp102\"}],\"ldap_person\":null,\"name\":\"Jane Manager\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr102\",\"uid_alt\":\"jane_manager_alt\"},\"modified_time\":1622505600,\"office_location\":\"Building A\",\"surname\":\"Doe\"},\"name\":\"John Doe\",\"org\":{\"name\":\"Example Corp\",\"ou_name\":\"IT\",\"ou_uid\":\"ou101\",\"uid\":\"org101\"},\"type\":\"user\",\"type_id\":1,\"uid\":\"usr101\",\"uid_alt\":\"john_doe_alt\"}}", + "outcome": "success", + "provider": "Example Provider", + "sequence": 1, + "severity": 2, + "start": "2022-12-31T00:00:00.000Z", + "type": [ + "info" + ] + }, + "file": { + "accessed": "2023-01-01T00:00:00.000Z", + "created": 
"2022-12-31T00:00:00.000Z", + "directory": "/usr/bin", + "hash": { + "sha256": [ + "abcd1234" + ] + }, + "inode": "file101", + "mime_type": "application/x-sh", + "mtime": "2022-12-31T00:00:00.000Z", + "name": "login.sh", + "path": "/usr/bin/login.sh", + "size": 2048, + "type": "script", + "x509": { + "issuer": { + "distinguished_name": "Example CA" + }, + "not_after": "2030-01-01T00:00:00.000Z", + "serial_number": "123456", + "subject": { + "distinguished_name": "Example Corp" + }, + "version_number": "1" + } + }, + "message": "User John Doe attempted a login from San Francisco.", + "ocsf": { + "activity_id": "1", + "activity_name": "Login Attempt", + "actor": { + "authorizations": [ + { + "decision": "allow", + "policy": { + "desc": "Allow login", + "group": { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + }, + "name": "Login Policy", + "uid": "pol101", + "version": "1.0" + } + } + ], + "idp": { + "name": "IDP Service", + "uid": "idp101" + }, + "invoked_by": "web_app", + "process": { + "cmd_line": "/usr/bin/login", + "created_time": "2022-12-31T00:00:00.000Z", + "file": { + "accessed_time": "2023-01-01T00:00:00.000Z", + "accessor": { + "account": { + "name": "john.doe", + "type": "user", + "type_id": "1", + "uid": "acc101" + }, + "credential_uid": "cred101", + "domain": "example.com", + "email_addr": "john.doe@example.com", + "full_name": "John Doe", + "groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "name": "John Doe", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": "1", + "uid": "usr101", + "uid_alt": "john_doe_alt" + }, + "attributes": 777, + "company_name": "Example Corp", + "confidentiality": "high", + "confidentiality_id": 
"2", + "created_time": "2022-12-31T00:00:00.000Z", + "desc": "Login script", + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": "4", + "value": "abcd1234" + } + ], + "is_system": true, + "mime_type": "application/x-sh", + "modified_time": "2022-12-31T00:00:00.000Z", + "name": "login.sh", + "parent_folder": "/usr/bin", + "path": "/usr/bin/login.sh", + "security_descriptor": "D:P(A;;FA;;;BA)", + "signature": { + "algorithm": "RSA", + "algorithm_id": "1", + "certificate": { + "created_time": "2020-01-01T00:00:00.000Z", + "expiration_time": "2030-01-01T00:00:00.000Z", + "fingerprints": [ + { + "algorithm": "SHA-1", + "algorithm_id": "3", + "value": "abc123" + } + ], + "issuer": "Example CA", + "serial_number": "123456", + "subject": "Example Corp", + "uid": "cert101", + "version": "1" + }, + "created_time": "2022-12-31T00:00:00.000Z", + "developer_uid": "dev101", + "digest": { + "algorithm": "SHA-256", + "algorithm_id": "4", + "value": "abcd1234" + } + }, + "size": 2048, + "type": "script", + "type_id": "1", + "uid": "file101", + "version": "1.0" + }, + "integrity": "valid", + "integrity_id": "1", + "lineage": [ + "/sbin/init", + "/usr/bin/login" + ], + "loaded_modules": [ + "pam", + "bash" + ], + "name": "login", + "pid": 1234, + "sandbox": "none", + "terminated_time": "2023-01-01T00:00:00.000Z", + "tid": 5678, + "uid": "proc101" + }, + "session": { + "count": 1, + "created_time": "2022-12-31T00:00:00.000Z", + "credential_uid": "cred101", + "expiration_reason": "timeout", + "expiration_time": "2023-01-01T00:00:00.000Z", + "is_mfa": true, + "is_remote": false, + "is_vpn": false, + "issuer": "IDP Service", + "terminal": "pts/1", + "uid": "sess101", + "uid_alt": "sess102", + "uuid": "uuid-1234" + }, + "user": { + "account": { + "name": "john.doe", + "type": "user", + "type_id": "1", + "uid": "acc101" + }, + "credential_uid": "cred101", + "domain": "example.com", + "email_addr": "john.doe@example.com", + "full_name": "John Doe", + "groups": [ + { + "desc": 
"Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "ldap_person": { + "cost_center": "IT", + "created_time": 1577836800000, + "email_addrs": [ + "john.doe@example.com" + ], + "employee_uid": "emp101", + "given_name": "John", + "hire_time": 1546300800000, + "job_title": "System Administrator", + "labels": [ + "full-time" + ], + "last_login_time": 1672444800000, + "ldap_cn": "john_doe_cn", + "ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", + "location": { + "city": "San Francisco", + "continent": "North America", + "coordinates": [ + 37.7749, + -122.4194 + ], + "country": "USA", + "desc": "Head Office", + "is_on_premises": true, + "isp": "Example ISP", + "postal_code": "94103", + "provider": "Example Provider", + "region": "California" + }, + "manager": { + "account": { + "name": "jane.manager", + "type": "user", + "type_id": 1, + "uid": "acc102" + }, + "credential_uid": "cred102", + "domain": "example.com", + "email_addr": "jane.manager@example.com", + "full_name": "Jane Manager", + "groups": [ + { + "desc": "Managers Group", + "domain": "example.com", + "name": "managers", + "privileges": [ + "read", + "write", + "manage" + ], + "type": "internal", + "uid": "grp102" + } + ], + "name": "Jane Manager", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": 1, + "uid": "usr102", + "uid_alt": "jane_manager_alt" + }, + "modified_time": 1622505600000, + "office_location": "Building A", + "surname": "Doe" + }, + "name": "John Doe", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": "1", + "uid": "usr101", + "uid_alt": "john_doe_alt" + } + }, + "category_name": "User Activity", + "category_uid": "5", + "class_name": "Login Events", + "class_uid": "5003", + "count": 1, + "duration": 3600, + "end_time": 
"2023-01-01T00:00:00.000Z", + "enrichments": [ + { + "name": "GeoIP Enrichment", + "provider": "GeoIP Service", + "type": "location", + "value": "San Francisco, USA" + } + ], + "message": "User John Doe attempted a login from San Francisco.", + "metadata": { + "correlation_uid": "cor-1234", + "event_code": "login_attempt", + "extension": { + "name": "Login Extension", + "uid": "ext-1234", + "version": "1.0" + }, + "labels": [ + "security" + ], + "log_level": "info", + "log_name": "user_activity", + "log_provider": "Example Provider", + "log_version": "1.0", + "logged_time": "2022-12-31T00:00:00.000Z", + "modified_time": "2022-12-31T00:00:00.000Z", + "original_time": "2023-01-01T00:00:00Z", + "processed_time": "2023-01-01T00:00:00.000Z", + "product": { + "cpe_name": "cpe:/a:example:product", + "feature": { + "name": "Login Feature", + "uid": "fea-1234", + "version": "1.0" + }, + "lang": "en", + "name": "User Activity Logger", + "path": "/var/log/user_activity", + "uid": "prod-1234", + "url_string": "https://example.com", + "vendor_name": "Example Vendor", + "version": "1.0" + }, + "profiles": [ + "default" + ], + "sequence": 1, + "tenant_uid": "tenant123", + "uid": "evt-1234", + "version": "1.0" + }, + "observables": [ + { + "name": "San Francisco", + "reputation": { + "base_score": 90.0, + "provider": "GeoIP Service", + "score": "high", + "score_id": "1" + }, + "type": "location", + "type_id": "2", + "value": "San Francisco, USA" + } + ], + "raw_data_keyword": "raw_event_data", + "severity": "medium", + "severity_id": 2, + "start_time": "2022-12-31T00:00:00.000Z", + "status": "processed", + "status_code": "200", + "status_detail": "Event processed successfully.", + "status_id": "1", + "time": "2022-12-31T00:00:00.000Z", + "timezone_offset": -8, + "type_name": "login_event", + "type_uid": "1001", + "user": { + "account": { + "name": "john.doe", + "type": "user", + "type_id": "1", + "uid": "acc101" + }, + "credential_uid": "cred101", + "domain": "example.com", + 
"email_addr": "john.doe@example.com", + "full_name": "John Doe", + "groups": [ + { + "desc": "Employee Group", + "domain": "example.com", + "name": "employees", + "privileges": [ + "read", + "write" + ], + "type": "internal", + "uid": "grp101" + } + ], + "ldap_person": { + "cost_center": "IT", + "created_time": 1577836800000, + "email_addrs": [ + "john.doe@example.com" + ], + "employee_uid": "emp101", + "given_name": "John", + "hire_time": 1546300800000, + "job_title": "System Administrator", + "labels": [ + "full-time" + ], + "last_login_time": 1672444800000, + "ldap_cn": "john_doe_cn", + "ldap_dn": "cn=John Doe,ou=users,dc=example,dc=com", + "location": { + "city": "San Francisco", + "continent": "North America", + "coordinates": [ + 37.7749, + -122.4194 + ], + "country": "USA", + "desc": "Head Office", + "is_on_premises": true, + "isp": "Example ISP", + "postal_code": "94103", + "provider": "Example Provider", + "region": "California" + }, + "manager": { + "account": { + "name": "jane.manager", + "type": "user", + "type_id": 1, + "uid": "acc102" + }, + "credential_uid": "cred102", + "domain": "example.com", + "email_addr": "jane.manager@example.com", + "full_name": "Jane Manager", + "groups": [ + { + "desc": "Managers Group", + "domain": "example.com", + "name": "managers", + "privileges": [ + "read", + "write", + "manage" + ], + "type": "internal", + "uid": "grp102" + } + ], + "name": "Jane Manager", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": 1, + "uid": "usr102", + "uid_alt": "jane_manager_alt" + }, + "modified_time": 1622505600000, + "office_location": "Building A", + "surname": "Doe" + }, + "name": "John Doe", + "org": { + "name": "Example Corp", + "ou_name": "IT", + "ou_uid": "ou101", + "uid": "org101" + }, + "type": "user", + "type_id": "1", + "uid": "usr101", + "uid_alt": "john_doe_alt" + } + }, + "process": { + "command_line": "/usr/bin/login", + "end": 
"2023-01-01T00:00:00.000Z", + "entity_id": "proc101", + "name": "login", + "pid": 1234, + "start": "2022-12-31T00:00:00.000Z", + "thread": { + "id": 5678 + } + }, + "related": { + "hash": [ + "abcd1234", + "abc123" + ], + "user": [ + "john.doe@example.com", + "John Doe", + "usr101", + "john_doe_alt" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "security" + ], + "user": { + "domain": "example.com", + "email": "john.doe@example.com", + "full_name": "John Doe", + "group": { + "id": [ + "grp101" + ], + "name": [ + "employees" + ] + }, + "id": "usr101", + "name": "John Doe", + "target": { + "domain": "example.com", + "email": "john.doe@example.com", + "full_name": "John Doe", + "group": { + "id": [ + "grp101" + ], + "name": [ + "employees" + ] + }, + "id": "usr101", + "name": "John Doe" + } + } + }, + { + "@timestamp": "2024-08-02T09:53:59.954Z", + "cloud": { + "project": { + "id": "244256a6-50b5-11ef-b514-0242ac110005" + }, + "provider": "examined thumbzilla applies", + "region": "refugees england number" + }, + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "unknown", + "duration": 84000000, + "kind": "event", + "original": "{\"message\":\"ol avatar webster\",\"status\":\"jim\",\"time\":1722592439954199,\"device\":{\"name\":\"sk feat cups\",\"type\":\"Browser\",\"ip\":\"81.2.69.144\",\"location\":{\"desc\":\"Burundi, Republic of\",\"city\":\"Randy wellington\",\"country\":\"BI\",\"coordinates\":[-44.0959,34.4006],\"continent\":\"Africa\"},\"hostname\":\"surfaces.biz\",\"uid\":\"2444035c-50b5-11ef-be7d-0242ac110005\",\"type_id\":8,\"container\":{\"name\":\"ent give c\",\"size\":2809284742,\"uid\":\"2444104a-50b5-11ef-a8ef-0242ac110005\",\"image\":{\"name\":\"rt href dubai\",\"tag\":\"team established germany\",\"path\":\"enhancing zope 
celtic\",\"uid\":\"24441aea-50b5-11ef-a95e-0242ac110005\",\"labels\":[\"determines\",\"dirt\"]},\"hash\":{\"value\":\"A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"orchestrator\":\"carries pretty ranks\"},\"instance_uid\":\"2443f740-50b5-11ef-8557-0242ac110005\",\"interface_name\":\"mb built rip\",\"interface_uid\":\"24442436-50b5-11ef-a4a7-0242ac110005\",\"is_managed\":false,\"is_trusted\":true,\"last_seen_time\":1722592439950666,\"region\":\"topic toshiba inform\",\"risk_score\":3,\"vlan_uid\":\"2443ec0a-50b5-11ef-95ed-0242ac110005\",\"zone\":\"percent databases fairfield\",\"first_seen_time_dt\":\"2024-08-02T09:53:59.950879Z\"},\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"columbia merely switzerland\",\"version\":\"1.1.0\",\"uid\":\"24428c98-50b5-11ef-955a-0242ac110005\"},\"product\":{\"name\":\"semi boston electric\",\"path\":\"norm eggs ranges\",\"uid\":\"24429a8a-50b5-11ef-924a-0242ac110005\",\"vendor_name\":\"gauge thereby modes\"},\"log_level\":\"ata ty announcements\",\"sequence\":29,\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"correlation_uid\":\"2442a34a-50b5-11ef-adc6-0242ac110005\",\"log_name\":\"orientation will game\",\"log_provider\":\"rod seasons weed\",\"loggers\":[{\"name\":\"netherlands devoted extensive\",\"device\":{\"name\":\"tender harmony powerseller\",\"type\":\"Laptop\",\"os\":{\"name\":\"ian distributor collectible\",\"type\":\"HP-UX\",\"type_id\":402,\"cpu_bits\":9},\"ip\":\"97.19.65.133\",\"uid\":\"24433d8c-50b5-11ef-b570-0242ac110005\",\"type_id\":3,\"subnet\":\"164.124.0.0/16\",\"autoscale_uid\":\"24432c02-50b5-11ef-b1ff-0242ac110005\",\"container\":{\"size\":2010633241,\"uid\":\"2443498a-50b5-11ef-ae6c-0242ac110005\",\"image\":{\"name\":\"anxiety patents 
return\",\"uid\":\"2443540c-50b5-11ef-8146-0242ac110005\",\"labels\":[\"intimate\",\"momentum\"]},\"hash\":{\"value\":\"FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"imei\":\"relatively drums significantly\",\"instance_uid\":\"2443362a-50b5-11ef-b381-0242ac110005\",\"interface_name\":\"own monitoring ph\",\"interface_uid\":\"24435e02-50b5-11ef-81a2-0242ac110005\",\"is_managed\":true,\"is_personal\":false,\"namespace_pid\":85,\"region\":\"impacts trackbacks authentication\",\"uid_alt\":\"kelkoo clinics nearby\"},\"product\":{\"name\":\"herself market quote\",\"version\":\"1.1.0\",\"uid\":\"2443cb58-50b5-11ef-b723-0242ac110005\",\"cpe_name\":\"locale memorabilia board\",\"url_string\":\"belt\",\"vendor_name\":\"ultimately permalink scenes\"},\"log_name\":\"jul pregnant carrying\",\"log_provider\":\"specifically executive dosage\",\"transmit_time_dt\":\"2024-08-02T09:53:59.950077Z\"}],\"modified_time\":1722592439950096,\"original_time\":\"livecam yearly isbn\",\"processed_time\":1722592439950110,\"tenant_uid\":\"2443d6b6-50b5-11ef-8908-0242ac110005\",\"modified_time_dt\":\"2024-08-02T09:53:59.950313Z\"},\"severity\":\"Low\",\"duration\":84,\"type_name\":\"Operating System Patch State: Unknown\",\"activity_id\":0,\"type_uid\":500400,\"category_name\":\"Discovery\",\"class_uid\":5004,\"category_uid\":5,\"class_name\":\"Operating System Patch State\",\"timezone_offset\":54,\"activity_name\":\"Unknown\",\"cloud\":{\"project_uid\":\"244256a6-50b5-11ef-b514-0242ac110005\",\"provider\":\"examined thumbzilla applies\",\"region\":\"refugees england number\"},\"kb_article_list\":[{\"os\":{\"name\":\"pills conversations dave\",\"type\":\"Windows Mobile\",\"type_id\":101,\"lang\":\"en\",\"edition\":\"liechtenstein wildlife rooms\"},\"title\":\"survey chinese wales\",\"uid\":\"24443296-50b5-11ef-a50c-0242ac110005\",\"severity\":\"spectacular durham aw\",\"bulletin\":\"mauritius journalists 
shaved\"},{\"os\":{\"name\":\"reaches ridge signatures\",\"type\":\"overseas\",\"version\":\"1.1.0\",\"type_id\":99,\"cpe_name\":\"almost advertisement oe\",\"cpu_bits\":7},\"product\":{\"name\":\"recorder engaging widescreen\",\"version\":\"1.1.0\",\"uid\":\"244462f2-50b5-11ef-86a0-0242ac110005\",\"lang\":\"en\",\"cpe_name\":\"stuffed robots bras\",\"vendor_name\":\"spring russian core\"},\"uid\":\"24446d6a-50b5-11ef-ac9c-0242ac110005\",\"severity\":\"paso strictly after\",\"src_url\":\"reserved\"}],\"severity_id\":2,\"status_id\":99}", + "provider": "rod seasons weed", + "sequence": 29, + "severity": 2, + "type": [ + "info" + ] + }, + "host": { + "geo": { + "city_name": "Randy wellington", + "continent_name": "Africa", + "country_iso_code": "BI", + "location": [ + -44.0959, + 34.4006 + ], + "name": "Burundi, Republic of" + }, + "hostname": "surfaces.biz", + "id": "2444035c-50b5-11ef-be7d-0242ac110005", + "ip": [ + "81.2.69.144" + ], + "name": "sk feat cups", + "risk": { + "static_score": 3 + }, + "type": "Browser" + }, + "message": "ol avatar webster", + "network": { + "vlan": { + "id": "2443ec0a-50b5-11ef-95ed-0242ac110005" + } + }, + "ocsf": { + "activity_id": "0", + "activity_name": "Unknown", + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Operating System Patch State", + "class_uid": "5004", + "cloud": { + "project_uid": "244256a6-50b5-11ef-b514-0242ac110005", + "provider": "examined thumbzilla applies", + "region": "refugees england number" + }, + "device": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "A0F0F23EF42637BEC6F126E2A94D58802124DC4B559791CE9583CBC1BB474C954FEF9FD047DFB80F46A869FBB1BAC07C4841FC2C92C4A9DF1755072825DEBBC8" + }, + "image": { + "labels": [ + "determines", + "dirt" + ], + "name": "rt href dubai", + "path": "enhancing zope celtic", + "tag": "team established germany", + "uid": "24441aea-50b5-11ef-a95e-0242ac110005" + }, + "name": "ent give c", + "orchestrator": "carries 
pretty ranks", + "size": 2809284742, + "uid": "2444104a-50b5-11ef-a8ef-0242ac110005" + }, + "first_seen_time_dt": "2024-08-02T09:53:59.950Z", + "hostname": "surfaces.biz", + "instance_uid": "2443f740-50b5-11ef-8557-0242ac110005", + "interface_name": "mb built rip", + "interface_uid": "24442436-50b5-11ef-a4a7-0242ac110005", + "ip": "81.2.69.144", + "is_managed": false, + "is_trusted": true, + "last_seen_time": "2024-08-02T09:53:59.950Z", + "location": { + "city": "Randy wellington", + "continent": "Africa", + "coordinates": [ + -44.0959, + 34.4006 + ], + "country": "BI", + "desc": "Burundi, Republic of" + }, + "name": "sk feat cups", + "region": "topic toshiba inform", + "risk_score": 3, + "type": "Browser", + "type_id": "8", + "uid": "2444035c-50b5-11ef-be7d-0242ac110005", + "vlan_uid": "2443ec0a-50b5-11ef-95ed-0242ac110005", + "zone": "percent databases fairfield" + }, + "duration": 84, + "kb_article_list": [ + { + "bulletin": "mauritius journalists shaved", + "os": { + "edition": "liechtenstein wildlife rooms", + "lang": "en", + "name": "pills conversations dave", + "type": "Windows Mobile", + "type_id": 101 + }, + "severity": "spectacular durham aw", + "title": "survey chinese wales", + "uid": "24443296-50b5-11ef-a50c-0242ac110005" + }, + { + "os": { + "cpe_name": "almost advertisement oe", + "cpu_bits": 7, + "name": "reaches ridge signatures", + "type": "overseas", + "type_id": 99, + "version": "1.1.0" + }, + "product": { + "cpe_name": "stuffed robots bras", + "lang": "en", + "name": "recorder engaging widescreen", + "uid": "244462f2-50b5-11ef-86a0-0242ac110005", + "vendor_name": "spring russian core", + "version": "1.1.0" + }, + "severity": "paso strictly after", + "src_url": "reserved", + "uid": "24446d6a-50b5-11ef-ac9c-0242ac110005" + } + ], + "message": "ol avatar webster", + "metadata": { + "correlation_uid": "2442a34a-50b5-11ef-adc6-0242ac110005", + "extension": { + "name": "columbia merely switzerland", + "uid": "24428c98-50b5-11ef-955a-0242ac110005", + 
"version": "1.1.0" + }, + "log_level": "ata ty announcements", + "log_name": "orientation will game", + "log_provider": "rod seasons weed", + "loggers": [ + { + "device": { + "autoscale_uid": "24432c02-50b5-11ef-b1ff-0242ac110005", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "FA43AD9444AD97C075FDAE70D75E938A031C84A9C642A94B9F058555892B875F" + }, + "image": { + "labels": [ + "intimate", + "momentum" + ], + "name": "anxiety patents return", + "uid": "2443540c-50b5-11ef-8146-0242ac110005" + }, + "size": 2010633241, + "uid": "2443498a-50b5-11ef-ae6c-0242ac110005" + }, + "imei": "relatively drums significantly", + "instance_uid": "2443362a-50b5-11ef-b381-0242ac110005", + "interface_name": "own monitoring ph", + "interface_uid": "24435e02-50b5-11ef-81a2-0242ac110005", + "ip": "97.19.65.133", + "is_managed": true, + "is_personal": false, + "name": "tender harmony powerseller", + "namespace_pid": 85, + "os": { + "cpu_bits": 9, + "name": "ian distributor collectible", + "type": "HP-UX", + "type_id": 402 + }, + "region": "impacts trackbacks authentication", + "subnet": "164.124.0.0/16", + "type": "Laptop", + "type_id": 3, + "uid": "24433d8c-50b5-11ef-b570-0242ac110005", + "uid_alt": "kelkoo clinics nearby" + }, + "log_name": "jul pregnant carrying", + "log_provider": "specifically executive dosage", + "name": "netherlands devoted extensive", + "product": { + "cpe_name": "locale memorabilia board", + "name": "herself market quote", + "uid": "2443cb58-50b5-11ef-b723-0242ac110005", + "url_string": "belt", + "vendor_name": "ultimately permalink scenes", + "version": "1.1.0" + }, + "transmit_time_dt": "2024-08-02T09:53:59.950077Z" + } + ], + "modified_time": "2024-08-02T09:53:59.950Z", + "modified_time_dt": "2024-08-02T09:53:59.950Z", + "original_time": "livecam yearly isbn", + "processed_time": "2024-08-02T09:53:59.950Z", + "product": { + "name": "semi boston electric", + "path": "norm eggs ranges", + "uid": 
"24429a8a-50b5-11ef-924a-0242ac110005", + "vendor_name": "gauge thereby modes" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "sequence": 29, + "tenant_uid": "2443d6b6-50b5-11ef-8908-0242ac110005", + "version": "1.1.0" + }, + "severity": "Low", + "severity_id": 2, + "status": "jim", + "status_id": "99", + "time": "2024-08-02T09:53:59.954Z", + "timezone_offset": 54, + "type_name": "Operating System Patch State: Unknown", + "type_uid": "500400" + }, + "related": { + "hosts": [ + "surfaces.biz", + "sk feat cups" + ], + "ip": [ + "81.2.69.144" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-08-08T08:28:52.280Z", + "cloud": { + "availability_zone": "median conference permalink", + "provider": "prepaid policy genetic", + "region": "unusual accuracy coordinate" + }, + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "unknown", + "code": "exceptional", + "end": "2024-08-08T08:28:52.280Z", + "kind": "event", + "original": "{\"message\":\"suppose intimate restaurant\",\"status\":\"mayor jewel fixes\",\"time\":1723105732280760,\"device\":{\"type\":\"Server\",\"ip\":\"233.56.87.14\",\"hostname\":\"scores.museum\",\"uid\":\"3e55aa52-5560-11ef-b18f-0242ac110005\",\"org\":{\"uid\":\"3e55922e-5560-11ef-8631-0242ac110005\",\"ou_name\":\"gourmet biographies avon\",\"ou_uid\":\"3e55997c-5560-11ef-b188-0242ac110005\"},\"type_id\":1,\"container\":{\"name\":\"china elections nathan\",\"runtime\":\"fail gmc swap\",\"size\":72520595,\"uid\":\"3e55b7a4-5560-11ef-96a7-0242ac110005\",\"image\":{\"name\":\"ceo fly 
grenada\",\"uid\":\"3e55c60e-5560-11ef-b505-0242ac110005\"},\"hash\":{\"value\":\"57799DCAEC3A56379406B2C2D009F1CEC4582CC018A5EA2902010D23F77C9604AC49FFDF893574E772F722ED8989C6E29473647F4D6751DBB0C22B88E9C07596\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"network_driver\":\"british makeup series\"},\"first_seen_time\":1723105732279498,\"imei\":\"opt specializing courses\",\"instance_uid\":\"3e559fb2-5560-11ef-b12b-0242ac110005\",\"interface_name\":\"wet logos memorial\",\"interface_uid\":\"3e55cfbe-5560-11ef-b385-0242ac110005\",\"last_seen_time\":1723105732278612,\"namespace_pid\":42,\"network_interfaces\":[{\"name\":\"ext nasty pants\",\"type\":\"Wireless\",\"ip\":\"175.16.199.0\",\"hostname\":\"description.travel\",\"mac\":\"5A:10:D1:50:15:9A:55:A6\",\"type_id\":2}],\"region\":\"wyoming founded blond\",\"risk_level\":\"Low\",\"risk_level_id\":1,\"vlan_uid\":\"3e558716-5560-11ef-8b46-0242ac110005\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"unions held pal\",\"version\":\"1.1.0\",\"uid\":\"3e54e914-5560-11ef-a37e-0242ac110005\",\"url_string\":\"davidson\",\"vendor_name\":\"dental magazines describing\"},\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"event_code\":\"exceptional\",\"log_name\":\"should ld recruiting\",\"log_provider\":\"reducing descriptions andrea\",\"modified_time\":1723105732274878,\"original_time\":\"gorgeous sometimes normal\",\"processed_time\":1723105732274895,\"tenant_uid\":\"3e54f35a-5560-11ef-a63f-0242ac110005\"},\"severity\":\"Unknown\",\"api\":{\"request\":{\"data\":\"except\",\"uid\":\"3e55dcca-5560-11ef-8d98-0242ac110005\"},\"response\":{\"error\":\"disputes gardens passive\",\"code\":23,\"flags\":[\"int gadgets alliance\",\"half blake tone\"],\"message\":\"art tunisia irish\",\"error_message\":\"finish marine developers\"},\"operation\":\"hd inner forgot\"},\"type_name\":\"Device Config State Change: 
Unknown\",\"activity_id\":0,\"type_uid\":501900,\"observables\":[{\"name\":\"betting joe uncertainty\",\"type\":\"Unknown\",\"type_id\":0},{\"name\":\"stations effectiveness bizrate\",\"type\":\"IP Address\",\"type_id\":2,\"reputation\":{\"base_score\":70.4967,\"provider\":\"murray office chronicles\",\"score\":\"Malicious\",\"score_id\":10}}],\"category_name\":\"Discovery\",\"class_uid\":5019,\"category_uid\":5,\"class_name\":\"Device Config State Change\",\"timezone_offset\":41,\"end_time_dt\":\"2024-08-08T08:28:52.280748Z\",\"activity_name\":\"Unknown\",\"cloud\":{\"provider\":\"prepaid policy genetic\",\"region\":\"unusual accuracy coordinate\",\"zone\":\"median conference permalink\"},\"security_level\":\"suppliers inf fabric\",\"severity_id\":0}", + "provider": "reducing descriptions andrea", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "hostname": "scores.museum", + "id": "3e55aa52-5560-11ef-b18f-0242ac110005", + "ip": [ + "233.56.87.14" + ], + "risk": { + "static_level": "Low" + }, + "type": "Server" + }, + "message": "suppose intimate restaurant", + "network": { + "vlan": { + "id": "3e558716-5560-11ef-8b46-0242ac110005" + } + }, + "ocsf": { + "activity_id": "0", + "activity_name": "Unknown", + "api": { + "operation": "hd inner forgot", + "request": { + "data": "except", + "uid": "3e55dcca-5560-11ef-8d98-0242ac110005" + }, + "response": { + "code": 23, + "error": "disputes gardens passive", + "error_message": "finish marine developers", + "flags": [ + "int gadgets alliance", + "half blake tone" + ], + "message": "art tunisia irish" + } + }, + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Device Config State Change", + "class_uid": "5019", + "cloud": { + "provider": "prepaid policy genetic", + "region": "unusual accuracy coordinate", + "zone": "median conference permalink" + }, + "device": { + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": 
"57799DCAEC3A56379406B2C2D009F1CEC4582CC018A5EA2902010D23F77C9604AC49FFDF893574E772F722ED8989C6E29473647F4D6751DBB0C22B88E9C07596" + }, + "image": { + "name": "ceo fly grenada", + "uid": "3e55c60e-5560-11ef-b505-0242ac110005" + }, + "name": "china elections nathan", + "network_driver": "british makeup series", + "runtime": "fail gmc swap", + "size": 72520595, + "uid": "3e55b7a4-5560-11ef-96a7-0242ac110005" + }, + "first_seen_time": "2024-08-08T08:28:52.279Z", + "hostname": "scores.museum", + "imei": "opt specializing courses", + "instance_uid": "3e559fb2-5560-11ef-b12b-0242ac110005", + "interface_name": "wet logos memorial", + "interface_uid": "3e55cfbe-5560-11ef-b385-0242ac110005", + "ip": "233.56.87.14", + "last_seen_time": "2024-08-08T08:28:52.278Z", + "namespace_pid": 42, + "network_interfaces": [ + { + "hostname": "description.travel", + "ip": "175.16.199.0", + "mac": "5A-10-D1-50-15-9A-55-A6", + "name": "ext nasty pants", + "type": "Wireless", + "type_id": "2" + } + ], + "org": { + "ou_name": "gourmet biographies avon", + "ou_uid": "3e55997c-5560-11ef-b188-0242ac110005", + "uid": "3e55922e-5560-11ef-8631-0242ac110005" + }, + "region": "wyoming founded blond", + "risk_level": "Low", + "risk_level_id": "1", + "type": "Server", + "type_id": "1", + "uid": "3e55aa52-5560-11ef-b18f-0242ac110005", + "vlan_uid": "3e558716-5560-11ef-8b46-0242ac110005" + }, + "end_time_dt": "2024-08-08T08:28:52.280Z", + "message": "suppose intimate restaurant", + "metadata": { + "event_code": "exceptional", + "log_name": "should ld recruiting", + "log_provider": "reducing descriptions andrea", + "modified_time": "2024-08-08T08:28:52.274Z", + "original_time": "gorgeous sometimes normal", + "processed_time": "2024-08-08T08:28:52.274Z", + "product": { + "name": "unions held pal", + "uid": "3e54e914-5560-11ef-a37e-0242ac110005", + "url_string": "davidson", + "vendor_name": "dental magazines describing", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + 
"host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "3e54f35a-5560-11ef-a63f-0242ac110005", + "version": "1.1.0" + }, + "observables": [ + { + "name": "betting joe uncertainty", + "type": "Unknown", + "type_id": "0" + }, + { + "name": "stations effectiveness bizrate", + "reputation": { + "base_score": 70.4967, + "provider": "murray office chronicles", + "score": "Malicious", + "score_id": "10" + }, + "type": "IP Address", + "type_id": "2" + } + ], + "security_level": "suppliers inf fabric", + "severity": "Unknown", + "severity_id": 0, + "status": "mayor jewel fixes", + "time": "2024-08-08T08:28:52.280Z", + "timezone_offset": 41, + "type_name": "Device Config State Change: Unknown", + "type_uid": "501900" + }, + "related": { + "hosts": [ + "scores.museum", + "description.travel" + ], + "ip": [ + "233.56.87.14", + "175.16.199.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-08-08T08:44:55.785Z", + "data_stream": { + "dataset": "amazon_security_lake.discovery", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "fraser", + "code": "recognized", + "end": "2024-08-08T08:44:55.784Z", + "kind": "event", + "original": "{\"message\":\"enabling pushing tee\",\"status\":\"Failure\",\"time\":1723106695785986,\"device\":{\"type\":\"Laptop\",\"domain\":\"parts patents bios\",\"ip\":\"175.16.199.0\",\"hostname\":\"apparel.store\",\"uid\":\"7ca10520-5562-11ef-994f-0242ac110005\",\"image\":{\"name\":\"you therapy gaming\",\"uid\":\"7ca0ff12-5562-11ef-a321-0242ac110005\"},\"type_id\":3,\"created_time\":1723106695785069,\"hypervisor\":\"weblog operates spanish\",\"instance_uid\":\"7ca0f4f4-5562-11ef-9585-0242ac110005\",\"interface_name\":\"individually assembled 
riders\",\"interface_uid\":\"7ca10bd8-5562-11ef-a0b4-0242ac110005\",\"is_compliant\":true,\"modified_time\":1723106695785112,\"region\":\"click added cars\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"use four webpage\",\"version\":\"1.1.0\",\"uid\":\"7c9fb288-5562-11ef-850c-0242ac110005\",\"feature\":{\"name\":\"iii exceptional erotica\",\"version\":\"1.1.0\",\"uid\":\"7c9fbdfa-5562-11ef-b36a-0242ac110005\"},\"url_string\":\"light\",\"vendor_name\":\"whatever chan might\"},\"profiles\":[],\"event_code\":\"recognized\",\"log_name\":\"durable flex field\",\"loggers\":[{\"name\":\"senator babies ou\",\"device\":{\"name\":\"camcorder zoning projector\",\"type\":\"Server\",\"os\":{\"name\":\"pottery laws resident\",\"type\":\"Unknown\",\"country\":\"Haiti, Republic of\",\"type_id\":0},\"domain\":\"pain brilliant html\",\"ip\":\"177.30.168.240\",\"hostname\":\"array.mil\",\"uid\":\"7ca01610-5562-11ef-80c2-0242ac110005\",\"image\":{\"name\":\"threaded reduction registry\",\"uid\":\"7ca00f80-5562-11ef-9605-0242ac110005\"},\"type_id\":1,\"instance_uid\":\"7ca00508-5562-11ef-aef5-0242ac110005\",\"interface_name\":\"smoke shorts historic\",\"interface_uid\":\"7ca01d0e-5562-11ef-8a28-0242ac110005\",\"is_personal\":true,\"modified_time\":1723106695779060,\"network_interfaces\":[{\"type\":\"Wired\",\"ip\":\"162.67.186.104\",\"hostname\":\"majority.int\",\"mac\":\"A5:AD:3C:E2:45:BB:1F:BD\",\"type_id\":1,\"subnet_prefix\":63},{\"name\":\"fujitsu specials encourages\",\"type\":\"Mobile\",\"ip\":\"61.37.184.176\",\"hostname\":\"signal.biz\",\"mac\":\"42:EC:71:C:44:87:4D:3F\",\"type_id\":3}],\"region\":\"enforcement mls cabinet\",\"risk_score\":32,\"subnet_uid\":\"7c9ff360-5562-11ef-a23d-0242ac110005\"},\"product\":{\"version\":\"1.1.0\",\"uid\":\"7ca028a8-5562-11ef-9f4e-0242ac110005\",\"lang\":\"en\",\"cpe_name\":\"eddie m loop\",\"vendor_name\":\"wild stack ing\"},\"uid\":\"7ca02fe2-5562-11ef-85c4-0242ac110005\",\"log_name\":\"virus estimated 
hospitality\",\"log_provider\":\"snapshot survive ruled\"},{\"name\":\"photo missing lions\",\"version\":\"1.1.0\",\"device\":{\"name\":\"barrier problems southampton\",\"type\":\"Unknown\",\"ip\":\"178.130.62.185\",\"location\":{\"desc\":\"Nauru, Republic of\",\"city\":\"Corrections presence\",\"country\":\"NR\",\"coordinates\":[-87.1695,-2.0139],\"continent\":\"Oceania\"},\"hostname\":\"traveller.org\",\"uid\":\"7ca0bd86-5562-11ef-913a-0242ac110005\",\"groups\":[{\"type\":\"train fm brain\",\"uid\":\"7ca0a350-5562-11ef-a3c7-0242ac110005\",\"privileges\":[\"airlines ricky practitioner\",\"hometown nh fair\"]}],\"type_id\":0,\"subnet\":\"239.0.0.0/8\",\"instance_uid\":\"7ca0b64c-5562-11ef-9d6d-0242ac110005\",\"interface_name\":\"accompanied lesson color\",\"interface_uid\":\"7ca0c466-5562-11ef-abf1-0242ac110005\",\"is_compliant\":true,\"is_personal\":true,\"modified_time\":1723106695783536,\"region\":\"careers eval haiti\",\"subnet_uid\":\"7ca0aaf8-5562-11ef-825e-0242ac110005\",\"uid_alt\":\"square washington foster\"},\"product\":{\"name\":\"sh buttons specialties\",\"version\":\"1.1.0\",\"vendor_name\":\"acrylic pace draws\"},\"uid\":\"7ca0ceca-5562-11ef-844f-0242ac110005\",\"log_name\":\"tagged mainstream equal\",\"log_provider\":\"certified denial agree\"}],\"original_time\":\"fireplace chapel support\",\"tenant_uid\":\"7ca0d924-5562-11ef-9d5f-0242ac110005\"},\"severity\":\"Critical\",\"type_name\":\"Device Config State Change: Other\",\"activity_id\":99,\"type_uid\":501999,\"observables\":[{\"name\":\"savage humanity jail\",\"type\":\"shots\",\"value\":\"lived creator planning\",\"type_id\":99}],\"category_name\":\"Discovery\",\"class_uid\":5019,\"category_uid\":5,\"class_name\":\"Device Config State Change\",\"timezone_offset\":85,\"end_time\":1723106695784773,\"activity_name\":\"fraser\",\"security_states\":[{},{\"state\":\"Protection malfunction\",\"state_id\":5}],\"enrichments\":[{\"data\":\"mpeg\",\"name\":\"needs included bag\",\"type\":\"palestine spin 
down\",\"value\":\"gay from titans\",\"provider\":\"sherman centers profession\"}],\"prev_security_states\":[{},{}],\"severity_id\":5,\"status_id\":2}", + "outcome": "failure", + "provider": "whatever chan might", + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + "domain": "parts patents bios", + "hostname": "apparel.store", + "id": "7ca10520-5562-11ef-994f-0242ac110005", + "ip": [ + "175.16.199.0" + ], + "type": "Laptop" + }, + "message": "enabling pushing tee", + "ocsf": { + "activity_id": "99", + "activity_name": "fraser", + "category_name": "Discovery", + "category_uid": "5", + "class_name": "Device Config State Change", + "class_uid": "5019", + "device": { + "created_time": "2024-08-08T08:44:55.785Z", + "domain": "parts patents bios", + "hostname": "apparel.store", + "hypervisor": "weblog operates spanish", + "image": { + "name": "you therapy gaming", + "uid": "7ca0ff12-5562-11ef-a321-0242ac110005" + }, + "instance_uid": "7ca0f4f4-5562-11ef-9585-0242ac110005", + "interface_name": "individually assembled riders", + "interface_uid": "7ca10bd8-5562-11ef-a0b4-0242ac110005", + "ip": "175.16.199.0", + "is_compliant": true, + "modified_time": "2024-08-08T08:44:55.785Z", + "region": "click added cars", + "type": "Laptop", + "type_id": "3", + "uid": "7ca10520-5562-11ef-994f-0242ac110005" + }, + "end_time": "2024-08-08T08:44:55.784Z", + "enrichments": [ + { + "data": "mpeg", + "name": "needs included bag", + "provider": "sherman centers profession", + "type": "palestine spin down", + "value": "gay from titans" + } + ], + "message": "enabling pushing tee", + "metadata": { + "event_code": "recognized", + "log_name": "durable flex field", + "loggers": [ + { + "device": { + "domain": "pain brilliant html", + "hostname": "array.mil", + "image": { + "name": "threaded reduction registry", + "uid": "7ca00f80-5562-11ef-9605-0242ac110005" + }, + "instance_uid": "7ca00508-5562-11ef-aef5-0242ac110005", + "interface_name": "smoke shorts historic", + "interface_uid": 
"7ca01d0e-5562-11ef-8a28-0242ac110005", + "ip": "177.30.168.240", + "is_personal": true, + "modified_time": 1723106695779060, + "name": "camcorder zoning projector", + "network_interfaces": [ + { + "hostname": "majority.int", + "ip": "162.67.186.104", + "mac": "A5:AD:3C:E2:45:BB:1F:BD", + "subnet_prefix": 63, + "type": "Wired", + "type_id": 1 + }, + { + "hostname": "signal.biz", + "ip": "61.37.184.176", + "mac": "42:EC:71:C:44:87:4D:3F", + "name": "fujitsu specials encourages", + "type": "Mobile", + "type_id": 3 + } + ], + "os": { + "country": "Haiti, Republic of", + "name": "pottery laws resident", + "type": "Unknown", + "type_id": 0 + }, + "region": "enforcement mls cabinet", + "risk_score": 32, + "subnet_uid": "7c9ff360-5562-11ef-a23d-0242ac110005", + "type": "Server", + "type_id": 1, + "uid": "7ca01610-5562-11ef-80c2-0242ac110005" + }, + "log_name": "virus estimated hospitality", + "log_provider": "snapshot survive ruled", + "name": "senator babies ou", + "product": { + "cpe_name": "eddie m loop", + "lang": "en", + "uid": "7ca028a8-5562-11ef-9f4e-0242ac110005", + "vendor_name": "wild stack ing", + "version": "1.1.0" + }, + "uid": "7ca02fe2-5562-11ef-85c4-0242ac110005" + }, + { + "device": { + "groups": [ + { + "privileges": [ + "airlines ricky practitioner", + "hometown nh fair" + ], + "type": "train fm brain", + "uid": "7ca0a350-5562-11ef-a3c7-0242ac110005" + } + ], + "hostname": "traveller.org", + "instance_uid": "7ca0b64c-5562-11ef-9d6d-0242ac110005", + "interface_name": "accompanied lesson color", + "interface_uid": "7ca0c466-5562-11ef-abf1-0242ac110005", + "ip": "178.130.62.185", + "is_compliant": true, + "is_personal": true, + "location": { + "city": "Corrections presence", + "continent": "Oceania", + "coordinates": [ + -87.1695, + -2.0139 + ], + "country": "NR", + "desc": "Nauru, Republic of" + }, + "modified_time": 1723106695783536, + "name": "barrier problems southampton", + "region": "careers eval haiti", + "subnet": "239.0.0.0/8", + "subnet_uid": 
"7ca0aaf8-5562-11ef-825e-0242ac110005", + "type": "Unknown", + "type_id": 0, + "uid": "7ca0bd86-5562-11ef-913a-0242ac110005", + "uid_alt": "square washington foster" + }, + "log_name": "tagged mainstream equal", + "log_provider": "certified denial agree", + "name": "photo missing lions", + "product": { + "name": "sh buttons specialties", + "vendor_name": "acrylic pace draws", + "version": "1.1.0" + }, + "uid": "7ca0ceca-5562-11ef-844f-0242ac110005", + "version": "1.1.0" + } + ], + "original_time": "fireplace chapel support", + "product": { + "feature": { + "name": "iii exceptional erotica", + "uid": "7c9fbdfa-5562-11ef-b36a-0242ac110005", + "version": "1.1.0" + }, + "name": "use four webpage", + "uid": "7c9fb288-5562-11ef-850c-0242ac110005", + "url_string": "light", + "vendor_name": "whatever chan might", + "version": "1.1.0" + }, + "tenant_uid": "7ca0d924-5562-11ef-9d5f-0242ac110005", + "version": "1.1.0" + }, + "observables": [ + { + "name": "savage humanity jail", + "type": "shots", + "type_id": "99", + "value": "lived creator planning" + } + ], + "security_states": [ + { + "state": "Protection malfunction", + "state_id": 5 + } + ], + "severity": "Critical", + "severity_id": 5, + "status": "Failure", + "status_id": "2", + "time": "2024-08-08T08:44:55.785Z", + "timezone_offset": 85, + "type_name": "Device Config State Change: Other", + "type_uid": "501999" + }, + "related": { + "hosts": [ + "parts patents bios", + "apparel.store" + ], + "ip": [ + "175.16.199.0" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] -} \ No newline at end of file +} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log index 9505d2a6cc7e..82014c0613ed 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log 
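Review bot: in the expected output for the discovery data stream (the hunk that ends at `+}` just above), type and date coercion stops at the mapped depth, so the same OCSF attribute comes out with different types depending on where it sits: `ocsf.device.type_id` is the string `"8"` while `ocsf.metadata.loggers[].device.type_id` is the integer `3`, `ocsf.user.type_id` is `"1"` while `ocsf.user.ldap_person.manager.type_id` is `1`, and `ocsf.device.modified_time` is rendered as `"2024-08-08T08:44:55.785Z"` while `ocsf.metadata.loggers[].device.modified_time` is left as the raw epoch value `1723106695779060` (likewise `ldap_person.created_time: 1577836800000`). MAC normalisation shows the same split: `ocsf.device.network_interfaces[].mac` becomes `"5A-10-D1-50-15-9A-55-A6"`, but the loggers' interfaces keep `"A5:AD:3C:E2:45:BB:1F:BD"` and the malformed `"42:EC:71:C:44:87:4D:3F"` (one group is a single hex digit) unchanged. If these nested objects are left to dynamic mapping rather than explicit field definitions, the first document indexed fixes each field's type, and a source that sends an epoch number in one event and an ISO string in the next for the same nested path can produce a mapping conflict on the second; either run the same date, id and MAC conversions over the nested `device` and `user` objects, or state explicitly that values below the mapped depth are passed through unconverted so users do not expect `date`-typed nested timestamps or consistently typed `*_id` fields there.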
+++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log 
@@ -1 +1,5 @@ {"activity_id":2,"activity_name":"Update","category_name":"Findings","category_uid":2,"class_name":"Security Finding","class_uid":2001,"cloud":{"account":{"uid":"522536594833"},"provider":"AWS","region":"us-east-1"},"compliance":{"requirements":["PCI1.2"],"status":"PASSED","status_detail":"CloudWatch alarms do not exist in the account"},"finding":{"created_time":1635449619417,"desc":"This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports [3389, 20, 23, 110, 143, 3306, 8080, 1433, 9200, 9300, 25, 445, 135, 21, 1434, 4333, 5432, 5500, 5601, 22, 3000, 5000, 8088, 8888] that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for the listed ports.","first_seen_time":1635449619417,"last_seen_time":1659636565316,"modified_time":1659636559100,"related_events":[{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"123e4567-e89b-12d3-a456-426655440000"},{"product_uid":"arn:aws:securityhub:us-west-2::product/aws/guardduty","uid":"AcmeNerfHerder-111111111111-x189dx7824"}],"remediation":{"desc":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","kb_articles":["https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation"]},"title":"EC2.19 Security groups should not allow unrestricted access to ports with high risk","types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"uid":"test"},"malware":[{"classification_ids":[1],"classifications":["Adware"],"name":"Stringler","path":"/usr/sbin/stringler"}],"metadata":{"product":{"feature":{"name":"Security Hub","uid":"aws-foundational-security-best-practices/v/1.0.0/EC2.19"},"name":"Security 
Hub","uid":"arn:aws:securityhub:us-east-1::product/aws/securityhub","vendor_name":"AWS","version":"2018-10-08"},"profiles":["cloud"],"version":"1.0.0-rc.2"},"resources":[{"cloud_partition":"aws","labels":["billingCode=Lotus-1-2-3","needsPatching=true"],"region":"us-east-1","type":"AwsEc2SecurityGroup","uid":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499"}],"severity":"Informational","severity_id":1,"state":"Resolved","state_id":4,"time":1659636559100,"type_name":"Security Finding: Update","type_uid":200102,"unmapped":{"CompanyName":"AWS","Compliance.StatusReasons[].ReasonCode":"CW_ALARMS_NOT_PRESENT","FindingProviderFields.Severity.Label":"INFORMATIONAL","FindingProviderFields.Severity.Original":"INFORMATIONAL","FindingProviderFields.Types[]":"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices","Malware[].State":"OBSERVED","ProductFields.ControlId":"EC2.19","ProductFields.RecommendationUrl":"https://docs.aws.amazon.com/console/securityhub/EC2.19/remediation","ProductFields.RelatedAWSResources:0/name":"securityhub-vpc-sg-restricted-common-ports-2af29baf","ProductFields.RelatedAWSResources:0/type":"AWS::Config::ConfigRule","ProductFields.Resources:0/Id":"arn:aws:ec2:us-east-1:522536594833:security-group/sg-0daf160f08dfed499","ProductFields.StandardsArn":"arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0","ProductFields.StandardsControlArn":"arn:aws:securityhub:us-east-1:522536594833:control/aws-foundational-security-best-practices/v/1.0.0/EC2.19","ProductFields.StandardsSubscriptionArn":"arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0","ProductFields.aws/securityhub/CompanyName":"AWS","ProductFields.aws/securityhub/FindingId":"arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:522536594833:subscription/aws-foundational-security-best-practices/v/1.0.0/EC2.19/finding/b
f428107-eee0-4d19-a013-92748ed69eef","ProductFields.aws/securityhub/ProductName":"Security Hub","RecordState":"ACTIVE","Severity.Normalized":"0","Severity.Original":"INFORMATIONAL","Severity.Product":"0","Vulnerabilities[].Cvss[].BaseScore":"4.7,1.0","Vulnerabilities[].Cvss[].BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,AV:L/AC:M/Au:N/C:C/I:N/A:N","Vulnerabilities[].Cvss[].Version":"V3,V2","Vulnerabilities[].Vendor.VendorSeverity":"Medium","WorkflowState":"NEW"},"vulnerabilities":[{"cve":{"created_time":1579132903000,"cvss":{"base_score":4.7,"vector_string":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"V3"},"modified_time":1579132903000,"uid":"CVE-2020-12345"},"kb_articles":["https://alas.aws.amazon.com/ALAS-2020-1337.html"],"packages":[{"architecture":"x86_64","epoch":1,"name":"openssl","release":"16.amzn2.0.3","version":"1.0.2k"},{"architecture":"x86_64","epoch":3,"name":"yaml","release":"16.amzn2.0.3","version":"4.3.2"}],"references":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"],"related_vulnerabilities":["CVE-2020-12345"],"vendor_name":"Alas"}]} +{"status":"In Progress","time":1722327712967320,"metadata":{"version":"1.1.0","product":{"name":"bouquet forget occupied","version":"1.1.0","uid":"c6afd262-4e4c-11ef-a63c-0242ac110005","feature":{"name":"updating lawyers string","uid":"c6afdb4a-4e4c-11ef-a8c4-0242ac110005"},"cpe_name":"words geographical gets","vendor_name":"trim massive setting"},"sequence":2,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"shall none shipped","log_provider":"outlined produced examining","original_time":"scope institutions int","tenant_uid":"c6afe64e-4e4c-11ef-bcf9-0242ac110005","logged_time_dt":"2024-07-30T08:21:52.967232Z"},"resource":{"owner":{"name":"Dude","type":"Admin","uid":"c6b0192a-4e4c-11ef-90f9-0242ac110005","type_id":2,"uid_alt":"recommendation highs equipped"},"type":"carb le multimedia","group":{"name":"resorts 
looking issues"},"namespace":"explain les collections"},"severity":"Fatal","type_name":"Vulnerability Finding: Create","activity_id":1,"type_uid":200201,"category_name":"Findings","class_uid":2002,"category_uid":2,"class_name":"Vulnerability Finding","start_time_dt":"2024-07-30T08:21:52.968170Z","end_time_dt":"2024-07-30T08:21:52.967308Z","timezone_offset":17,"activity_name":"Create","actor":{"user":{"name":"Without","type":"Admin","uid":"c6af496e-4e4c-11ef-b35b-0242ac110005","type_id":2,"account":{"name":"susan amy ventures","type":"Windows Account","uid":"c6af57e2-4e4c-11ef-b613-0242ac110005","type_id":2},"credential_uid":"c6af5ecc-4e4c-11ef-bda8-0242ac110005"}},"cloud":{"org":{"name":"africa za springer","uid":"c6b002c8-4e4c-11ef-b707-0242ac110005","ou_name":"opponent const outlet"},"project_uid":"c6b00a0c-4e4c-11ef-a1c9-0242ac110005","provider":"loving fabulous seating","region":"needed costumes main"},"confidence":"characteristic benz automotive","confidence_id":3,"finding_info":{"title":"vinyl lease crown","uid":"c6af0030-4e4c-11ef-963a-0242ac110005","analytic":{"name":"incentives module joyce","type":"Rule","uid":"c6af34ec-4e4c-11ef-a5db-0242ac110005","category":"sanyo asus escorts","type_id":1},"data_sources":["reliable honey flexibility"],"created_time_dt":"2024-07-30T08:21:52.962788Z","modified_time_dt":"2024-07-30T08:21:52.962804Z"},"severity_id":6,"status_id":2,"vulnerabilities":[{"title":"trek ae danger","references":["suite featured smart","sanyo vbulletin contain"],"cve":{"type":"republicans offset expense","title":"smilies since terminal","uid":"c6af9176-4e4c-11ef-8fde-0242ac110005","references":["brass duty expected"],"created_time":1722327712965081,"cvss":[{"version":"1.1.0","depth":"Base","base_score":97.7035,"overall_score":29.3613}]},"cwe":{"uid":"c6af9f0e-4e4c-11ef-b234-0242ac110005","caption":"blanket toshiba olympics"},"kb_articles":["mounts el significantly","newer length frost"],"packages":[{"name":"nuts nine 
horn","version":"1.1.0","architecture":"diana zen collector"},{"name":"answered absence oxygen","version":"1.1.0","release":"classroom virtually satisfactory","architecture":"railway offering vietnamese"}]},{"references":["workshop surprising ceramic","grow annually mom"],"severity":"villas haiti links","cve":{"type":"coaching workflow sony","title":"jim patients rick","uid":"c6afb07a-4e4c-11ef-9138-0242ac110005","references":["propecia rebecca savage"],"created_time":1722327712965872,"created_time_dt":"2024-07-30T08:21:52.965881Z","modified_time_dt":"2024-07-30T08:21:52.965891Z"},"cwe":{"uid":"c6afba70-4e4c-11ef-8ac3-0242ac110005"},"kb_articles":["resistant verified wiring","redhead informal frankfurt"]}]} +{"message":"satellite violent subscriptions","status":"Suppressed","time":1722951737015847,"metadata":{"version":"1.1.0","product":{"name":"favorite dictionary butter","version":"1.1.0","uid":"b201250c-53f9-11ef-a42e-0242ac110005","vendor_name":"routing attending username"},"labels":["paper","james"],"profiles":[],"log_name":"variables admin absolutely","log_provider":"facilities channels cradle","log_version":"unless mood revised","original_time":"complaint planning historic"},"severity":"Low","duration":19,"resources":[{"owner":{"name":"Plain","type":"Unknown","uid":"b2005820-53f9-11ef-9b03-0242ac110005","type_id":0,"ldap_person":{"deleted_time":1722951737010636,"job_title":"tp barely fancy"}},"version":"1.1.0","uid":"b2006efa-53f9-11ef-b4fa-0242ac110005","namespace":"inherited proceeds invalid"},{"owner":{"name":"Adsl","type":"User","type_id":1},"version":"1.1.0","group":{"name":"m biography divx","uid":"b200884a-53f9-11ef-b155-0242ac110005"},"labels":["circular","vip"],"namespace":"updating mic expo","criticality":"packaging neon hearings"}],"type_name":"Detection Finding: Create","activity_id":1,"type_uid":200401,"category_name":"Findings","class_uid":2004,"category_uid":2,"class_name":"Detection 
Finding","activity_name":"Create","confidence_id":2,"evidences":[{"process":{"pid":2,"file":{"attributes":61,"name":"mortgages.mp3","size":3964710393,"type":"Folder","path":"match fuzzy noise/royalty.cbr/mortgages.mp3","signature":{"certificate":{"uid":"b20156da-53f9-11ef-ae03-0242ac110005","subject":"norwegian satisfactory collective","issuer":"consist refers bite","fingerprints":[{"value":"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0","algorithm":"SHA-512","algorithm_id":4},{"value":"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737017011,"expiration_time":1722951737017020,"serial_number":"headers futures rico"},"algorithm":"Authenticode","algorithm_id":4,"created_time":1722951737017030},"type_id":2,"parent_folder":"match fuzzy noise/royalty.cbr","hashes":[{"value":"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Brunei","type":"Unknown","uid":"b20169ae-53f9-11ef-a7ab-0242ac110005","type_id":0},"uid":"b2017ba6-53f9-11ef-8664-0242ac110005","cmd_line":"cattle disk nat","created_time":1722951737017869,"parent_process":{"name":"Districts","pid":61,"file":{"name":"points.dat","owner":{"name":"Possession","type":"packaging","uid":"b20198de-53f9-11ef-99e3-0242ac110005","groups":[{"name":"framework chambers motorcycle","domain":"robots opportunities auburn","uid":"b201a2de-53f9-11ef-91ee-0242ac110005"}],"type_id":99},"type":"Local Socket","version":"1.1.0","path":"perfume cleveland crystal/database.vob/points.dat","modifier":{"name":"Tower","type":"Unknown","uid":"b201c520-53f9-11ef-8fe7-0242ac110005","org":{"name":"gabriel harmful teach","uid":"b201cf5c-53f9-11ef-90e0-0242ac110005","ou_name":"chapel library 
combinations"},"type_id":0,"email_addr":"Lynne@rated.jobs"},"type_id":5,"accessor":{"name":"Record","type":"Unknown","uid":"b201dc40-53f9-11ef-a0fe-0242ac110005","type_id":0,"email_addr":"Zada@czech.museum","ldap_person":{"location":{"desc":"San Marino, Republic of","city":"Component got","country":"SM","coordinates":[-25.0862,-71.9167],"continent":"Europe"},"deleted_time":1722951737020608,"job_title":"tobago rubber abstracts"}},"parent_folder":"perfume cleveland crystal/database.vob","hashes":[{"value":"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770","algorithm":"magic","algorithm_id":99},{"value":"77F4DE0C4DB55DEC736561AC64C7EA6B","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737020691},"user":{"name":"April","type":"System","uid":"b201f540-53f9-11ef-b886-0242ac110005","type_id":3,"credential_uid":"b201fbb2-53f9-11ef-b9d8-0242ac110005"},"uid":"b2020184-53f9-11ef-85ea-0242ac110005","cmd_line":"inquiries sept nil","created_time":1722951737021297,"lineage":["barbara flow indiana"],"parent_process":{"pid":98,"session":{"uid":"b2021138-53f9-11ef-a183-0242ac110005","issuer":"boulder candle footwear","created_time":1722951737021699,"is_remote":true},"file":{"name":"bryan.htm","type":"Character Device","path":"fuji collectible creator/describes.tex/bryan.htm","type_id":3,"company_name":"Reagan Vincenza","creator":{"type":"sydney","uid":"b2022628-53f9-11ef-97c3-0242ac110005","type_id":99},"mime_type":"numeric/produces","parent_folder":"fuji collectible creator/describes.tex","modified_time":1722951737022248},"user":{"name":"Inventory","type":"User","groups":[{"name":"drums brisbane belfast","uid":"b2023438-53f9-11ef-b235-0242ac110005"},{"name":"distinction wp inquiries","desc":"subdivision centered matched","uid":"b2023b9a-53f9-11ef-8b76-0242ac110005"}],"type_id":1,"credential_uid":"b20243f6-53f9-11ef-995a-0242ac110005","email_addr":"Salena@tour.coop","uid_alt":"headline press 
postal"},"uid":"b2024b62-53f9-11ef-85ae-0242ac110005","cmd_line":"correlation jd nintendo","created_time":1722951737023185,"xattributes":{}},"terminated_time":1722951737023238}},"file":{"name":"pounds.sdf","type":"footwear","path":"bent hostel listed/knives.fnt/pounds.sdf","product":{"name":"soldier ut outer","version":"1.1.0","uid":"b20268d6-53f9-11ef-8389-0242ac110005","vendor_name":"prototype blog convertible"},"type_id":99,"mime_type":"quit/helen","parent_folder":"bent hostel listed/knives.fnt","hashes":[{"value":"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA","algorithm":"TLSH","algorithm_id":6},{"value":"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47","algorithm":"SHA-256","algorithm_id":3}],"modified_time":1722951737024064},"query":{"type":"rrp look city","hostname":"monroe.museum","class":"researcher promotions theaters","opcode_id":3,"packet_uid":42},"connection_info":{"uid":"b2027e84-53f9-11ef-beec-0242ac110005","direction":"Outbound","direction_id":2,"protocol_num":63,"tcp_flags":39},"api":{"request":{"data":"courier","uid":"b2028ac8-53f9-11ef-bcf3-0242ac110005"},"response":{"error":"commissioner kill madness","code":48,"error_message":"whale holdings lol"},"operation":"prophet disabled joel"},"actor":{"process":{"pid":53,"file":{"name":"travel.ico","type":"Regular File","path":"choice estates triple/connecticut.rom/travel.ico","type_id":1,"accessor":{"name":"Japanese","type":"User","type_id":1,"ldap_person":{"hire_time":1722951737025505,"ldap_dn":"essentials incomplete main"},"uid_alt":"cassette dust evidence"},"parent_folder":"choice estates triple/connecticut.rom","confidentiality":"nation fishing 
professional","hashes":[{"value":"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F","algorithm":"magic","algorithm_id":99},{"value":"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F","algorithm":"CTPH","algorithm_id":5}],"is_system":false,"security_descriptor":"burden authentication flashing"},"user":{"name":"Families","type":"System","domain":"authors subjects animal","uid":"b202b3e0-53f9-11ef-bc91-0242ac110005","groups":[{"name":"graphic university chile","uid":"b202c178-53f9-11ef-b0e0-0242ac110005"},{"name":"departure projects eastern","type":"direct hoping harder","uid":"b202c876-53f9-11ef-99bc-0242ac110005","privileges":["camcorders hazardous occurred","strong wav finland"]}],"type_id":3,"email_addr":"Hugh@vb.aero","ldap_person":{"location":{"desc":"Libyan Arab Jamahiriya","city":"Relaxation depend","country":"LY","coordinates":[72.6769,27.7735],"continent":"Africa"},"manager":{"name":"Titles","type":"System","domain":"many tvs hand","uid":"b202da8c-53f9-11ef-a9a8-0242ac110005","org":{"name":"declare commit gathering","uid":"b202e55e-53f9-11ef-90d3-0242ac110005"},"type_id":3,"credential_uid":"b202eba8-53f9-11ef-a0ef-0242ac110005"},"job_title":"evident gotten tcp","ldap_cn":"ran experiences isolation"}},"uid":"b202f3be-53f9-11ef-9c3b-0242ac110005","cmd_line":"hydrogen reporting ensemble","created_time":1722951737027494,"integrity":"extra dial resolved","parent_process":{"name":"Findings","file":{"name":"crude.sh","owner":{"type":"Admin","uid":"b2031308-53f9-11ef-b2f8-0242ac110005","groups":[{"uid":"b2031cd6-53f9-11ef-b786-0242ac110005"},{"name":"wrap smile durham","uid":"b2032866-53f9-11ef-bf54-0242ac110005","privileges":["preventing security wales","protest membership rs"]}],"type_id":2},"type":"Block Device","path":"hub clarity henderson/mailing.rss/crude.sh","product":{"name":"fund groundwater 
dom","version":"1.1.0","uid":"b2033324-53f9-11ef-ba5b-0242ac110005","feature":{"name":"producer depot financing","version":"1.1.0","uid":"b2033bc6-53f9-11ef-91fe-0242ac110005"},"cpe_name":"oven regulatory dairy","vendor_name":"disney intel antibody"},"type_id":4,"parent_folder":"hub clarity henderson/mailing.rss","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A","algorithm":"TLSH","algorithm_id":6},{"value":"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"cross organic bookings","xattributes":{}},"user":{"name":"Adjust","domain":"wrong expanding proposal","uid":"b2034c56-53f9-11ef-aed8-0242ac110005","credential_uid":"b203526e-53f9-11ef-9e92-0242ac110005","email_addr":"Gerry@poker.biz"},"uid":"b20358d6-53f9-11ef-939b-0242ac110005","cmd_line":"arrested suits personally","created_time":1722951737030083,"parent_process":{"name":"Poverty","pid":42,"file":{"name":"sad.kml","type":"Unknown","path":"random horse explained/soap.csv/sad.kml","signature":{"digest":{"value":"A24F695AAF92949E2578A874832FF516","algorithm":"MD5","algorithm_id":1},"certificate":{"version":"1.1.0","uid":"b2037334-53f9-11ef-880c-0242ac110005","subject":"delay prairie cents","issuer":"thought loans celebrate","fingerprints":[{"value":"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802","algorithm":"CTPH","algorithm_id":5},{"value":"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082","algorithm":"TLSH","algorithm_id":6}],"created_time":1722951737030958,"expiration_time":1722951737030965,"serial_number":"concerned arthritis 
beam"},"algorithm":"Authenticode","algorithm_id":4,"developer_uid":"b2038324-53f9-11ef-a9fd-0242ac110005"},"uid":"b2038928-53f9-11ef-93ab-0242ac110005","type_id":0,"accessor":{"name":"Affordable","type":"User","domain":"mill nest ministers","uid":"b2039418-53f9-11ef-ace2-0242ac110005","type_id":1,"full_name":"Thu Dewitt","account":{"name":"provider queensland warranties","type":"AWS Account","uid":"b2039db4-53f9-11ef-ac2d-0242ac110005","type_id":10}},"parent_folder":"random horse explained/soap.csv","hashes":[{"value":"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6","algorithm":"SHA-256","algorithm_id":3},{"value":"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F","algorithm":"SHA-1","algorithm_id":2}],"modified_time":1722951737031923},"user":{"name":"Continuously","type":"cassette","uid":"b203c596-53f9-11ef-9213-0242ac110005","org":{"name":"vitamins causes lg","uid":"b203cf64-53f9-11ef-a9e6-0242ac110005","ou_name":"most worcester generator"},"type_id":99,"full_name":"Manie Demetra","ldap_person":{"labels":["results","considered"],"deleted_time":1722951737033239,"email_addrs":["Joeann@trials.com","Enrique@zshops.int"],"last_login_time":1722951737033262,"modified_time":1722951737033265}},"tid":39,"uid":"b203dc7a-53f9-11ef-8a2b-0242ac110005","created_time":1722951737033438,"integrity":"Protected","integrity_id":6,"lineage":["arab comparison charlotte","namibia republicans decorative"],"parent_process":{"name":"Labs","pid":22,"session":{"terminal":"signals click categories","uid":"b203f264-53f9-11ef-9ec3-0242ac110005","created_time":1722951737034000,"is_remote":false},"file":{"name":"leaders.ged","type":"anthony","path":"zimbabwe co hyundai/telecom.rom/leaders.ged","type_id":99,"parent_folder":"zimbabwe co 
hyundai/telecom.rom","hashes":[{"value":"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2","algorithm":"quickXorHash","algorithm_id":7},{"value":"B336DF698D12AC8E54570BA6EA2679F0","algorithm":"MD5","algorithm_id":1}]},"user":{"type":"tears","org":{"name":"bye lenses alabama","uid":"b2040b0a-53f9-11ef-98b5-0242ac110005","ou_name":"antiques compliant tutorial","ou_uid":"b204153c-53f9-11ef-a6ea-0242ac110005"},"type_id":99},"uid":"b2042360-53f9-11ef-9794-0242ac110005","cmd_line":"windsor installed invite","created_time":1722951737035272,"parent_process":{"name":"Asus","pid":64,"session":{"uid":"b2048058-53f9-11ef-8e0f-0242ac110005","uuid":"b20486ca-53f9-11ef-9010-0242ac110005","issuer":"planner providence titles","created_time":1722951737037814,"credential_uid":"b2048dfa-53f9-11ef-8e51-0242ac110005","is_remote":true},"file":{"name":"badge.avi","type":"Unknown","path":"showed conf citizenship/alto.csr/badge.avi","signature":{"certificate":{"version":"1.1.0","subject":"voters crazy chelsea","issuer":"balance rip flags","fingerprints":[{"value":"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD","algorithm":"CTPH","algorithm_id":5}],"created_time":1722951737038366,"expiration_time":1722951737038371,"serial_number":"generally grande babies"},"algorithm":"RSA","algorithm_id":2,"developer_uid":"b204a4e8-53f9-11ef-a45f-0242ac110005"},"desc":"jersey pod crafts","type_id":0,"mime_type":"minimal/wisconsin","parent_folder":"showed conf citizenship/alto.csr","hashes":[{"value":"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD","algorithm":"SHA-256","algorithm_id":3},{"value":"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453","algorithm":"magic","algorithm_id":99}]},"user":{"name":"Churches","type":"User","uid":"b204b8ca-53f9-11ef-ae39-0242ac110005","org":{"name":"asking bookmark 
builders","ou_name":"nightlife fragrance into"},"type_id":1,"account":{"name":"essential wishing wanted","type":"Windows Account","uid":"b204c8ce-53f9-11ef-9832-0242ac110005","type_id":2}},"uid":"b204cf68-53f9-11ef-9210-0242ac110005","loaded_modules":["/condition/tunisia/phillips/accounting/tension.pkg","/argue/aboriginal/connectors/journal/clinic.dcr"],"cmd_line":"dryer thereby reliable","created_time":1722951737039702,"parent_process":{"name":"Multi","pid":51,"file":{"attributes":37,"name":"option.swf","type":"Block Device","path":"associate spas climb/canadian.rar/option.swf","product":{"name":"or dynamic distinguished","version":"1.1.0","path":"weddings competent korea","uid":"b205092e-53f9-11ef-b82a-0242ac110005","lang":"en","vendor_name":"hunt vitamins columns"},"type_id":4,"accessor":{"name":"Finish","type":"System","uid":"b205141e-53f9-11ef-bef4-0242ac110005","groups":[{"name":"tablet drivers broader","domain":"orange says vegetation","uid":"b2051dd8-53f9-11ef-9d88-0242ac110005"},{"name":"rid planets gp","domain":"antique hans ez","uid":"b20524b8-53f9-11ef-bfc7-0242ac110005","privileges":["obesity descriptions paintball"]}],"type_id":3},"parent_folder":"associate spas climb/canadian.rar","hashes":[{"value":"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1","algorithm":"magic","algorithm_id":99},{"value":"E16704D9E243B23B4F4E557748D6EEF6","algorithm":"MD5","algorithm_id":1}],"security_descriptor":"sentences angela guides"},"user":{"name":"Auditor","domain":"france designer commissioner","uid":"b2053246-53f9-11ef-8f1f-0242ac110005","groups":[{"name":"front license tide","type":"scope nebraska suffered","uid":"b2054b5a-53f9-11ef-b10c-0242ac110005"},{"name":"belts transform phone","type":"ir paul vector","uid":"b2055956-53f9-11ef-bac5-0242ac110005"}]},"cmd_line":"int assets shanghai","created_time":1722951737043210,"integrity":"philip energy traveler","parent_process":{"name":"Auctions","pid":97,"file":{"name":"mainland.sav","type":"Character 
Device","path":"easter advert gregory/briefing.vcd/mainland.sav","uid":"b2057062-53f9-11ef-b33c-0242ac110005","type_id":3,"company_name":"Shay Geoffrey","mime_type":"came/dui","parent_folder":"easter advert gregory/briefing.vcd","hashes":[{"value":"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171","algorithm":"TLSH","algorithm_id":6}],"security_descriptor":"ugly embedded sql"},"user":{"name":"Yahoo","uid":"b20585de-53f9-11ef-a722-0242ac110005"},"uid":"b2058d2c-53f9-11ef-9c93-0242ac110005","cmd_line":"computers qt caribbean","created_time":1722951737044530,"integrity":"classifieds conceptual contest","parent_process":{"name":"Portable","pid":15,"user":{"name":"Camel","type":"System","uid":"b205a618-53f9-11ef-b616-0242ac110005","type_id":3},"uid":"b205ac6c-53f9-11ef-b326-0242ac110005","cmd_line":"letter agencies family","created_time":1722951737045332,"parent_process":{"name":"Weed","pid":38,"file":{"name":"leslie.indd","type":"Symbolic Link","path":"rating malawi ash/ny.bin/leslie.indd","signature":{"certificate":{"version":"1.1.0","subject":"conscious forecasts poland","issuer":"henry recognize short","fingerprints":[{"value":"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46","algorithm":"TLSH","algorithm_id":6},{"value":"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2","algorithm":"SHA-1","algorithm_id":2}],"created_time":1722951737046152,"expiration_time":1722951737046157,"serial_number":"number emotional belly"},"algorithm":"weekends","algorithm_id":99},"modifier":{"name":"Measurements","type":"User","uid":"b205d93a-53f9-11ef-97c9-0242ac110005","type_id":1,"ldap_person":{"manager":{"name":"Satisfy","type":"Unknown","domain":"combat mall responded","uid":"b205e8bc-53f9-11ef-b220-0242ac110005","org":{"name":"simulations kelkoo picture","uid":"b205fb4a-53f9-11ef-bcdf-0242ac110005","ou_name":"ntsc tab 
er"},"type_id":0},"cost_center":"believed defeat workout","given_name":"country medicine susan","job_title":"minister hugh opponent"}},"type_id":7,"accessor":{"name":"Differential","type":"User","domain":"second heaven reg","uid":"b2060720-53f9-11ef-b3d3-0242ac110005","type_id":1,"email_addr":"Iliana@easter.jobs"},"creator":{"type":"Admin","uid":"b206126a-53f9-11ef-bcf1-0242ac110005","type_id":2,"full_name":"Zelma Brady","credential_uid":"b2061990-53f9-11ef-92d2-0242ac110005"},"parent_folder":"rating malawi ash/ny.bin","hashes":[{"value":"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C","algorithm":"TLSH","algorithm_id":6},{"value":"2FACE219B9E0ACE4E7841FB7019D658D","algorithm":"MD5","algorithm_id":1}],"modified_time":1722951737048171},"user":{"name":"Smoking","type":"Admin","uid":"b20633f8-53f9-11ef-84d6-0242ac110005","groups":[{"name":"lyric cent failure","uid":"b2063dc6-53f9-11ef-be9b-0242ac110005"},{"name":"tests australian manufacturing","domain":"indonesia performances dispute","uid":"b20644a6-53f9-11ef-88ec-0242ac110005"}],"type_id":2},"uid":"b2064a96-53f9-11ef-9a3a-0242ac110005","cmd_line":"abandoned plaintiff consult","created_time":1722951737049379,"parent_process":{"name":"Shore","pid":47,"file":{"name":"grip.py","type":"Regular File","path":"travesti promotes incentives/ask.c/grip.py","type_id":1,"accessor":{"name":"Composition","type":"Unknown","uid":"b206ba3a-53f9-11ef-8d45-0242ac110005","type_id":0,"account":{"type":"Unknown","uid":"b206dd4e-53f9-11ef-8a0d-0242ac110005","type_id":0}},"parent_folder":"travesti promotes incentives/ask.c","accessed_time":1722951737053129,"confidentiality":"scholarships introducing scientific","modified_time":1722951737053154},"user":{"name":"Indicators","org":{"name":"assisted difficulty submit","uid":"b206eb0e-53f9-11ef-93f9-0242ac110005","ou_name":"hazardous oracle 
array","ou_uid":"b206f194-53f9-11ef-98e9-0242ac110005"},"uid_alt":"significant beverages mail"},"uid":"b206f84c-53f9-11ef-b820-0242ac110005","cmd_line":"age ratings employees","lineage":["gauge exists gmbh","ieee drawing bat"],"parent_process":{"name":"Vb","pid":42,"file":{"name":"hereby.txt","type":"Unknown","path":"alumni broad whatever/editing.dat/hereby.txt","type_id":0,"parent_folder":"alumni broad whatever/editing.dat","hashes":[{"value":"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794","algorithm":"SHA-512","algorithm_id":4},{"value":"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043","algorithm":"Unknown","algorithm_id":0}],"security_descriptor":"fuel horses cialis"},"uid":"b2071688-53f9-11ef-9e48-0242ac110005","cmd_line":"stuart notify nc","created_time":1722951737054600,"integrity":"argument historic decision","lineage":["gathered then container"],"parent_process":{"name":"Protect","pid":69,"file":{"name":"animation.wsf","size":668783954,"type":"Unknown","path":"action cheats collective/day.dll/animation.wsf","product":{"name":"assessed delete infection","version":"1.1.0","uid":"b2073b5e-53f9-11ef-89e3-0242ac110005","url_string":"indigenous","vendor_name":"perhaps weak mattress"},"uid":"b20742b6-53f9-11ef-b089-0242ac110005","type_id":0,"company_name":"Kay Hugo","parent_folder":"action cheats collective/day.dll","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA","algorithm":"quickXorHash","algorithm_id":7}]},"user":{"name":"Nike","type":"Unknown","uid":"b207597c-53f9-11ef-bb63-0242ac110005","type_id":0,"ldap_person":{"office_location":"signing equations keith"},"uid_alt":"earthquake race 
promises"},"tid":76,"uid":"b2076714-53f9-11ef-8876-0242ac110005","cmd_line":"accurate revenue def","created_time":1722951737056663,"integrity":"Medium","integrity_id":3,"lineage":["guidance rider vanilla","ambient glow well"]}}},"terminated_time":1722951737056691}},"xattributes":{}}},"terminated_time":1722951737056729},"terminated_time":1722951737056732}},"sandbox":"participants safer outlets"}},"user":{"uid":"b207743e-53f9-11ef-b930-0242ac110005","org":{"name":"martial makers bras","uid":"b2077cea-53f9-11ef-98a2-0242ac110005","ou_name":"announced plastic serial"},"credential_uid":"b20785dc-53f9-11ef-9a4e-0242ac110005"},"authorizations":[{},{"decision":"ssl meaning excellence"}]},"dst_endpoint":{"name":"bouquet observations flashing","port":47351,"type":"Desktop","os":{"name":"reductions loans null","type":"Unknown","type_id":0,"sp_name":"cloud heat faith"},"domain":"developer resistance cove","ip":"41.251.197.63","location":{"desc":"Angola, Republic of","city":"Extras separated","country":"AO","coordinates":[-51.2157,-88.1173],"continent":"Africa"},"hostname":"brakes.travel","uid":"b207abc0-53f9-11ef-984e-0242ac110005","type_id":2,"interface_name":"responsible ips bits","interface_uid":"b207b336-53f9-11ef-992b-0242ac110005","intermediate_ips":["43.42.170.135","161.178.9.23"],"proxy_endpoint":{"name":"ray maximum theology","port":59643,"type":"Firewall","ip":"128.28.111.51","hostname":"upcoming.biz","uid":"b207c466-53f9-11ef-9061-0242ac110005","type_id":9,"instance_uid":"b207cc90-53f9-11ef-ace5-0242ac110005","interface_name":"acts unavailable caught","interface_uid":"b207d4ec-53f9-11ef-a2a8-0242ac110005","svc_name":"xi marketplace productivity"},"svc_name":"motorcycle cnn eh"},"src_endpoint":{"name":"clerk massive hints","port":3366,"type":"Server","ip":"135.11.251.187","uid":"b207e1c6-53f9-11ef-bd79-0242ac110005","mac":"E3:9B:50:54:D4:43:80:D1","type_id":1,"instance_uid":"b207ec52-53f9-11ef-870e-0242ac110005","interface_name":"sale cut 
divided","interface_uid":"b207f38c-53f9-11ef-af93-0242ac110005","intermediate_ips":["141.220.224.128","133.184.5.152"],"svc_name":"princess realize wax"}}],"finding_info":{"title":"cocktail graphics controlled","uid":"b200a0e6-53f9-11ef-a714-0242ac110005","analytic":{"name":"shirts deutsche times","type":"Statistical","uid":"b200b234-53f9-11ef-88a2-0242ac110005","type_id":3},"first_seen_time":1722951737012703,"kill_chain":[{"phase":"Unknown","phase_id":0}],"related_events":[{"uid":"b200c6ca-53f9-11ef-88d3-0242ac110005","type_uid":1760088869}]},"risk_level":"Low","risk_level_id":1,"severity_id":2,"status_id":3} +{"message":"areas cw visa","status":"Unknown","time":1723016984120626,"metadata":{"version":"1.1.0","product":{"name":"cn caused bonus","version":"1.1.0","feature":{"version":"1.1.0","uid":"9c4f2a4a-5491-11ef-80d2-0242ac110005"},"vendor_name":"contains most val"},"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"fit grey earned","log_provider":"fragrances reducing respected","original_time":"pointed creating triangle","tenant_uid":"9c4f3792-5491-11ef-ba7c-0242ac110005"},"severity":"Medium","type_name":"Compliance Finding: Close","activity_id":3,"type_uid":200303,"category_name":"Findings","class_uid":2003,"category_uid":2,"class_name":"Compliance Finding","timezone_offset":98,"activity_name":"Close","cloud":{"provider":"video protected tea","region":"kent shakespeare marker","zone":"arrested turkey actual"},"compliance":{"control":"verse calculator changed","status":"Pass","standards":["juice sally violations","facility volume savannah"],"status_id":1},"confidence_id":0,"finding_info":{"title":"disappointed ghz egyptian","uid":"9c4ee378-5491-11ef-a51e-0242ac110005","attacks":[{"version":"12.1","tactics":[{"name":"Defense Evasion The adversary is trying to avoid being detected.","uid":"TA0005"}],"technique":{"name":"Pass the 
Ticket","uid":"T1097"}}],"analytic":{"name":"connection stones velocity","type":"Unknown","uid":"9c4f1398-5491-11ef-9918-0242ac110005","type_id":0},"src_url":"country","modified_time_dt":"2024-08-07T07:49:44.119423Z","first_seen_time_dt":"2024-08-07T07:49:44.119443Z"},"remediation":{"desc":"rw wt gives"},"severity_id":3,"status_id":0} +{"count":77,"message":"impressed asia renew","priority":"Low","status":"Closed","time":1723019525138425,"metadata":{"version":"1.1.0","extension":{"name":"stability buyers refer","version":"1.1.0","uid":"86df2204-5497-11ef-a661-0242ac110005"},"product":{"name":"momentum solely directors","version":"1.1.0","path":"ips order worse","uid":"86df2dbc-5497-11ef-9ed6-0242ac110005","lang":"en","vendor_name":"gibraltar sake ef"},"labels":["handbags","utilize"],"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"perform minneapolis sql","log_provider":"ringtones families geological","loggers":[{"name":"jc aid elsewhere","version":"1.1.0","device":{"name":"player went applicant","type":"Server","ip":"83.67.102.26","hostname":"morocco.int","uid":"86df90e0-5497-11ef-b924-0242ac110005","groups":[{"name":"credits protection thin","uid":"86df736c-5497-11ef-97bb-0242ac110005"}],"type_id":1,"autoscale_uid":"86df7b6e-5497-11ef-bbeb-0242ac110005","container":{"size":156606858,"tag":"settle sagem dod","image":{"name":"lg beautifully year","uid":"86df9f54-5497-11ef-bfb3-0242ac110005"},"hash":{"value":"967A3E0384C0E41A534A20C1853BE04257FFF441766F2B206C644657B05089ADD53DB57F2DDF977E2B27845951A83AE6BDD58AF2C692C596AFC7C8C175049D05","algorithm":"TLSH","algorithm_id":6},"network_driver":"sure sweden manufacturer"},"first_seen_time":1723019525136547,"hw_info":{"chassis":"newspaper batman rating","cpu_speed":32,"ram_size":30},"imei":"br montgomery wishlist","instance_uid":"86df8618-5497-11ef-9c0d-0242ac110005","interface_name":"commissioner mile 
specify","interface_uid":"86dfa8d2-5497-11ef-933f-0242ac110005","is_managed":true,"is_personal":false,"namespace_pid":9,"region":"dt dame formation","zone":"cigarette techniques relevance"},"product":{"name":"writings money profile","version":"1.1.0","uid":"86dfba8e-5497-11ef-a247-0242ac110005","cpe_name":"rca purchases af","vendor_name":"rule minimize holding"},"uid":"86dfc22c-5497-11ef-9d92-0242ac110005","log_name":"licking costume kde","log_provider":"clinics spectrum jackie","log_version":"picnic taiwan saddam"}],"original_time":"warehouse quilt gay","tenant_uid":"86dfcf38-5497-11ef-970b-0242ac110005"},"desc":"dress arthur je","severity":"Medium","api":{"request":{"uid":"86dfe23e-5497-11ef-ac3a-0242ac110005","containers":[{"name":"lovely examination boxing","size":3136831313,"uid":"86dffb70-5497-11ef-90e7-0242ac110005","image":{"name":"several accepting therefore","uid":"86e00bc4-5497-11ef-9d0b-0242ac110005"}},{"name":"logged warm leaders","size":2090102397,"tag":"short require the","uid":"86e0139e-5497-11ef-84cb-0242ac110005","image":{"uid":"86e02064-5497-11ef-a577-0242ac110005"},"hash":{"value":"DDC8757708FB43E4C2DD74D4BB807C29320BD22CDA6DD541DDD15CB7C33269096384474B54AABAB83A00FF1FD576755FF68DAF6DB11D4831D1489C7D07BE193A","algorithm":"SHA-512","algorithm_id":4},"network_driver":"effects colleagues committee"}]},"service":{"name":"hdtv outlook indication","version":"1.1.0","uid":"86e02ca8-5497-11ef-b385-0242ac110005"},"group":{"name":"point awarded uv","domain":"promotional identifying lenders","uid":"86e036bc-5497-11ef-991c-0242ac110005"},"response":{"error":"collect mp amounts","code":54,"message":"canada motorola tough","error_message":"aid graham dining"},"operation":"columbia nano ny"},"type_name":"Incident Finding: Other","activity_id":99,"type_uid":200599,"category_name":"Findings","class_uid":2005,"category_uid":2,"class_name":"Incident 
Finding","timezone_offset":75,"activity_name":"its","assignee":{"name":"Bills","type":"Unknown","uid":"86defec8-5497-11ef-bef8-0242ac110005","type_id":0,"account":{"name":"reef details costumes","type":"Mac OS Account","uid":"86df0b20-5497-11ef-a1d8-0242ac110005","type_id":7},"credential_uid":"86df1200-5497-11ef-87ca-0242ac110005"},"assignee_group":{"name":"convergence super lebanon","domain":"panels horse consultation","uid":"86ded1d2-5497-11ef-b1fe-0242ac110005"},"cloud":{"provider":"leone semester automated","region":"proper hip florence","zone":"proceed combines pets"},"confidence_id":3,"finding_info_list":[{"title":"rear machinery worldcat","uid":"86e0a890-5497-11ef-bbb2-0242ac110005","attacks":[{"version":"12.1","tactics":[{"name":"Resource Development | The adversary is trying to establish resources they can use to support operations.","uid":"TA0042"},{"name":"Initial Access | The adversary is trying to get into your network.","uid":"TA0001"},{"name":"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.","uid":"TA0043"}],"technique":{"name":"Web Session Cookie","uid":"T1550.004"}},{"version":"12.1","tactics":[{"name":"Execution The adversary is trying to run malicious code.","uid":"TA0002"},{"name":"Execution The adversary is trying to run malicious code.","uid":"TA0002"},{"name":"Resource Development | The adversary is trying to establish resources they can use to support operations.","uid":"TA0042"}],"technique":{"name":"Process Hollowing","uid":"T1093"}}],"analytic":{"name":"infinite samba delete","type":"Statistical","desc":"site modern hair","type_id":3},"product_uid":"86e0b678-5497-11ef-b1d6-0242ac110005","related_events":[{"uid":"86e0c384-5497-11ef-9073-0242ac110005","type_uid":2467649147}],"first_seen_time_dt":"2024-08-07T08:32:05.144678Z"}],"impact":"Low","impact_id":1,"priority_id":1,"severity_id":3,"src_url":"unity","status_id":5,"verdict":"Disregard","verdict_id":3} 
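Review bot: The generated fixtures in this hunk carry inconsistent MITRE tactic formatting and duplicate tactic entries, and the expected output should make clear how the pipeline handles both. In the Compliance Finding event the tactic name is `"Defense Evasion The adversary is trying to avoid being detected."` (no ` | ` separator), while the Incident Finding event uses `"Resource Development | The adversary is trying to establish resources ..."`; the second attacks entry in that Incident Finding also lists `TA0002` twice inside one `tactics` array. If the pipeline derives `threat.tactic.name`/`threat.tactic.id` from `finding_info.attacks[].tactics[]`, a fixture with a consistent separator (or a comment noting the generator's quirk) plus an expectation that duplicates are deduplicated would make the test meaningful rather than just locking in the generator's output. Two more values in this hunk are worth an explicit expectation: `"mac":"E3:9B:50:54:D4:43:80:D1"` on `src_endpoint` is an 8-octet MAC, so confirm the mapping to the ECS `mac` field neither fails the document nor silently produces a malformed value, and the `hashes` entries with `"algorithm":"Unknown","algorithm_id":0` and `"algorithm":"magic","algorithm_id":99` should show in the expected JSON that they are not mapped into a named `file.hash.*` field.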
diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json index 65098cbe31f8..15c9895c1bb3 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-findings.log-expected.json 
@@ -222,6 +222,1833 @@ ] } } + }, + { + "@timestamp": "2024-07-30T08:21:52.967Z", + "cloud": { + "project": { + "id": "c6b00a0c-4e4c-11ef-a1c9-0242ac110005" + }, + "provider": "loving fabulous seating", + "region": "needed costumes main" + }, + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "create", + "category": [ + "vulnerability" + ], + "end": "2024-07-30T08:21:52.967Z", + "kind": "alert", + "original": "{\"status\":\"In Progress\",\"time\":1722327712967320,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"bouquet forget occupied\",\"version\":\"1.1.0\",\"uid\":\"c6afd262-4e4c-11ef-a63c-0242ac110005\",\"feature\":{\"name\":\"updating lawyers string\",\"uid\":\"c6afdb4a-4e4c-11ef-a8c4-0242ac110005\"},\"cpe_name\":\"words geographical gets\",\"vendor_name\":\"trim massive setting\"},\"sequence\":2,\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"shall none shipped\",\"log_provider\":\"outlined produced examining\",\"original_time\":\"scope institutions int\",\"tenant_uid\":\"c6afe64e-4e4c-11ef-bcf9-0242ac110005\",\"logged_time_dt\":\"2024-07-30T08:21:52.967232Z\"},\"resource\":{\"owner\":{\"name\":\"Dude\",\"type\":\"Admin\",\"uid\":\"c6b0192a-4e4c-11ef-90f9-0242ac110005\",\"type_id\":2,\"uid_alt\":\"recommendation highs equipped\"},\"type\":\"carb le multimedia\",\"group\":{\"name\":\"resorts looking issues\"},\"namespace\":\"explain les collections\"},\"severity\":\"Fatal\",\"type_name\":\"Vulnerability Finding: Create\",\"activity_id\":1,\"type_uid\":200201,\"category_name\":\"Findings\",\"class_uid\":2002,\"category_uid\":2,\"class_name\":\"Vulnerability 
Finding\",\"start_time_dt\":\"2024-07-30T08:21:52.968170Z\",\"end_time_dt\":\"2024-07-30T08:21:52.967308Z\",\"timezone_offset\":17,\"activity_name\":\"Create\",\"actor\":{\"user\":{\"name\":\"Without\",\"type\":\"Admin\",\"uid\":\"c6af496e-4e4c-11ef-b35b-0242ac110005\",\"type_id\":2,\"account\":{\"name\":\"susan amy ventures\",\"type\":\"Windows Account\",\"uid\":\"c6af57e2-4e4c-11ef-b613-0242ac110005\",\"type_id\":2},\"credential_uid\":\"c6af5ecc-4e4c-11ef-bda8-0242ac110005\"}},\"cloud\":{\"org\":{\"name\":\"africa za springer\",\"uid\":\"c6b002c8-4e4c-11ef-b707-0242ac110005\",\"ou_name\":\"opponent const outlet\"},\"project_uid\":\"c6b00a0c-4e4c-11ef-a1c9-0242ac110005\",\"provider\":\"loving fabulous seating\",\"region\":\"needed costumes main\"},\"confidence\":\"characteristic benz automotive\",\"confidence_id\":3,\"finding_info\":{\"title\":\"vinyl lease crown\",\"uid\":\"c6af0030-4e4c-11ef-963a-0242ac110005\",\"analytic\":{\"name\":\"incentives module joyce\",\"type\":\"Rule\",\"uid\":\"c6af34ec-4e4c-11ef-a5db-0242ac110005\",\"category\":\"sanyo asus escorts\",\"type_id\":1},\"data_sources\":[\"reliable honey flexibility\"],\"created_time_dt\":\"2024-07-30T08:21:52.962788Z\",\"modified_time_dt\":\"2024-07-30T08:21:52.962804Z\"},\"severity_id\":6,\"status_id\":2,\"vulnerabilities\":[{\"title\":\"trek ae danger\",\"references\":[\"suite featured smart\",\"sanyo vbulletin contain\"],\"cve\":{\"type\":\"republicans offset expense\",\"title\":\"smilies since terminal\",\"uid\":\"c6af9176-4e4c-11ef-8fde-0242ac110005\",\"references\":[\"brass duty expected\"],\"created_time\":1722327712965081,\"cvss\":[{\"version\":\"1.1.0\",\"depth\":\"Base\",\"base_score\":97.7035,\"overall_score\":29.3613}]},\"cwe\":{\"uid\":\"c6af9f0e-4e4c-11ef-b234-0242ac110005\",\"caption\":\"blanket toshiba olympics\"},\"kb_articles\":[\"mounts el significantly\",\"newer length frost\"],\"packages\":[{\"name\":\"nuts nine horn\",\"version\":\"1.1.0\",\"architecture\":\"diana zen 
collector\"},{\"name\":\"answered absence oxygen\",\"version\":\"1.1.0\",\"release\":\"classroom virtually satisfactory\",\"architecture\":\"railway offering vietnamese\"}]},{\"references\":[\"workshop surprising ceramic\",\"grow annually mom\"],\"severity\":\"villas haiti links\",\"cve\":{\"type\":\"coaching workflow sony\",\"title\":\"jim patients rick\",\"uid\":\"c6afb07a-4e4c-11ef-9138-0242ac110005\",\"references\":[\"propecia rebecca savage\"],\"created_time\":1722327712965872,\"created_time_dt\":\"2024-07-30T08:21:52.965881Z\",\"modified_time_dt\":\"2024-07-30T08:21:52.965891Z\"},\"cwe\":{\"uid\":\"c6afba70-4e4c-11ef-8ac3-0242ac110005\"},\"kb_articles\":[\"resistant verified wiring\",\"redhead informal frankfurt\"]}]}", + "outcome": "failure", + "provider": "outlined produced examining", + "sequence": 2, + "severity": 6, + "start": "2024-07-30T08:21:52.968Z", + "type": [ + "info" + ] + }, + "ocsf": { + "activity_id": "1", + "activity_name": "Create", + "actor": { + "user": { + "account": { + "name": "susan amy ventures", + "type": "Windows Account", + "type_id": "2", + "uid": "c6af57e2-4e4c-11ef-b613-0242ac110005" + }, + "credential_uid": "c6af5ecc-4e4c-11ef-bda8-0242ac110005", + "name": "Without", + "type": "Admin", + "type_id": "2", + "uid": "c6af496e-4e4c-11ef-b35b-0242ac110005" + } + }, + "category_name": "Findings", + "category_uid": "2", + "class_name": "Vulnerability Finding", + "class_uid": "2002", + "cloud": { + "org": { + "name": "africa za springer", + "ou_name": "opponent const outlet", + "uid": "c6b002c8-4e4c-11ef-b707-0242ac110005" + }, + "project_uid": "c6b00a0c-4e4c-11ef-a1c9-0242ac110005", + "provider": "loving fabulous seating", + "region": "needed costumes main" + }, + "confidence": "characteristic benz automotive", + "confidence_id": "3", + "end_time_dt": "2024-07-30T08:21:52.967Z", + "finding_info": { + "analytic": { + "category": "sanyo asus escorts", + "name": "incentives module joyce", + "type": "Rule", + "type_id": 1, + "uid": 
"c6af34ec-4e4c-11ef-a5db-0242ac110005" + }, + "created_time_dt": "2024-07-30T08:21:52.962788Z", + "data_sources": [ + "reliable honey flexibility" + ], + "modified_time_dt": "2024-07-30T08:21:52.962804Z", + "title": "vinyl lease crown", + "uid": "c6af0030-4e4c-11ef-963a-0242ac110005" + }, + "metadata": { + "log_name": "shall none shipped", + "log_provider": "outlined produced examining", + "logged_time_dt": "2024-07-30T08:21:52.967Z", + "original_time": "scope institutions int", + "product": { + "cpe_name": "words geographical gets", + "feature": { + "name": "updating lawyers string", + "uid": "c6afdb4a-4e4c-11ef-a8c4-0242ac110005" + }, + "name": "bouquet forget occupied", + "uid": "c6afd262-4e4c-11ef-a63c-0242ac110005", + "vendor_name": "trim massive setting", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "sequence": 2, + "tenant_uid": "c6afe64e-4e4c-11ef-bcf9-0242ac110005", + "version": "1.1.0" + }, + "resources": { + "group": { + "name": "resorts looking issues" + }, + "namespace": "explain les collections", + "owner": { + "name": "Dude", + "type": "Admin", + "type_id": 2, + "uid": "c6b0192a-4e4c-11ef-90f9-0242ac110005", + "uid_alt": "recommendation highs equipped" + }, + "type": "carb le multimedia" + }, + "severity": "Fatal", + "severity_id": 6, + "start_time_dt": "2024-07-30T08:21:52.968Z", + "status": "In Progress", + "status_id": "2", + "time": "2024-07-30T08:21:52.967Z", + "timezone_offset": 17, + "type_name": "Vulnerability Finding: Create", + "type_uid": "200201", + "vulnerabilities": [ + { + "cve": { + "created_time": 1722327712965081, + "cvss": [ + { + "base_score": 97.7035, + "depth": "Base", + "overall_score": 29.3613, + "version": "1.1.0" + } + ], + "references": [ + "brass duty expected" + ], + "title": "smilies since terminal", + "type": "republicans offset expense", + "uid": "c6af9176-4e4c-11ef-8fde-0242ac110005" 
+ }, + "cwe": { + "caption": "blanket toshiba olympics", + "uid": "c6af9f0e-4e4c-11ef-b234-0242ac110005" + }, + "kb_articles": [ + "mounts el significantly", + "newer length frost" + ], + "packages": [ + { + "architecture": "diana zen collector", + "name": "nuts nine horn", + "version": "1.1.0" + }, + { + "architecture": "railway offering vietnamese", + "name": "answered absence oxygen", + "release": "classroom virtually satisfactory", + "version": "1.1.0" + } + ], + "references": [ + "suite featured smart", + "sanyo vbulletin contain" + ], + "title": "trek ae danger" + }, + { + "cve": { + "created_time": 1722327712965872, + "created_time_dt": "2024-07-30T08:21:52.965881Z", + "modified_time_dt": "2024-07-30T08:21:52.965891Z", + "references": [ + "propecia rebecca savage" + ], + "title": "jim patients rick", + "type": "coaching workflow sony", + "uid": "c6afb07a-4e4c-11ef-9138-0242ac110005" + }, + "cwe": { + "uid": "c6afba70-4e4c-11ef-8ac3-0242ac110005" + }, + "kb_articles": [ + "resistant verified wiring", + "redhead informal frankfurt" + ], + "references": [ + "workshop surprising ceramic", + "grow annually mom" + ], + "severity": "villas haiti links" + } + ] + }, + "related": { + "user": [ + "c6af496e-4e4c-11ef-b35b-0242ac110005", + "Without" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "c6af496e-4e4c-11ef-b35b-0242ac110005", + "name": "Without" + }, + "vulnerability": { + "id": [ + "c6af9176-4e4c-11ef-8fde-0242ac110005", + "c6afb07a-4e4c-11ef-9138-0242ac110005" + ], + "reference": [ + "suite featured smart", + "sanyo vbulletin contain", + "workshop surprising ceramic", + "grow annually mom" + ], + "severity": [ + "villas haiti links" + ] + } + }, + { + "@timestamp": "2024-08-06T13:42:17.015Z", + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "create", + "duration": 
19000000, + "kind": "alert", + "original": "{\"message\":\"satellite violent subscriptions\",\"status\":\"Suppressed\",\"time\":1722951737015847,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"favorite dictionary butter\",\"version\":\"1.1.0\",\"uid\":\"b201250c-53f9-11ef-a42e-0242ac110005\",\"vendor_name\":\"routing attending username\"},\"labels\":[\"paper\",\"james\"],\"profiles\":[],\"log_name\":\"variables admin absolutely\",\"log_provider\":\"facilities channels cradle\",\"log_version\":\"unless mood revised\",\"original_time\":\"complaint planning historic\"},\"severity\":\"Low\",\"duration\":19,\"resources\":[{\"owner\":{\"name\":\"Plain\",\"type\":\"Unknown\",\"uid\":\"b2005820-53f9-11ef-9b03-0242ac110005\",\"type_id\":0,\"ldap_person\":{\"deleted_time\":1722951737010636,\"job_title\":\"tp barely fancy\"}},\"version\":\"1.1.0\",\"uid\":\"b2006efa-53f9-11ef-b4fa-0242ac110005\",\"namespace\":\"inherited proceeds invalid\"},{\"owner\":{\"name\":\"Adsl\",\"type\":\"User\",\"type_id\":1},\"version\":\"1.1.0\",\"group\":{\"name\":\"m biography divx\",\"uid\":\"b200884a-53f9-11ef-b155-0242ac110005\"},\"labels\":[\"circular\",\"vip\"],\"namespace\":\"updating mic expo\",\"criticality\":\"packaging neon hearings\"}],\"type_name\":\"Detection Finding: Create\",\"activity_id\":1,\"type_uid\":200401,\"category_name\":\"Findings\",\"class_uid\":2004,\"category_uid\":2,\"class_name\":\"Detection Finding\",\"activity_name\":\"Create\",\"confidence_id\":2,\"evidences\":[{\"process\":{\"pid\":2,\"file\":{\"attributes\":61,\"name\":\"mortgages.mp3\",\"size\":3964710393,\"type\":\"Folder\",\"path\":\"match fuzzy noise/royalty.cbr/mortgages.mp3\",\"signature\":{\"certificate\":{\"uid\":\"b20156da-53f9-11ef-ae03-0242ac110005\",\"subject\":\"norwegian satisfactory collective\",\"issuer\":\"consist refers 
bite\",\"fingerprints\":[{\"value\":\"98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1722951737017011,\"expiration_time\":1722951737017020,\"serial_number\":\"headers futures rico\"},\"algorithm\":\"Authenticode\",\"algorithm_id\":4,\"created_time\":1722951737017030},\"type_id\":2,\"parent_folder\":\"match fuzzy noise/royalty.cbr\",\"hashes\":[{\"value\":\"989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}]},\"user\":{\"name\":\"Brunei\",\"type\":\"Unknown\",\"uid\":\"b20169ae-53f9-11ef-a7ab-0242ac110005\",\"type_id\":0},\"uid\":\"b2017ba6-53f9-11ef-8664-0242ac110005\",\"cmd_line\":\"cattle disk nat\",\"created_time\":1722951737017869,\"parent_process\":{\"name\":\"Districts\",\"pid\":61,\"file\":{\"name\":\"points.dat\",\"owner\":{\"name\":\"Possession\",\"type\":\"packaging\",\"uid\":\"b20198de-53f9-11ef-99e3-0242ac110005\",\"groups\":[{\"name\":\"framework chambers motorcycle\",\"domain\":\"robots opportunities auburn\",\"uid\":\"b201a2de-53f9-11ef-91ee-0242ac110005\"}],\"type_id\":99},\"type\":\"Local Socket\",\"version\":\"1.1.0\",\"path\":\"perfume cleveland crystal/database.vob/points.dat\",\"modifier\":{\"name\":\"Tower\",\"type\":\"Unknown\",\"uid\":\"b201c520-53f9-11ef-8fe7-0242ac110005\",\"org\":{\"name\":\"gabriel harmful teach\",\"uid\":\"b201cf5c-53f9-11ef-90e0-0242ac110005\",\"ou_name\":\"chapel library 
combinations\"},\"type_id\":0,\"email_addr\":\"Lynne@rated.jobs\"},\"type_id\":5,\"accessor\":{\"name\":\"Record\",\"type\":\"Unknown\",\"uid\":\"b201dc40-53f9-11ef-a0fe-0242ac110005\",\"type_id\":0,\"email_addr\":\"Zada@czech.museum\",\"ldap_person\":{\"location\":{\"desc\":\"San Marino, Republic of\",\"city\":\"Component got\",\"country\":\"SM\",\"coordinates\":[-25.0862,-71.9167],\"continent\":\"Europe\"},\"deleted_time\":1722951737020608,\"job_title\":\"tobago rubber abstracts\"}},\"parent_folder\":\"perfume cleveland crystal/database.vob\",\"hashes\":[{\"value\":\"115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"77F4DE0C4DB55DEC736561AC64C7EA6B\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time\":1722951737020691},\"user\":{\"name\":\"April\",\"type\":\"System\",\"uid\":\"b201f540-53f9-11ef-b886-0242ac110005\",\"type_id\":3,\"credential_uid\":\"b201fbb2-53f9-11ef-b9d8-0242ac110005\"},\"uid\":\"b2020184-53f9-11ef-85ea-0242ac110005\",\"cmd_line\":\"inquiries sept nil\",\"created_time\":1722951737021297,\"lineage\":[\"barbara flow indiana\"],\"parent_process\":{\"pid\":98,\"session\":{\"uid\":\"b2021138-53f9-11ef-a183-0242ac110005\",\"issuer\":\"boulder candle footwear\",\"created_time\":1722951737021699,\"is_remote\":true},\"file\":{\"name\":\"bryan.htm\",\"type\":\"Character Device\",\"path\":\"fuji collectible creator/describes.tex/bryan.htm\",\"type_id\":3,\"company_name\":\"Reagan Vincenza\",\"creator\":{\"type\":\"sydney\",\"uid\":\"b2022628-53f9-11ef-97c3-0242ac110005\",\"type_id\":99},\"mime_type\":\"numeric/produces\",\"parent_folder\":\"fuji collectible creator/describes.tex\",\"modified_time\":1722951737022248},\"user\":{\"name\":\"Inventory\",\"type\":\"User\",\"groups\":[{\"name\":\"drums brisbane belfast\",\"uid\":\"b2023438-53f9-11ef-b235-0242ac110005\"},{\"name\":\"distinction wp inquiries\",\"desc\":\"subdivision centered 
matched\",\"uid\":\"b2023b9a-53f9-11ef-8b76-0242ac110005\"}],\"type_id\":1,\"credential_uid\":\"b20243f6-53f9-11ef-995a-0242ac110005\",\"email_addr\":\"Salena@tour.coop\",\"uid_alt\":\"headline press postal\"},\"uid\":\"b2024b62-53f9-11ef-85ae-0242ac110005\",\"cmd_line\":\"correlation jd nintendo\",\"created_time\":1722951737023185,\"xattributes\":{}},\"terminated_time\":1722951737023238}},\"file\":{\"name\":\"pounds.sdf\",\"type\":\"footwear\",\"path\":\"bent hostel listed/knives.fnt/pounds.sdf\",\"product\":{\"name\":\"soldier ut outer\",\"version\":\"1.1.0\",\"uid\":\"b20268d6-53f9-11ef-8389-0242ac110005\",\"vendor_name\":\"prototype blog convertible\"},\"type_id\":99,\"mime_type\":\"quit/helen\",\"parent_folder\":\"bent hostel listed/knives.fnt\",\"hashes\":[{\"value\":\"05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3}],\"modified_time\":1722951737024064},\"query\":{\"type\":\"rrp look city\",\"hostname\":\"monroe.museum\",\"class\":\"researcher promotions theaters\",\"opcode_id\":3,\"packet_uid\":42},\"connection_info\":{\"uid\":\"b2027e84-53f9-11ef-beec-0242ac110005\",\"direction\":\"Outbound\",\"direction_id\":2,\"protocol_num\":63,\"tcp_flags\":39},\"api\":{\"request\":{\"data\":\"courier\",\"uid\":\"b2028ac8-53f9-11ef-bcf3-0242ac110005\"},\"response\":{\"error\":\"commissioner kill madness\",\"code\":48,\"error_message\":\"whale holdings lol\"},\"operation\":\"prophet disabled joel\"},\"actor\":{\"process\":{\"pid\":53,\"file\":{\"name\":\"travel.ico\",\"type\":\"Regular File\",\"path\":\"choice estates triple/connecticut.rom/travel.ico\",\"type_id\":1,\"accessor\":{\"name\":\"Japanese\",\"type\":\"User\",\"type_id\":1,\"ldap_person\":{\"hire_time\":1722951737025505,\"ldap_dn\":\"essentials incomplete 
main\"},\"uid_alt\":\"cassette dust evidence\"},\"parent_folder\":\"choice estates triple/connecticut.rom\",\"confidentiality\":\"nation fishing professional\",\"hashes\":[{\"value\":\"DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"is_system\":false,\"security_descriptor\":\"burden authentication flashing\"},\"user\":{\"name\":\"Families\",\"type\":\"System\",\"domain\":\"authors subjects animal\",\"uid\":\"b202b3e0-53f9-11ef-bc91-0242ac110005\",\"groups\":[{\"name\":\"graphic university chile\",\"uid\":\"b202c178-53f9-11ef-b0e0-0242ac110005\"},{\"name\":\"departure projects eastern\",\"type\":\"direct hoping harder\",\"uid\":\"b202c876-53f9-11ef-99bc-0242ac110005\",\"privileges\":[\"camcorders hazardous occurred\",\"strong wav finland\"]}],\"type_id\":3,\"email_addr\":\"Hugh@vb.aero\",\"ldap_person\":{\"location\":{\"desc\":\"Libyan Arab Jamahiriya\",\"city\":\"Relaxation depend\",\"country\":\"LY\",\"coordinates\":[72.6769,27.7735],\"continent\":\"Africa\"},\"manager\":{\"name\":\"Titles\",\"type\":\"System\",\"domain\":\"many tvs hand\",\"uid\":\"b202da8c-53f9-11ef-a9a8-0242ac110005\",\"org\":{\"name\":\"declare commit gathering\",\"uid\":\"b202e55e-53f9-11ef-90d3-0242ac110005\"},\"type_id\":3,\"credential_uid\":\"b202eba8-53f9-11ef-a0ef-0242ac110005\"},\"job_title\":\"evident gotten tcp\",\"ldap_cn\":\"ran experiences isolation\"}},\"uid\":\"b202f3be-53f9-11ef-9c3b-0242ac110005\",\"cmd_line\":\"hydrogen reporting ensemble\",\"created_time\":1722951737027494,\"integrity\":\"extra dial 
resolved\",\"parent_process\":{\"name\":\"Findings\",\"file\":{\"name\":\"crude.sh\",\"owner\":{\"type\":\"Admin\",\"uid\":\"b2031308-53f9-11ef-b2f8-0242ac110005\",\"groups\":[{\"uid\":\"b2031cd6-53f9-11ef-b786-0242ac110005\"},{\"name\":\"wrap smile durham\",\"uid\":\"b2032866-53f9-11ef-bf54-0242ac110005\",\"privileges\":[\"preventing security wales\",\"protest membership rs\"]}],\"type_id\":2},\"type\":\"Block Device\",\"path\":\"hub clarity henderson/mailing.rss/crude.sh\",\"product\":{\"name\":\"fund groundwater dom\",\"version\":\"1.1.0\",\"uid\":\"b2033324-53f9-11ef-ba5b-0242ac110005\",\"feature\":{\"name\":\"producer depot financing\",\"version\":\"1.1.0\",\"uid\":\"b2033bc6-53f9-11ef-91fe-0242ac110005\"},\"cpe_name\":\"oven regulatory dairy\",\"vendor_name\":\"disney intel antibody\"},\"type_id\":4,\"parent_folder\":\"hub clarity henderson/mailing.rss\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"security_descriptor\":\"cross organic bookings\",\"xattributes\":{}},\"user\":{\"name\":\"Adjust\",\"domain\":\"wrong expanding proposal\",\"uid\":\"b2034c56-53f9-11ef-aed8-0242ac110005\",\"credential_uid\":\"b203526e-53f9-11ef-9e92-0242ac110005\",\"email_addr\":\"Gerry@poker.biz\"},\"uid\":\"b20358d6-53f9-11ef-939b-0242ac110005\",\"cmd_line\":\"arrested suits personally\",\"created_time\":1722951737030083,\"parent_process\":{\"name\":\"Poverty\",\"pid\":42,\"file\":{\"name\":\"sad.kml\",\"type\":\"Unknown\",\"path\":\"random horse 
explained/soap.csv/sad.kml\",\"signature\":{\"digest\":{\"value\":\"A24F695AAF92949E2578A874832FF516\",\"algorithm\":\"MD5\",\"algorithm_id\":1},\"certificate\":{\"version\":\"1.1.0\",\"uid\":\"b2037334-53f9-11ef-880c-0242ac110005\",\"subject\":\"delay prairie cents\",\"issuer\":\"thought loans celebrate\",\"fingerprints\":[{\"value\":\"70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802\",\"algorithm\":\"CTPH\",\"algorithm_id\":5},{\"value\":\"054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"created_time\":1722951737030958,\"expiration_time\":1722951737030965,\"serial_number\":\"concerned arthritis beam\"},\"algorithm\":\"Authenticode\",\"algorithm_id\":4,\"developer_uid\":\"b2038324-53f9-11ef-a9fd-0242ac110005\"},\"uid\":\"b2038928-53f9-11ef-93ab-0242ac110005\",\"type_id\":0,\"accessor\":{\"name\":\"Affordable\",\"type\":\"User\",\"domain\":\"mill nest ministers\",\"uid\":\"b2039418-53f9-11ef-ace2-0242ac110005\",\"type_id\":1,\"full_name\":\"Thu Dewitt\",\"account\":{\"name\":\"provider queensland warranties\",\"type\":\"AWS Account\",\"uid\":\"b2039db4-53f9-11ef-ac2d-0242ac110005\",\"type_id\":10}},\"parent_folder\":\"random horse explained/soap.csv\",\"hashes\":[{\"value\":\"552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"DCF06E858132CA1EDC2384EBDF0200885DD2AC3F\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"modified_time\":1722951737031923},\"user\":{\"name\":\"Continuously\",\"type\":\"cassette\",\"uid\":\"b203c596-53f9-11ef-9213-0242ac110005\",\"org\":{\"name\":\"vitamins causes lg\",\"uid\":\"b203cf64-53f9-11ef-a9e6-0242ac110005\",\"ou_name\":\"most worcester generator\"},\"type_id\":99,\"full_name\":\"Manie 
Demetra\",\"ldap_person\":{\"labels\":[\"results\",\"considered\"],\"deleted_time\":1722951737033239,\"email_addrs\":[\"Joeann@trials.com\",\"Enrique@zshops.int\"],\"last_login_time\":1722951737033262,\"modified_time\":1722951737033265}},\"tid\":39,\"uid\":\"b203dc7a-53f9-11ef-8a2b-0242ac110005\",\"created_time\":1722951737033438,\"integrity\":\"Protected\",\"integrity_id\":6,\"lineage\":[\"arab comparison charlotte\",\"namibia republicans decorative\"],\"parent_process\":{\"name\":\"Labs\",\"pid\":22,\"session\":{\"terminal\":\"signals click categories\",\"uid\":\"b203f264-53f9-11ef-9ec3-0242ac110005\",\"created_time\":1722951737034000,\"is_remote\":false},\"file\":{\"name\":\"leaders.ged\",\"type\":\"anthony\",\"path\":\"zimbabwe co hyundai/telecom.rom/leaders.ged\",\"type_id\":99,\"parent_folder\":\"zimbabwe co hyundai/telecom.rom\",\"hashes\":[{\"value\":\"FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},{\"value\":\"B336DF698D12AC8E54570BA6EA2679F0\",\"algorithm\":\"MD5\",\"algorithm_id\":1}]},\"user\":{\"type\":\"tears\",\"org\":{\"name\":\"bye lenses alabama\",\"uid\":\"b2040b0a-53f9-11ef-98b5-0242ac110005\",\"ou_name\":\"antiques compliant tutorial\",\"ou_uid\":\"b204153c-53f9-11ef-a6ea-0242ac110005\"},\"type_id\":99},\"uid\":\"b2042360-53f9-11ef-9794-0242ac110005\",\"cmd_line\":\"windsor installed invite\",\"created_time\":1722951737035272,\"parent_process\":{\"name\":\"Asus\",\"pid\":64,\"session\":{\"uid\":\"b2048058-53f9-11ef-8e0f-0242ac110005\",\"uuid\":\"b20486ca-53f9-11ef-9010-0242ac110005\",\"issuer\":\"planner providence titles\",\"created_time\":1722951737037814,\"credential_uid\":\"b2048dfa-53f9-11ef-8e51-0242ac110005\",\"is_remote\":true},\"file\":{\"name\":\"badge.avi\",\"type\":\"Unknown\",\"path\":\"showed conf 
citizenship/alto.csr/badge.avi\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"voters crazy chelsea\",\"issuer\":\"balance rip flags\",\"fingerprints\":[{\"value\":\"AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}],\"created_time\":1722951737038366,\"expiration_time\":1722951737038371,\"serial_number\":\"generally grande babies\"},\"algorithm\":\"RSA\",\"algorithm_id\":2,\"developer_uid\":\"b204a4e8-53f9-11ef-a45f-0242ac110005\"},\"desc\":\"jersey pod crafts\",\"type_id\":0,\"mime_type\":\"minimal/wisconsin\",\"parent_folder\":\"showed conf citizenship/alto.csr\",\"hashes\":[{\"value\":\"5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},{\"value\":\"1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453\",\"algorithm\":\"magic\",\"algorithm_id\":99}]},\"user\":{\"name\":\"Churches\",\"type\":\"User\",\"uid\":\"b204b8ca-53f9-11ef-ae39-0242ac110005\",\"org\":{\"name\":\"asking bookmark builders\",\"ou_name\":\"nightlife fragrance into\"},\"type_id\":1,\"account\":{\"name\":\"essential wishing wanted\",\"type\":\"Windows Account\",\"uid\":\"b204c8ce-53f9-11ef-9832-0242ac110005\",\"type_id\":2}},\"uid\":\"b204cf68-53f9-11ef-9210-0242ac110005\",\"loaded_modules\":[\"/condition/tunisia/phillips/accounting/tension.pkg\",\"/argue/aboriginal/connectors/journal/clinic.dcr\"],\"cmd_line\":\"dryer thereby reliable\",\"created_time\":1722951737039702,\"parent_process\":{\"name\":\"Multi\",\"pid\":51,\"file\":{\"attributes\":37,\"name\":\"option.swf\",\"type\":\"Block Device\",\"path\":\"associate spas climb/canadian.rar/option.swf\",\"product\":{\"name\":\"or dynamic distinguished\",\"version\":\"1.1.0\",\"path\":\"weddings competent korea\",\"uid\":\"b205092e-53f9-11ef-b82a-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"hunt vitamins 
columns\"},\"type_id\":4,\"accessor\":{\"name\":\"Finish\",\"type\":\"System\",\"uid\":\"b205141e-53f9-11ef-bef4-0242ac110005\",\"groups\":[{\"name\":\"tablet drivers broader\",\"domain\":\"orange says vegetation\",\"uid\":\"b2051dd8-53f9-11ef-9d88-0242ac110005\"},{\"name\":\"rid planets gp\",\"domain\":\"antique hans ez\",\"uid\":\"b20524b8-53f9-11ef-bfc7-0242ac110005\",\"privileges\":[\"obesity descriptions paintball\"]}],\"type_id\":3},\"parent_folder\":\"associate spas climb/canadian.rar\",\"hashes\":[{\"value\":\"D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1\",\"algorithm\":\"magic\",\"algorithm_id\":99},{\"value\":\"E16704D9E243B23B4F4E557748D6EEF6\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"security_descriptor\":\"sentences angela guides\"},\"user\":{\"name\":\"Auditor\",\"domain\":\"france designer commissioner\",\"uid\":\"b2053246-53f9-11ef-8f1f-0242ac110005\",\"groups\":[{\"name\":\"front license tide\",\"type\":\"scope nebraska suffered\",\"uid\":\"b2054b5a-53f9-11ef-b10c-0242ac110005\"},{\"name\":\"belts transform phone\",\"type\":\"ir paul vector\",\"uid\":\"b2055956-53f9-11ef-bac5-0242ac110005\"}]},\"cmd_line\":\"int assets shanghai\",\"created_time\":1722951737043210,\"integrity\":\"philip energy traveler\",\"parent_process\":{\"name\":\"Auctions\",\"pid\":97,\"file\":{\"name\":\"mainland.sav\",\"type\":\"Character Device\",\"path\":\"easter advert gregory/briefing.vcd/mainland.sav\",\"uid\":\"b2057062-53f9-11ef-b33c-0242ac110005\",\"type_id\":3,\"company_name\":\"Shay Geoffrey\",\"mime_type\":\"came/dui\",\"parent_folder\":\"easter advert gregory/briefing.vcd\",\"hashes\":[{\"value\":\"D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171\",\"algorithm\":\"TLSH\",\"algorithm_id\":6}],\"security_descriptor\":\"ugly embedded 
sql\"},\"user\":{\"name\":\"Yahoo\",\"uid\":\"b20585de-53f9-11ef-a722-0242ac110005\"},\"uid\":\"b2058d2c-53f9-11ef-9c93-0242ac110005\",\"cmd_line\":\"computers qt caribbean\",\"created_time\":1722951737044530,\"integrity\":\"classifieds conceptual contest\",\"parent_process\":{\"name\":\"Portable\",\"pid\":15,\"user\":{\"name\":\"Camel\",\"type\":\"System\",\"uid\":\"b205a618-53f9-11ef-b616-0242ac110005\",\"type_id\":3},\"uid\":\"b205ac6c-53f9-11ef-b326-0242ac110005\",\"cmd_line\":\"letter agencies family\",\"created_time\":1722951737045332,\"parent_process\":{\"name\":\"Weed\",\"pid\":38,\"file\":{\"name\":\"leslie.indd\",\"type\":\"Symbolic Link\",\"path\":\"rating malawi ash/ny.bin/leslie.indd\",\"signature\":{\"certificate\":{\"version\":\"1.1.0\",\"subject\":\"conscious forecasts poland\",\"issuer\":\"henry recognize short\",\"fingerprints\":[{\"value\":\"3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"created_time\":1722951737046152,\"expiration_time\":1722951737046157,\"serial_number\":\"number emotional belly\"},\"algorithm\":\"weekends\",\"algorithm_id\":99},\"modifier\":{\"name\":\"Measurements\",\"type\":\"User\",\"uid\":\"b205d93a-53f9-11ef-97c9-0242ac110005\",\"type_id\":1,\"ldap_person\":{\"manager\":{\"name\":\"Satisfy\",\"type\":\"Unknown\",\"domain\":\"combat mall responded\",\"uid\":\"b205e8bc-53f9-11ef-b220-0242ac110005\",\"org\":{\"name\":\"simulations kelkoo picture\",\"uid\":\"b205fb4a-53f9-11ef-bcdf-0242ac110005\",\"ou_name\":\"ntsc tab er\"},\"type_id\":0},\"cost_center\":\"believed defeat workout\",\"given_name\":\"country medicine susan\",\"job_title\":\"minister hugh opponent\"}},\"type_id\":7,\"accessor\":{\"name\":\"Differential\",\"type\":\"User\",\"domain\":\"second heaven 
reg\",\"uid\":\"b2060720-53f9-11ef-b3d3-0242ac110005\",\"type_id\":1,\"email_addr\":\"Iliana@easter.jobs\"},\"creator\":{\"type\":\"Admin\",\"uid\":\"b206126a-53f9-11ef-bcf1-0242ac110005\",\"type_id\":2,\"full_name\":\"Zelma Brady\",\"credential_uid\":\"b2061990-53f9-11ef-92d2-0242ac110005\"},\"parent_folder\":\"rating malawi ash/ny.bin\",\"hashes\":[{\"value\":\"80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"2FACE219B9E0ACE4E7841FB7019D658D\",\"algorithm\":\"MD5\",\"algorithm_id\":1}],\"modified_time\":1722951737048171},\"user\":{\"name\":\"Smoking\",\"type\":\"Admin\",\"uid\":\"b20633f8-53f9-11ef-84d6-0242ac110005\",\"groups\":[{\"name\":\"lyric cent failure\",\"uid\":\"b2063dc6-53f9-11ef-be9b-0242ac110005\"},{\"name\":\"tests australian manufacturing\",\"domain\":\"indonesia performances dispute\",\"uid\":\"b20644a6-53f9-11ef-88ec-0242ac110005\"}],\"type_id\":2},\"uid\":\"b2064a96-53f9-11ef-9a3a-0242ac110005\",\"cmd_line\":\"abandoned plaintiff consult\",\"created_time\":1722951737049379,\"parent_process\":{\"name\":\"Shore\",\"pid\":47,\"file\":{\"name\":\"grip.py\",\"type\":\"Regular File\",\"path\":\"travesti promotes incentives/ask.c/grip.py\",\"type_id\":1,\"accessor\":{\"name\":\"Composition\",\"type\":\"Unknown\",\"uid\":\"b206ba3a-53f9-11ef-8d45-0242ac110005\",\"type_id\":0,\"account\":{\"type\":\"Unknown\",\"uid\":\"b206dd4e-53f9-11ef-8a0d-0242ac110005\",\"type_id\":0}},\"parent_folder\":\"travesti promotes incentives/ask.c\",\"accessed_time\":1722951737053129,\"confidentiality\":\"scholarships introducing scientific\",\"modified_time\":1722951737053154},\"user\":{\"name\":\"Indicators\",\"org\":{\"name\":\"assisted difficulty submit\",\"uid\":\"b206eb0e-53f9-11ef-93f9-0242ac110005\",\"ou_name\":\"hazardous oracle array\",\"ou_uid\":\"b206f194-53f9-11ef-98e9-0242ac110005\"},\"uid_alt\":\"significant beverages 
mail\"},\"uid\":\"b206f84c-53f9-11ef-b820-0242ac110005\",\"cmd_line\":\"age ratings employees\",\"lineage\":[\"gauge exists gmbh\",\"ieee drawing bat\"],\"parent_process\":{\"name\":\"Vb\",\"pid\":42,\"file\":{\"name\":\"hereby.txt\",\"type\":\"Unknown\",\"path\":\"alumni broad whatever/editing.dat/hereby.txt\",\"type_id\":0,\"parent_folder\":\"alumni broad whatever/editing.dat\",\"hashes\":[{\"value\":\"0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}],\"security_descriptor\":\"fuel horses cialis\"},\"uid\":\"b2071688-53f9-11ef-9e48-0242ac110005\",\"cmd_line\":\"stuart notify nc\",\"created_time\":1722951737054600,\"integrity\":\"argument historic decision\",\"lineage\":[\"gathered then container\"],\"parent_process\":{\"name\":\"Protect\",\"pid\":69,\"file\":{\"name\":\"animation.wsf\",\"size\":668783954,\"type\":\"Unknown\",\"path\":\"action cheats collective/day.dll/animation.wsf\",\"product\":{\"name\":\"assessed delete infection\",\"version\":\"1.1.0\",\"uid\":\"b2073b5e-53f9-11ef-89e3-0242ac110005\",\"url_string\":\"indigenous\",\"vendor_name\":\"perhaps weak mattress\"},\"uid\":\"b20742b6-53f9-11ef-b089-0242ac110005\",\"type_id\":0,\"company_name\":\"Kay Hugo\",\"parent_folder\":\"action cheats collective/day.dll\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}]},\"user\":{\"name\":\"Nike\",\"type\":\"Unknown\",\"uid\":\"b207597c-53f9-11ef-bb63-0242ac110005\",\"type_id\":0,\"ldap_person\":{\"office_location\":\"signing equations 
keith\"},\"uid_alt\":\"earthquake race promises\"},\"tid\":76,\"uid\":\"b2076714-53f9-11ef-8876-0242ac110005\",\"cmd_line\":\"accurate revenue def\",\"created_time\":1722951737056663,\"integrity\":\"Medium\",\"integrity_id\":3,\"lineage\":[\"guidance rider vanilla\",\"ambient glow well\"]}}},\"terminated_time\":1722951737056691}},\"xattributes\":{}}},\"terminated_time\":1722951737056729},\"terminated_time\":1722951737056732}},\"sandbox\":\"participants safer outlets\"}},\"user\":{\"uid\":\"b207743e-53f9-11ef-b930-0242ac110005\",\"org\":{\"name\":\"martial makers bras\",\"uid\":\"b2077cea-53f9-11ef-98a2-0242ac110005\",\"ou_name\":\"announced plastic serial\"},\"credential_uid\":\"b20785dc-53f9-11ef-9a4e-0242ac110005\"},\"authorizations\":[{},{\"decision\":\"ssl meaning excellence\"}]},\"dst_endpoint\":{\"name\":\"bouquet observations flashing\",\"port\":47351,\"type\":\"Desktop\",\"os\":{\"name\":\"reductions loans null\",\"type\":\"Unknown\",\"type_id\":0,\"sp_name\":\"cloud heat faith\"},\"domain\":\"developer resistance cove\",\"ip\":\"41.251.197.63\",\"location\":{\"desc\":\"Angola, Republic of\",\"city\":\"Extras separated\",\"country\":\"AO\",\"coordinates\":[-51.2157,-88.1173],\"continent\":\"Africa\"},\"hostname\":\"brakes.travel\",\"uid\":\"b207abc0-53f9-11ef-984e-0242ac110005\",\"type_id\":2,\"interface_name\":\"responsible ips bits\",\"interface_uid\":\"b207b336-53f9-11ef-992b-0242ac110005\",\"intermediate_ips\":[\"43.42.170.135\",\"161.178.9.23\"],\"proxy_endpoint\":{\"name\":\"ray maximum theology\",\"port\":59643,\"type\":\"Firewall\",\"ip\":\"128.28.111.51\",\"hostname\":\"upcoming.biz\",\"uid\":\"b207c466-53f9-11ef-9061-0242ac110005\",\"type_id\":9,\"instance_uid\":\"b207cc90-53f9-11ef-ace5-0242ac110005\",\"interface_name\":\"acts unavailable caught\",\"interface_uid\":\"b207d4ec-53f9-11ef-a2a8-0242ac110005\",\"svc_name\":\"xi marketplace productivity\"},\"svc_name\":\"motorcycle cnn eh\"},\"src_endpoint\":{\"name\":\"clerk massive 
hints\",\"port\":3366,\"type\":\"Server\",\"ip\":\"135.11.251.187\",\"uid\":\"b207e1c6-53f9-11ef-bd79-0242ac110005\",\"mac\":\"E3:9B:50:54:D4:43:80:D1\",\"type_id\":1,\"instance_uid\":\"b207ec52-53f9-11ef-870e-0242ac110005\",\"interface_name\":\"sale cut divided\",\"interface_uid\":\"b207f38c-53f9-11ef-af93-0242ac110005\",\"intermediate_ips\":[\"141.220.224.128\",\"133.184.5.152\"],\"svc_name\":\"princess realize wax\"}}],\"finding_info\":{\"title\":\"cocktail graphics controlled\",\"uid\":\"b200a0e6-53f9-11ef-a714-0242ac110005\",\"analytic\":{\"name\":\"shirts deutsche times\",\"type\":\"Statistical\",\"uid\":\"b200b234-53f9-11ef-88a2-0242ac110005\",\"type_id\":3},\"first_seen_time\":1722951737012703,\"kill_chain\":[{\"phase\":\"Unknown\",\"phase_id\":0}],\"related_events\":[{\"uid\":\"b200c6ca-53f9-11ef-88d3-0242ac110005\",\"type_uid\":1760088869}]},\"risk_level\":\"Low\",\"risk_level_id\":1,\"severity_id\":2,\"status_id\":3}", + "provider": "facilities channels cradle", + "severity": 2, + "type": [ + "info" + ] + }, + "message": "satellite violent subscriptions", + "ocsf": { + "activity_id": "1", + "activity_name": "Create", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Detection Finding", + "class_uid": "2004", + "confidence_id": "2", + "duration": 19, + "evidences": [ + { + "actor": { + "authorizations": [ + { + "decision": "ssl meaning excellence" + } + ], + "process": { + "cmd_line": "hydrogen reporting ensemble", + "created_time": 1722951737027494, + "file": { + "accessor": { + "ldap_person": { + "hire_time": 1722951737025505, + "ldap_dn": "essentials incomplete main" + }, + "name": "Japanese", + "type": "User", + "type_id": 1, + "uid_alt": "cassette dust evidence" + }, + "confidentiality": "nation fishing professional", + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "DE54555CB12989F6314B6AE9DDF8FE4F8AD41F970C0D21D5A4D8B7E6C6437A9F" + }, + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": 
"C989A5E557F5C7289ABE62F83373C88BDD0E698C72F8C8F511BF4E9E601E3C053FA00EA8B181974F5CDF25BA86E8C9FB4A717B9F8A672E6F45A4DFCEC39E529F" + } + ], + "is_system": false, + "name": "travel.ico", + "parent_folder": "choice estates triple/connecticut.rom", + "path": "choice estates triple/connecticut.rom/travel.ico", + "security_descriptor": "burden authentication flashing", + "type": "Regular File", + "type_id": 1 + }, + "integrity": "extra dial resolved", + "parent_process": { + "cmd_line": "arrested suits personally", + "created_time": 1722951737030083, + "file": { + "confidentiality": "Unknown", + "confidentiality_id": 0, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "5894ABC3288BA9FA689F8E5C7EF19816EA9839E4986E552B491A1ABF2D3F5F45738F7B3A0B53C15A19FD24B1B7402365D44871C3D6F00537E075A0007E7E261A" + }, + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "A6DFAEBD54AB8C6EE7D571201347BC0C5FC04F3599B22FAF9AE6A142D72CB65DE290302FA9AD807BAD6F5F0648F8BF5497C6EE43AAF960B7C3137C8CB706E183" + } + ], + "name": "crude.sh", + "owner": { + "groups": [ + { + "uid": "b2031cd6-53f9-11ef-b786-0242ac110005" + }, + { + "name": "wrap smile durham", + "privileges": [ + "preventing security wales", + "protest membership rs" + ], + "uid": "b2032866-53f9-11ef-bf54-0242ac110005" + } + ], + "type": "Admin", + "type_id": 2, + "uid": "b2031308-53f9-11ef-b2f8-0242ac110005" + }, + "parent_folder": "hub clarity henderson/mailing.rss", + "path": "hub clarity henderson/mailing.rss/crude.sh", + "product": { + "cpe_name": "oven regulatory dairy", + "feature": { + "name": "producer depot financing", + "uid": "b2033bc6-53f9-11ef-91fe-0242ac110005", + "version": "1.1.0" + }, + "name": "fund groundwater dom", + "uid": "b2033324-53f9-11ef-ba5b-0242ac110005", + "vendor_name": "disney intel antibody", + "version": "1.1.0" + }, + "security_descriptor": "cross organic bookings", + "type": "Block Device", + "type_id": 4 + }, + "name": "Findings", + "parent_process": { + 
"created_time": 1722951737033438, + "file": { + "accessor": { + "account": { + "name": "provider queensland warranties", + "type": "AWS Account", + "type_id": 10, + "uid": "b2039db4-53f9-11ef-ac2d-0242ac110005" + }, + "domain": "mill nest ministers", + "full_name": "Thu Dewitt", + "name": "Affordable", + "type": "User", + "type_id": 1, + "uid": "b2039418-53f9-11ef-ace2-0242ac110005" + }, + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "552BDF4BBC9329B555B93E7C9B6A38F36C6EDB58B0E7FCA0392F79528CC1B9E6" + }, + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "DCF06E858132CA1EDC2384EBDF0200885DD2AC3F" + } + ], + "modified_time": 1722951737031923, + "name": "sad.kml", + "parent_folder": "random horse explained/soap.csv", + "path": "random horse explained/soap.csv/sad.kml", + "signature": { + "algorithm": "Authenticode", + "algorithm_id": 4, + "certificate": { + "created_time": 1722951737030958, + "expiration_time": 1722951737030965, + "fingerprints": [ + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "70CE515C96733618D3639DA3699227EEF2615296002DB79CFAE31A49F04D171107F820A86048A8A742037DA40CE56FEB5AF132CF0557508C821508DED8E25802" + }, + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "054F4E3613BCAA252DED4DEC5193B4207F68218A0B57BD676DE5EA08E59343D24FEB8AC279470FB94F032C25AEE110A24BD17FC0EB41182E767A7710BD0F2082" + } + ], + "issuer": "thought loans celebrate", + "serial_number": "concerned arthritis beam", + "subject": "delay prairie cents", + "uid": "b2037334-53f9-11ef-880c-0242ac110005", + "version": "1.1.0" + }, + "developer_uid": "b2038324-53f9-11ef-a9fd-0242ac110005", + "digest": { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "A24F695AAF92949E2578A874832FF516" + } + }, + "type": "Unknown", + "type_id": 0, + "uid": "b2038928-53f9-11ef-93ab-0242ac110005" + }, + "integrity": "Protected", + "integrity_id": 6, + "lineage": [ + "arab comparison charlotte", + "namibia republicans decorative" + ], + "name": 
"Poverty", + "parent_process": { + "cmd_line": "windsor installed invite", + "created_time": 1722951737035272, + "file": { + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "FBBED8C2F97068EC6807B00BE7C3183932F576D73C208D1D8ABD78AAC60411FF78D7442895C204E292CFA8F6FAC25EC3FEE7954AA27C6024B6F47D3A5BEF4AC2" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "B336DF698D12AC8E54570BA6EA2679F0" + } + ], + "name": "leaders.ged", + "parent_folder": "zimbabwe co hyundai/telecom.rom", + "path": "zimbabwe co hyundai/telecom.rom/leaders.ged", + "type": "anthony", + "type_id": 99 + }, + "name": "Labs", + "parent_process": { + "cmd_line": "dryer thereby reliable", + "created_time": 1722951737039702, + "file": { + "desc": "jersey pod crafts", + "hashes": [ + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "5B612EDB571C479D1A33C2355B8933EF943BD5715B25116AAF91DBF3A842C2BD" + }, + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "1A41B0D707D5D14EA20C1DD0A10CED258A1322589440FD67387BED26CE48E453" + } + ], + "mime_type": "minimal/wisconsin", + "name": "badge.avi", + "parent_folder": "showed conf citizenship/alto.csr", + "path": "showed conf citizenship/alto.csr/badge.avi", + "signature": { + "algorithm": "RSA", + "algorithm_id": 2, + "certificate": { + "created_time": 1722951737038366, + "expiration_time": 1722951737038371, + "fingerprints": [ + { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "AD9B86237F7CD511073B023864629995D42D434D7A9A3DE38CC9C353E9263BCA131C239C9851342A16967895231B1436AA8DBBD6229A517C76E3539639BDCEDD" + } + ], + "issuer": "balance rip flags", + "serial_number": "generally grande babies", + "subject": "voters crazy chelsea", + "version": "1.1.0" + }, + "developer_uid": "b204a4e8-53f9-11ef-a45f-0242ac110005" + }, + "type": "Unknown", + "type_id": 0 + }, + "loaded_modules": [ + "/condition/tunisia/phillips/accounting/tension.pkg", + "/argue/aboriginal/connectors/journal/clinic.dcr" + ], + "name": 
"Asus", + "parent_process": { + "cmd_line": "int assets shanghai", + "created_time": 1722951737043210, + "file": { + "accessor": { + "groups": [ + { + "domain": "orange says vegetation", + "name": "tablet drivers broader", + "uid": "b2051dd8-53f9-11ef-9d88-0242ac110005" + }, + { + "domain": "antique hans ez", + "name": "rid planets gp", + "privileges": [ + "obesity descriptions paintball" + ], + "uid": "b20524b8-53f9-11ef-bfc7-0242ac110005" + } + ], + "name": "Finish", + "type": "System", + "type_id": 3, + "uid": "b205141e-53f9-11ef-bef4-0242ac110005" + }, + "attributes": 37, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "D5924A11CBADB27A986421344623CBFE538FD3F096A9A0FDC3F0BC302F3EC0C1" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "E16704D9E243B23B4F4E557748D6EEF6" + } + ], + "name": "option.swf", + "parent_folder": "associate spas climb/canadian.rar", + "path": "associate spas climb/canadian.rar/option.swf", + "product": { + "lang": "en", + "name": "or dynamic distinguished", + "path": "weddings competent korea", + "uid": "b205092e-53f9-11ef-b82a-0242ac110005", + "vendor_name": "hunt vitamins columns", + "version": "1.1.0" + }, + "security_descriptor": "sentences angela guides", + "type": "Block Device", + "type_id": 4 + }, + "integrity": "philip energy traveler", + "name": "Multi", + "parent_process": { + "cmd_line": "computers qt caribbean", + "created_time": 1722951737044530, + "file": { + "company_name": "Shay Geoffrey", + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "D28CCA18F2C34C4120D0689FFD9EE4F4FFEAE0402B7C59A202FA980D9359A4E54BF2289BF5ED8C083B3EC8735F44C955DB680854EEF42D53E126839B635DA171" + } + ], + "mime_type": "came/dui", + "name": "mainland.sav", + "parent_folder": "easter advert gregory/briefing.vcd", + "path": "easter advert gregory/briefing.vcd/mainland.sav", + "security_descriptor": "ugly embedded sql", + "type": "Character Device", + "type_id": 3, + "uid": 
"b2057062-53f9-11ef-b33c-0242ac110005" + }, + "integrity": "classifieds conceptual contest", + "name": "Auctions", + "parent_process": { + "cmd_line": "letter agencies family", + "created_time": 1722951737045332, + "name": "Portable", + "parent_process": { + "cmd_line": "abandoned plaintiff consult", + "created_time": 1722951737049379, + "file": { + "accessor": { + "domain": "second heaven reg", + "email_addr": "Iliana@easter.jobs", + "name": "Differential", + "type": "User", + "type_id": 1, + "uid": "b2060720-53f9-11ef-b3d3-0242ac110005" + }, + "creator": { + "credential_uid": "b2061990-53f9-11ef-92d2-0242ac110005", + "full_name": "Zelma Brady", + "type": "Admin", + "type_id": 2, + "uid": "b206126a-53f9-11ef-bcf1-0242ac110005" + }, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "80354281FAAA2126E5D2CA51A907C1D2F15B2719AAE8EBF70AE4DAFD8F369DC8D23BE2285768C8C6A83CF5496A2440965EC79B4857350AD79273385359E6272C" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "2FACE219B9E0ACE4E7841FB7019D658D" + } + ], + "modified_time": 1722951737048171, + "modifier": { + "ldap_person": { + "cost_center": "believed defeat workout", + "given_name": "country medicine susan", + "job_title": "minister hugh opponent", + "manager": { + "domain": "combat mall responded", + "name": "Satisfy", + "org": { + "name": "simulations kelkoo picture", + "ou_name": "ntsc tab er", + "uid": "b205fb4a-53f9-11ef-bcdf-0242ac110005" + }, + "type": "Unknown", + "type_id": 0, + "uid": "b205e8bc-53f9-11ef-b220-0242ac110005" + } + }, + "name": "Measurements", + "type": "User", + "type_id": 1, + "uid": "b205d93a-53f9-11ef-97c9-0242ac110005" + }, + "name": "leslie.indd", + "parent_folder": "rating malawi ash/ny.bin", + "path": "rating malawi ash/ny.bin/leslie.indd", + "signature": { + "algorithm": "weekends", + "algorithm_id": 99, + "certificate": { + "created_time": 1722951737046152, + "expiration_time": 1722951737046157, + "fingerprints": [ + { + "algorithm": "TLSH", + 
"algorithm_id": 6, + "value": "3697621565DCC42F701641C483DD9F531ED1B40987DD5D58FA4EEAC5C6E127657BED12A5ED10012607C476DFE31339C6557044007AE04C2F96C120D7E68F9B46" + }, + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "CB2785DC1EFEBF4604D971B80C7BA7A49061E6B2" + } + ], + "issuer": "henry recognize short", + "serial_number": "number emotional belly", + "subject": "conscious forecasts poland", + "version": "1.1.0" + } + }, + "type": "Symbolic Link", + "type_id": 7 + }, + "name": "Weed", + "parent_process": { + "cmd_line": "age ratings employees", + "file": { + "accessed_time": 1722951737053129, + "accessor": { + "account": { + "type": "Unknown", + "type_id": 0, + "uid": "b206dd4e-53f9-11ef-8a0d-0242ac110005" + }, + "name": "Composition", + "type": "Unknown", + "type_id": 0, + "uid": "b206ba3a-53f9-11ef-8d45-0242ac110005" + }, + "confidentiality": "scholarships introducing scientific", + "modified_time": 1722951737053154, + "name": "grip.py", + "parent_folder": "travesti promotes incentives/ask.c", + "path": "travesti promotes incentives/ask.c/grip.py", + "type": "Regular File", + "type_id": 1 + }, + "lineage": [ + "gauge exists gmbh", + "ieee drawing bat" + ], + "name": "Shore", + "parent_process": { + "cmd_line": "stuart notify nc", + "created_time": 1722951737054600, + "file": { + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "0F682A9E816B4E78B01EF28B990B90A619718C249F0502C3BC26EE953198973B8ECAA2A598633947C6F575ED7DA43412557660B2E8796466CDF950DEEF210794" + }, + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "8C766AB995CDFBDBB9EB5FCA53F8D53AB3690305C46FDBB5D10554FAAB868502D870FF46248C01AC8E1A8BA4547B5B7C6A85CA5D280CBDEC1FEE04484110E043" + } + ], + "name": "hereby.txt", + "parent_folder": "alumni broad whatever/editing.dat", + "path": "alumni broad whatever/editing.dat/hereby.txt", + "security_descriptor": "fuel horses cialis", + "type": "Unknown", + "type_id": 0 + }, + "integrity": "argument historic decision", + 
"lineage": [ + "gathered then container" + ], + "name": "Vb", + "parent_process": { + "cmd_line": "accurate revenue def", + "created_time": 1722951737056663, + "file": { + "company_name": "Kay Hugo", + "confidentiality": "Unknown", + "confidentiality_id": 0, + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "D1902BB2910C00B9024F7FAD53B1AEF5D9CDD9897B4C1D0D59CB7986288BF7D59846CC65CF09FF73604CC643C20D1A4920C9EFAE6E4BE4982718A0B3021841EA" + } + ], + "name": "animation.wsf", + "parent_folder": "action cheats collective/day.dll", + "path": "action cheats collective/day.dll/animation.wsf", + "product": { + "name": "assessed delete infection", + "uid": "b2073b5e-53f9-11ef-89e3-0242ac110005", + "url_string": "indigenous", + "vendor_name": "perhaps weak mattress", + "version": "1.1.0" + }, + "size": 668783954, + "type": "Unknown", + "type_id": 0, + "uid": "b20742b6-53f9-11ef-b089-0242ac110005" + }, + "integrity": "Medium", + "integrity_id": 3, + "lineage": [ + "guidance rider vanilla", + "ambient glow well" + ], + "name": "Protect", + "pid": 69, + "tid": 76, + "uid": "b2076714-53f9-11ef-8876-0242ac110005", + "user": { + "ldap_person": { + "office_location": "signing equations keith" + }, + "name": "Nike", + "type": "Unknown", + "type_id": 0, + "uid": "b207597c-53f9-11ef-bb63-0242ac110005", + "uid_alt": "earthquake race promises" + } + }, + "pid": 42, + "uid": "b2071688-53f9-11ef-9e48-0242ac110005" + }, + "pid": 47, + "uid": "b206f84c-53f9-11ef-b820-0242ac110005", + "user": { + "name": "Indicators", + "org": { + "name": "assisted difficulty submit", + "ou_name": "hazardous oracle array", + "ou_uid": "b206f194-53f9-11ef-98e9-0242ac110005", + "uid": "b206eb0e-53f9-11ef-93f9-0242ac110005" + }, + "uid_alt": "significant beverages mail" + } + }, + "pid": 38, + "terminated_time": 1722951737056691, + "uid": "b2064a96-53f9-11ef-9a3a-0242ac110005", + "user": { + "groups": [ + { + "name": "lyric cent failure", + "uid": 
"b2063dc6-53f9-11ef-be9b-0242ac110005" + }, + { + "domain": "indonesia performances dispute", + "name": "tests australian manufacturing", + "uid": "b20644a6-53f9-11ef-88ec-0242ac110005" + } + ], + "name": "Smoking", + "type": "Admin", + "type_id": 2, + "uid": "b20633f8-53f9-11ef-84d6-0242ac110005" + } + }, + "pid": 15, + "uid": "b205ac6c-53f9-11ef-b326-0242ac110005", + "user": { + "name": "Camel", + "type": "System", + "type_id": 3, + "uid": "b205a618-53f9-11ef-b616-0242ac110005" + } + }, + "pid": 97, + "uid": "b2058d2c-53f9-11ef-9c93-0242ac110005", + "user": { + "name": "Yahoo", + "uid": "b20585de-53f9-11ef-a722-0242ac110005" + } + }, + "pid": 51, + "user": { + "domain": "france designer commissioner", + "groups": [ + { + "name": "front license tide", + "type": "scope nebraska suffered", + "uid": "b2054b5a-53f9-11ef-b10c-0242ac110005" + }, + { + "name": "belts transform phone", + "type": "ir paul vector", + "uid": "b2055956-53f9-11ef-bac5-0242ac110005" + } + ], + "name": "Auditor", + "uid": "b2053246-53f9-11ef-8f1f-0242ac110005" + } + }, + "pid": 64, + "session": { + "created_time": 1722951737037814, + "credential_uid": "b2048dfa-53f9-11ef-8e51-0242ac110005", + "is_remote": true, + "issuer": "planner providence titles", + "uid": "b2048058-53f9-11ef-8e0f-0242ac110005", + "uuid": "b20486ca-53f9-11ef-9010-0242ac110005" + }, + "terminated_time": 1722951737056729, + "uid": "b204cf68-53f9-11ef-9210-0242ac110005", + "user": { + "account": { + "name": "essential wishing wanted", + "type": "Windows Account", + "type_id": 2, + "uid": "b204c8ce-53f9-11ef-9832-0242ac110005" + }, + "name": "Churches", + "org": { + "name": "asking bookmark builders", + "ou_name": "nightlife fragrance into" + }, + "type": "User", + "type_id": 1, + "uid": "b204b8ca-53f9-11ef-ae39-0242ac110005" + } + }, + "pid": 22, + "session": { + "created_time": 1722951737034000, + "is_remote": false, + "terminal": "signals click categories", + "uid": "b203f264-53f9-11ef-9ec3-0242ac110005" + }, + 
"terminated_time": 1722951737056732, + "uid": "b2042360-53f9-11ef-9794-0242ac110005", + "user": { + "org": { + "name": "bye lenses alabama", + "ou_name": "antiques compliant tutorial", + "ou_uid": "b204153c-53f9-11ef-a6ea-0242ac110005", + "uid": "b2040b0a-53f9-11ef-98b5-0242ac110005" + }, + "type": "tears", + "type_id": 99 + } + }, + "pid": 42, + "tid": 39, + "uid": "b203dc7a-53f9-11ef-8a2b-0242ac110005", + "user": { + "full_name": "Manie Demetra", + "ldap_person": { + "deleted_time": 1722951737033239, + "email_addrs": [ + "Joeann@trials.com", + "Enrique@zshops.int" + ], + "labels": [ + "results", + "considered" + ], + "last_login_time": 1722951737033262, + "modified_time": 1722951737033265 + }, + "name": "Continuously", + "org": { + "name": "vitamins causes lg", + "ou_name": "most worcester generator", + "uid": "b203cf64-53f9-11ef-a9e6-0242ac110005" + }, + "type": "cassette", + "type_id": 99, + "uid": "b203c596-53f9-11ef-9213-0242ac110005" + } + }, + "sandbox": "participants safer outlets", + "uid": "b20358d6-53f9-11ef-939b-0242ac110005", + "user": { + "credential_uid": "b203526e-53f9-11ef-9e92-0242ac110005", + "domain": "wrong expanding proposal", + "email_addr": "Gerry@poker.biz", + "name": "Adjust", + "uid": "b2034c56-53f9-11ef-aed8-0242ac110005" + } + }, + "pid": 53, + "uid": "b202f3be-53f9-11ef-9c3b-0242ac110005", + "user": { + "domain": "authors subjects animal", + "email_addr": "Hugh@vb.aero", + "groups": [ + { + "name": "graphic university chile", + "uid": "b202c178-53f9-11ef-b0e0-0242ac110005" + }, + { + "name": "departure projects eastern", + "privileges": [ + "camcorders hazardous occurred", + "strong wav finland" + ], + "type": "direct hoping harder", + "uid": "b202c876-53f9-11ef-99bc-0242ac110005" + } + ], + "ldap_person": { + "job_title": "evident gotten tcp", + "ldap_cn": "ran experiences isolation", + "location": { + "city": "Relaxation depend", + "continent": "Africa", + "coordinates": [ + 72.6769, + 27.7735 + ], + "country": "LY", + "desc": 
"Libyan Arab Jamahiriya" + }, + "manager": { + "credential_uid": "b202eba8-53f9-11ef-a0ef-0242ac110005", + "domain": "many tvs hand", + "name": "Titles", + "org": { + "name": "declare commit gathering", + "uid": "b202e55e-53f9-11ef-90d3-0242ac110005" + }, + "type": "System", + "type_id": 3, + "uid": "b202da8c-53f9-11ef-a9a8-0242ac110005" + } + }, + "name": "Families", + "type": "System", + "type_id": 3, + "uid": "b202b3e0-53f9-11ef-bc91-0242ac110005" + } + }, + "user": { + "credential_uid": "b20785dc-53f9-11ef-9a4e-0242ac110005", + "org": { + "name": "martial makers bras", + "ou_name": "announced plastic serial", + "uid": "b2077cea-53f9-11ef-98a2-0242ac110005" + }, + "uid": "b207743e-53f9-11ef-b930-0242ac110005" + } + }, + "api": { + "operation": "prophet disabled joel", + "request": { + "data": "courier", + "uid": "b2028ac8-53f9-11ef-bcf3-0242ac110005" + }, + "response": { + "code": 48, + "error": "commissioner kill madness", + "error_message": "whale holdings lol" + } + }, + "connection_info": { + "direction": "Outbound", + "direction_id": 2, + "protocol_num": 63, + "tcp_flags": 39, + "uid": "b2027e84-53f9-11ef-beec-0242ac110005" + }, + "dst_endpoint": { + "domain": "developer resistance cove", + "hostname": "brakes.travel", + "interface_name": "responsible ips bits", + "interface_uid": "b207b336-53f9-11ef-992b-0242ac110005", + "intermediate_ips": [ + "43.42.170.135", + "161.178.9.23" + ], + "ip": "41.251.197.63", + "location": { + "city": "Extras separated", + "continent": "Africa", + "coordinates": [ + -51.2157, + -88.1173 + ], + "country": "AO", + "desc": "Angola, Republic of" + }, + "name": "bouquet observations flashing", + "os": { + "name": "reductions loans null", + "sp_name": "cloud heat faith", + "type": "Unknown", + "type_id": 0 + }, + "port": 47351, + "proxy_endpoint": { + "hostname": "upcoming.biz", + "instance_uid": "b207cc90-53f9-11ef-ace5-0242ac110005", + "interface_name": "acts unavailable caught", + "interface_uid": 
"b207d4ec-53f9-11ef-a2a8-0242ac110005", + "ip": "128.28.111.51", + "name": "ray maximum theology", + "port": 59643, + "svc_name": "xi marketplace productivity", + "type": "Firewall", + "type_id": 9, + "uid": "b207c466-53f9-11ef-9061-0242ac110005" + }, + "svc_name": "motorcycle cnn eh", + "type": "Desktop", + "type_id": 2, + "uid": "b207abc0-53f9-11ef-984e-0242ac110005" + }, + "file": { + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "05241F6680F10C78013CDDC1924651513B262F6318EFD85AC8D5EB13184DBF9742C515B85CF2ED8717B01AEA36CB0796CA62B9229E3047149B40B62FFCBE50AA" + }, + { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "EB108A6BBDAF145D08D811956465AD4382629CF361E1F696E021BE3ABADB6D47" + } + ], + "mime_type": "quit/helen", + "modified_time": 1722951737024064, + "name": "pounds.sdf", + "parent_folder": "bent hostel listed/knives.fnt", + "path": "bent hostel listed/knives.fnt/pounds.sdf", + "product": { + "name": "soldier ut outer", + "uid": "b20268d6-53f9-11ef-8389-0242ac110005", + "vendor_name": "prototype blog convertible", + "version": "1.1.0" + }, + "type": "footwear", + "type_id": 99 + }, + "process": { + "cmd_line": "cattle disk nat", + "created_time": 1722951737017869, + "file": { + "attributes": 61, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": 6, + "value": "989B7EC6D89636B773DD48E84A23A93EF0537374753B6CB2DC513D875E01FE4721CDFD519CCAE9B90092CEF08F3C38EC3C353271FE028C193AEA2DDB17A32653" + } + ], + "name": "mortgages.mp3", + "parent_folder": "match fuzzy noise/royalty.cbr", + "path": "match fuzzy noise/royalty.cbr/mortgages.mp3", + "signature": { + "algorithm": "Authenticode", + "algorithm_id": 4, + "certificate": { + "created_time": 1722951737017011, + "expiration_time": 1722951737017020, + "fingerprints": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "98AA77CF5506DBAB9E87EF8088CEAC7C9C019C46E05DD1EE1ABE03DCDDB251EE8A82D602A74B165599EA81CD3F96BCD31351F02130F1826DE55314362F5E51A0" + }, + { + 
"algorithm": "TLSH", + "algorithm_id": 6, + "value": "F074E3FC1A4F869EEF665EABF9EF6F7E4E08D51AD47FE695D451386D3DFC826FD679D11BCDF59682C9017FCB065A8C3E4C765AD0D81111D105A79724536E5AF3" + } + ], + "issuer": "consist refers bite", + "serial_number": "headers futures rico", + "subject": "norwegian satisfactory collective", + "uid": "b20156da-53f9-11ef-ae03-0242ac110005" + }, + "created_time": 1722951737017030 + }, + "size": 3964710393, + "type": "Folder", + "type_id": 2 + }, + "parent_process": { + "cmd_line": "inquiries sept nil", + "created_time": 1722951737021297, + "file": { + "accessor": { + "email_addr": "Zada@czech.museum", + "ldap_person": { + "deleted_time": 1722951737020608, + "job_title": "tobago rubber abstracts", + "location": { + "city": "Component got", + "continent": "Europe", + "coordinates": [ + -25.0862, + -71.9167 + ], + "country": "SM", + "desc": "San Marino, Republic of" + } + }, + "name": "Record", + "type": "Unknown", + "type_id": 0, + "uid": "b201dc40-53f9-11ef-a0fe-0242ac110005" + }, + "hashes": [ + { + "algorithm": "magic", + "algorithm_id": 99, + "value": "115CE7973C9A37D3558656DB4BE3719A4E02E1C42BBD3D9FED201E22F5D5A770" + }, + { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "77F4DE0C4DB55DEC736561AC64C7EA6B" + } + ], + "modified_time": 1722951737020691, + "modifier": { + "email_addr": "Lynne@rated.jobs", + "name": "Tower", + "org": { + "name": "gabriel harmful teach", + "ou_name": "chapel library combinations", + "uid": "b201cf5c-53f9-11ef-90e0-0242ac110005" + }, + "type": "Unknown", + "type_id": 0, + "uid": "b201c520-53f9-11ef-8fe7-0242ac110005" + }, + "name": "points.dat", + "owner": { + "groups": [ + { + "domain": "robots opportunities auburn", + "name": "framework chambers motorcycle", + "uid": "b201a2de-53f9-11ef-91ee-0242ac110005" + } + ], + "name": "Possession", + "type": "packaging", + "type_id": 99, + "uid": "b20198de-53f9-11ef-99e3-0242ac110005" + }, + "parent_folder": "perfume cleveland crystal/database.vob", + "path": 
"perfume cleveland crystal/database.vob/points.dat", + "type": "Local Socket", + "type_id": 5, + "version": "1.1.0" + }, + "lineage": [ + "barbara flow indiana" + ], + "name": "Districts", + "parent_process": { + "cmd_line": "correlation jd nintendo", + "created_time": 1722951737023185, + "file": { + "company_name": "Reagan Vincenza", + "creator": { + "type": "sydney", + "type_id": 99, + "uid": "b2022628-53f9-11ef-97c3-0242ac110005" + }, + "mime_type": "numeric/produces", + "modified_time": 1722951737022248, + "name": "bryan.htm", + "parent_folder": "fuji collectible creator/describes.tex", + "path": "fuji collectible creator/describes.tex/bryan.htm", + "type": "Character Device", + "type_id": 3 + }, + "pid": 98, + "session": { + "created_time": 1722951737021699, + "is_remote": true, + "issuer": "boulder candle footwear", + "uid": "b2021138-53f9-11ef-a183-0242ac110005" + }, + "uid": "b2024b62-53f9-11ef-85ae-0242ac110005", + "user": { + "credential_uid": "b20243f6-53f9-11ef-995a-0242ac110005", + "email_addr": "Salena@tour.coop", + "groups": [ + { + "name": "drums brisbane belfast", + "uid": "b2023438-53f9-11ef-b235-0242ac110005" + }, + { + "desc": "subdivision centered matched", + "name": "distinction wp inquiries", + "uid": "b2023b9a-53f9-11ef-8b76-0242ac110005" + } + ], + "name": "Inventory", + "type": "User", + "type_id": 1, + "uid_alt": "headline press postal" + } + }, + "pid": 61, + "terminated_time": 1722951737023238, + "uid": "b2020184-53f9-11ef-85ea-0242ac110005", + "user": { + "credential_uid": "b201fbb2-53f9-11ef-b9d8-0242ac110005", + "name": "April", + "type": "System", + "type_id": 3, + "uid": "b201f540-53f9-11ef-b886-0242ac110005" + } + }, + "pid": 2, + "uid": "b2017ba6-53f9-11ef-8664-0242ac110005", + "user": { + "name": "Brunei", + "type": "Unknown", + "type_id": 0, + "uid": "b20169ae-53f9-11ef-a7ab-0242ac110005" + } + }, + "query": { + "class": "researcher promotions theaters", + "hostname": "monroe.museum", + "opcode_id": 3, + "packet_uid": 42, + 
"type": "rrp look city" + }, + "src_endpoint": { + "instance_uid": "b207ec52-53f9-11ef-870e-0242ac110005", + "interface_name": "sale cut divided", + "interface_uid": "b207f38c-53f9-11ef-af93-0242ac110005", + "intermediate_ips": [ + "141.220.224.128", + "133.184.5.152" + ], + "ip": "135.11.251.187", + "mac": "E3:9B:50:54:D4:43:80:D1", + "name": "clerk massive hints", + "port": 3366, + "svc_name": "princess realize wax", + "type": "Server", + "type_id": 1, + "uid": "b207e1c6-53f9-11ef-bd79-0242ac110005" + } + } + ], + "finding_info": { + "analytic": { + "name": "shirts deutsche times", + "type": "Statistical", + "type_id": 3, + "uid": "b200b234-53f9-11ef-88a2-0242ac110005" + }, + "first_seen_time": 1722951737012, + "kill_chain": [ + { + "phase": "Unknown", + "phase_id": 0 + } + ], + "related_events": [ + { + "type_uid": 1760088869, + "uid": "b200c6ca-53f9-11ef-88d3-0242ac110005" + } + ], + "title": "cocktail graphics controlled", + "uid": "b200a0e6-53f9-11ef-a714-0242ac110005" + }, + "message": "satellite violent subscriptions", + "metadata": { + "labels": [ + "paper", + "james" + ], + "log_name": "variables admin absolutely", + "log_provider": "facilities channels cradle", + "log_version": "unless mood revised", + "original_time": "complaint planning historic", + "product": { + "name": "favorite dictionary butter", + "uid": "b201250c-53f9-11ef-a42e-0242ac110005", + "vendor_name": "routing attending username", + "version": "1.1.0" + }, + "version": "1.1.0" + }, + "resources": [ + { + "namespace": "inherited proceeds invalid", + "owner": { + "ldap_person": { + "deleted_time": 1722951737010636, + "job_title": "tp barely fancy" + }, + "name": "Plain", + "type": "Unknown", + "type_id": "0", + "uid": "b2005820-53f9-11ef-9b03-0242ac110005" + }, + "uid": "b2006efa-53f9-11ef-b4fa-0242ac110005", + "version": "1.1.0" + }, + { + "criticality": "packaging neon hearings", + "group": { + "name": "m biography divx", + "uid": "b200884a-53f9-11ef-b155-0242ac110005" + }, + "labels": [ 
+ "circular", + "vip" + ], + "namespace": "updating mic expo", + "owner": { + "name": "Adsl", + "type": "User", + "type_id": "1" + }, + "version": "1.1.0" + } + ], + "risk_level": "Low", + "risk_level_id": "1", + "severity": "Low", + "severity_id": 2, + "status": "Suppressed", + "status_id": "3", + "time": "2024-08-06T13:42:17.015Z", + "type_name": "Detection Finding: Create", + "type_uid": "200401" + }, + "related": { + "user": [ + "b2005820-53f9-11ef-9b03-0242ac110005", + "Plain", + "Adsl" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "paper", + "james" + ] + }, + { + "@timestamp": "2024-08-07T07:49:44.120Z", + "cloud": { + "availability_zone": "arrested turkey actual", + "provider": "video protected tea", + "region": "kent shakespeare marker" + }, + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "close", + "kind": "alert", + "original": "{\"message\":\"areas cw visa\",\"status\":\"Unknown\",\"time\":1723016984120626,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"cn caused bonus\",\"version\":\"1.1.0\",\"feature\":{\"version\":\"1.1.0\",\"uid\":\"9c4f2a4a-5491-11ef-80d2-0242ac110005\"},\"vendor_name\":\"contains most val\"},\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"fit grey earned\",\"log_provider\":\"fragrances reducing respected\",\"original_time\":\"pointed creating triangle\",\"tenant_uid\":\"9c4f3792-5491-11ef-ba7c-0242ac110005\"},\"severity\":\"Medium\",\"type_name\":\"Compliance Finding: Close\",\"activity_id\":3,\"type_uid\":200303,\"category_name\":\"Findings\",\"class_uid\":2003,\"category_uid\":2,\"class_name\":\"Compliance Finding\",\"timezone_offset\":98,\"activity_name\":\"Close\",\"cloud\":{\"provider\":\"video protected tea\",\"region\":\"kent shakespeare 
marker\",\"zone\":\"arrested turkey actual\"},\"compliance\":{\"control\":\"verse calculator changed\",\"status\":\"Pass\",\"standards\":[\"juice sally violations\",\"facility volume savannah\"],\"status_id\":1},\"confidence_id\":0,\"finding_info\":{\"title\":\"disappointed ghz egyptian\",\"uid\":\"9c4ee378-5491-11ef-a51e-0242ac110005\",\"attacks\":[{\"version\":\"12.1\",\"tactics\":[{\"name\":\"Defense Evasion The adversary is trying to avoid being detected.\",\"uid\":\"TA0005\"}],\"technique\":{\"name\":\"Pass the Ticket\",\"uid\":\"T1097\"}}],\"analytic\":{\"name\":\"connection stones velocity\",\"type\":\"Unknown\",\"uid\":\"9c4f1398-5491-11ef-9918-0242ac110005\",\"type_id\":0},\"src_url\":\"country\",\"modified_time_dt\":\"2024-08-07T07:49:44.119423Z\",\"first_seen_time_dt\":\"2024-08-07T07:49:44.119443Z\"},\"remediation\":{\"desc\":\"rw wt gives\"},\"severity_id\":3,\"status_id\":0}", + "outcome": "unknown", + "provider": "fragrances reducing respected", + "severity": 3, + "type": [ + "info" + ] + }, + "message": "areas cw visa", + "ocsf": { + "activity_id": "3", + "activity_name": "Close", + "category_name": "Findings", + "category_uid": "2", + "class_name": "Compliance Finding", + "class_uid": "2003", + "cloud": { + "provider": "video protected tea", + "region": "kent shakespeare marker", + "zone": "arrested turkey actual" + }, + "compliance": { + "control": "verse calculator changed", + "standards": [ + "juice sally violations", + "facility volume savannah" + ], + "status": "Pass", + "status_id": 1 + }, + "confidence_id": "0", + "finding_info": { + "analytic": { + "name": "connection stones velocity", + "type": "Unknown", + "type_id": 0, + "uid": "9c4f1398-5491-11ef-9918-0242ac110005" + }, + "attacks": [ + { + "tactics": [ + { + "name": "Defense Evasion The adversary is trying to avoid being detected.", + "uid": "TA0005" + } + ], + "technique": { + "name": "Pass the Ticket", + "uid": "T1097" + }, + "version": "12.1" + } + ], + "first_seen_time_dt": 
"2024-08-07T07:49:44.119443Z", + "modified_time_dt": "2024-08-07T07:49:44.119423Z", + "src_url": "country", + "title": "disappointed ghz egyptian", + "uid": "9c4ee378-5491-11ef-a51e-0242ac110005" + }, + "message": "areas cw visa", + "metadata": { + "log_name": "fit grey earned", + "log_provider": "fragrances reducing respected", + "original_time": "pointed creating triangle", + "product": { + "feature": { + "uid": "9c4f2a4a-5491-11ef-80d2-0242ac110005", + "version": "1.1.0" + }, + "name": "cn caused bonus", + "vendor_name": "contains most val", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": "9c4f3792-5491-11ef-ba7c-0242ac110005", + "version": "1.1.0" + }, + "remediation": { + "desc": "rw wt gives" + }, + "severity": "Medium", + "severity_id": 3, + "status": "Unknown", + "status_id": "0", + "time": "2024-08-07T07:49:44.120Z", + "timezone_offset": 98, + "type_name": "Compliance Finding: Close", + "type_uid": "200303" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-08-07T08:32:05.138Z", + "cloud": { + "availability_zone": "proceed combines pets", + "provider": "leone semester automated", + "region": "proper hip florence" + }, + "data_stream": { + "dataset": "amazon_security_lake.findings", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "its", + "kind": "alert", + "original": "{\"count\":77,\"message\":\"impressed asia renew\",\"priority\":\"Low\",\"status\":\"Closed\",\"time\":1723019525138425,\"metadata\":{\"version\":\"1.1.0\",\"extension\":{\"name\":\"stability buyers refer\",\"version\":\"1.1.0\",\"uid\":\"86df2204-5497-11ef-a661-0242ac110005\"},\"product\":{\"name\":\"momentum solely directors\",\"version\":\"1.1.0\",\"path\":\"ips order 
worse\",\"uid\":\"86df2dbc-5497-11ef-9ed6-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"gibraltar sake ef\"},\"labels\":[\"handbags\",\"utilize\"],\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"perform minneapolis sql\",\"log_provider\":\"ringtones families geological\",\"loggers\":[{\"name\":\"jc aid elsewhere\",\"version\":\"1.1.0\",\"device\":{\"name\":\"player went applicant\",\"type\":\"Server\",\"ip\":\"83.67.102.26\",\"hostname\":\"morocco.int\",\"uid\":\"86df90e0-5497-11ef-b924-0242ac110005\",\"groups\":[{\"name\":\"credits protection thin\",\"uid\":\"86df736c-5497-11ef-97bb-0242ac110005\"}],\"type_id\":1,\"autoscale_uid\":\"86df7b6e-5497-11ef-bbeb-0242ac110005\",\"container\":{\"size\":156606858,\"tag\":\"settle sagem dod\",\"image\":{\"name\":\"lg beautifully year\",\"uid\":\"86df9f54-5497-11ef-bfb3-0242ac110005\"},\"hash\":{\"value\":\"967A3E0384C0E41A534A20C1853BE04257FFF441766F2B206C644657B05089ADD53DB57F2DDF977E2B27845951A83AE6BDD58AF2C692C596AFC7C8C175049D05\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},\"network_driver\":\"sure sweden manufacturer\"},\"first_seen_time\":1723019525136547,\"hw_info\":{\"chassis\":\"newspaper batman rating\",\"cpu_speed\":32,\"ram_size\":30},\"imei\":\"br montgomery wishlist\",\"instance_uid\":\"86df8618-5497-11ef-9c0d-0242ac110005\",\"interface_name\":\"commissioner mile specify\",\"interface_uid\":\"86dfa8d2-5497-11ef-933f-0242ac110005\",\"is_managed\":true,\"is_personal\":false,\"namespace_pid\":9,\"region\":\"dt dame formation\",\"zone\":\"cigarette techniques relevance\"},\"product\":{\"name\":\"writings money profile\",\"version\":\"1.1.0\",\"uid\":\"86dfba8e-5497-11ef-a247-0242ac110005\",\"cpe_name\":\"rca purchases af\",\"vendor_name\":\"rule minimize holding\"},\"uid\":\"86dfc22c-5497-11ef-9d92-0242ac110005\",\"log_name\":\"licking costume kde\",\"log_provider\":\"clinics spectrum 
jackie\",\"log_version\":\"picnic taiwan saddam\"}],\"original_time\":\"warehouse quilt gay\",\"tenant_uid\":\"86dfcf38-5497-11ef-970b-0242ac110005\"},\"desc\":\"dress arthur je\",\"severity\":\"Medium\",\"api\":{\"request\":{\"uid\":\"86dfe23e-5497-11ef-ac3a-0242ac110005\",\"containers\":[{\"name\":\"lovely examination boxing\",\"size\":3136831313,\"uid\":\"86dffb70-5497-11ef-90e7-0242ac110005\",\"image\":{\"name\":\"several accepting therefore\",\"uid\":\"86e00bc4-5497-11ef-9d0b-0242ac110005\"}},{\"name\":\"logged warm leaders\",\"size\":2090102397,\"tag\":\"short require the\",\"uid\":\"86e0139e-5497-11ef-84cb-0242ac110005\",\"image\":{\"uid\":\"86e02064-5497-11ef-a577-0242ac110005\"},\"hash\":{\"value\":\"DDC8757708FB43E4C2DD74D4BB807C29320BD22CDA6DD541DDD15CB7C33269096384474B54AABAB83A00FF1FD576755FF68DAF6DB11D4831D1489C7D07BE193A\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},\"network_driver\":\"effects colleagues committee\"}]},\"service\":{\"name\":\"hdtv outlook indication\",\"version\":\"1.1.0\",\"uid\":\"86e02ca8-5497-11ef-b385-0242ac110005\"},\"group\":{\"name\":\"point awarded uv\",\"domain\":\"promotional identifying lenders\",\"uid\":\"86e036bc-5497-11ef-991c-0242ac110005\"},\"response\":{\"error\":\"collect mp amounts\",\"code\":54,\"message\":\"canada motorola tough\",\"error_message\":\"aid graham dining\"},\"operation\":\"columbia nano ny\"},\"type_name\":\"Incident Finding: Other\",\"activity_id\":99,\"type_uid\":200599,\"category_name\":\"Findings\",\"class_uid\":2005,\"category_uid\":2,\"class_name\":\"Incident Finding\",\"timezone_offset\":75,\"activity_name\":\"its\",\"assignee\":{\"name\":\"Bills\",\"type\":\"Unknown\",\"uid\":\"86defec8-5497-11ef-bef8-0242ac110005\",\"type_id\":0,\"account\":{\"name\":\"reef details costumes\",\"type\":\"Mac OS Account\",\"uid\":\"86df0b20-5497-11ef-a1d8-0242ac110005\",\"type_id\":7},\"credential_uid\":\"86df1200-5497-11ef-87ca-0242ac110005\"},\"assignee_group\":{\"name\":\"convergence super 
lebanon\",\"domain\":\"panels horse consultation\",\"uid\":\"86ded1d2-5497-11ef-b1fe-0242ac110005\"},\"cloud\":{\"provider\":\"leone semester automated\",\"region\":\"proper hip florence\",\"zone\":\"proceed combines pets\"},\"confidence_id\":3,\"finding_info_list\":[{\"title\":\"rear machinery worldcat\",\"uid\":\"86e0a890-5497-11ef-bbb2-0242ac110005\",\"attacks\":[{\"version\":\"12.1\",\"tactics\":[{\"name\":\"Resource Development | The adversary is trying to establish resources they can use to support operations.\",\"uid\":\"TA0042\"},{\"name\":\"Initial Access | The adversary is trying to get into your network.\",\"uid\":\"TA0001\"},{\"name\":\"Reconnaissance | The adversary is trying to gather information they can use to plan future operations.\",\"uid\":\"TA0043\"}],\"technique\":{\"name\":\"Web Session Cookie\",\"uid\":\"T1550.004\"}},{\"version\":\"12.1\",\"tactics\":[{\"name\":\"Execution The adversary is trying to run malicious code.\",\"uid\":\"TA0002\"},{\"name\":\"Execution The adversary is trying to run malicious code.\",\"uid\":\"TA0002\"},{\"name\":\"Resource Development | The adversary is trying to establish resources they can use to support operations.\",\"uid\":\"TA0042\"}],\"technique\":{\"name\":\"Process Hollowing\",\"uid\":\"T1093\"}}],\"analytic\":{\"name\":\"infinite samba delete\",\"type\":\"Statistical\",\"desc\":\"site modern hair\",\"type_id\":3},\"product_uid\":\"86e0b678-5497-11ef-b1d6-0242ac110005\",\"related_events\":[{\"uid\":\"86e0c384-5497-11ef-9073-0242ac110005\",\"type_uid\":2467649147}],\"first_seen_time_dt\":\"2024-08-07T08:32:05.144678Z\"}],\"impact\":\"Low\",\"impact_id\":1,\"priority_id\":1,\"severity_id\":3,\"src_url\":\"unity\",\"status_id\":5,\"verdict\":\"Disregard\",\"verdict_id\":3}", + "provider": "ringtones families geological", + "severity": 3, + "type": [ + "info" + ] + }, + "message": "impressed asia renew", + "ocsf": { + "activity_id": "99", + "activity_name": "its", + "api": { + "group": { + "domain": 
"promotional identifying lenders", + "name": "point awarded uv", + "uid": "86e036bc-5497-11ef-991c-0242ac110005" + }, + "operation": "columbia nano ny", + "request": { + "containers": [ + { + "image": { + "name": "several accepting therefore", + "uid": "86e00bc4-5497-11ef-9d0b-0242ac110005" + }, + "name": "lovely examination boxing", + "size": 3136831313, + "uid": "86dffb70-5497-11ef-90e7-0242ac110005" + }, + { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "DDC8757708FB43E4C2DD74D4BB807C29320BD22CDA6DD541DDD15CB7C33269096384474B54AABAB83A00FF1FD576755FF68DAF6DB11D4831D1489C7D07BE193A" + }, + "image": { + "uid": "86e02064-5497-11ef-a577-0242ac110005" + }, + "name": "logged warm leaders", + "network_driver": "effects colleagues committee", + "size": 2090102397, + "tag": "short require the", + "uid": "86e0139e-5497-11ef-84cb-0242ac110005" + } + ], + "uid": "86dfe23e-5497-11ef-ac3a-0242ac110005" + }, + "response": { + "code": 54, + "error": "collect mp amounts", + "error_message": "aid graham dining", + "message": "canada motorola tough" + }, + "service": { + "name": "hdtv outlook indication", + "uid": "86e02ca8-5497-11ef-b385-0242ac110005", + "version": "1.1.0" + } + }, + "assignee": { + "account": { + "name": "reef details costumes", + "type": "Mac OS Account", + "type_id": 7, + "uid": "86df0b20-5497-11ef-a1d8-0242ac110005" + }, + "credential_uid": "86df1200-5497-11ef-87ca-0242ac110005", + "name": "Bills", + "type": "Unknown", + "type_id": 0, + "uid": "86defec8-5497-11ef-bef8-0242ac110005" + }, + "assignee_group": { + "domain": "panels horse consultation", + "name": "convergence super lebanon", + "uid": "86ded1d2-5497-11ef-b1fe-0242ac110005" + }, + "category_name": "Findings", + "category_uid": "2", + "class_name": "Incident Finding", + "class_uid": "2005", + "cloud": { + "provider": "leone semester automated", + "region": "proper hip florence", + "zone": "proceed combines pets" + }, + "confidence_id": "3", + "count": 77, + "desc": "dress 
arthur je", + "finding_info": [ + { + "analytic": { + "desc": "site modern hair", + "name": "infinite samba delete", + "type": "Statistical", + "type_id": 3 + }, + "attacks": [ + { + "tactics": [ + { + "name": "Resource Development | The adversary is trying to establish resources they can use to support operations.", + "uid": "TA0042" + }, + { + "name": "Initial Access | The adversary is trying to get into your network.", + "uid": "TA0001" + }, + { + "name": "Reconnaissance | The adversary is trying to gather information they can use to plan future operations.", + "uid": "TA0043" + } + ], + "technique": { + "name": "Web Session Cookie", + "uid": "T1550.004" + }, + "version": "12.1" + }, + { + "tactics": [ + { + "name": "Execution The adversary is trying to run malicious code.", + "uid": "TA0002" + }, + { + "name": "Execution The adversary is trying to run malicious code.", + "uid": "TA0002" + }, + { + "name": "Resource Development | The adversary is trying to establish resources they can use to support operations.", + "uid": "TA0042" + } + ], + "technique": { + "name": "Process Hollowing", + "uid": "T1093" + }, + "version": "12.1" + } + ], + "first_seen_time_dt": "2024-08-07T08:32:05.144678Z", + "product_uid": "86e0b678-5497-11ef-b1d6-0242ac110005", + "related_events": [ + { + "type_uid": 2467649147, + "uid": "86e0c384-5497-11ef-9073-0242ac110005" + } + ], + "title": "rear machinery worldcat", + "uid": "86e0a890-5497-11ef-bbb2-0242ac110005" + } + ], + "impact": "Low", + "impact_id": "1", + "message": "impressed asia renew", + "metadata": { + "extension": { + "name": "stability buyers refer", + "uid": "86df2204-5497-11ef-a661-0242ac110005", + "version": "1.1.0" + }, + "labels": [ + "handbags", + "utilize" + ], + "log_name": "perform minneapolis sql", + "log_provider": "ringtones families geological", + "loggers": [ + { + "device": { + "autoscale_uid": "86df7b6e-5497-11ef-bbeb-0242ac110005", + "container": { + "hash": { + "algorithm": "TLSH", + "algorithm_id": 6, + 
"value": "967A3E0384C0E41A534A20C1853BE04257FFF441766F2B206C644657B05089ADD53DB57F2DDF977E2B27845951A83AE6BDD58AF2C692C596AFC7C8C175049D05" + }, + "image": { + "name": "lg beautifully year", + "uid": "86df9f54-5497-11ef-bfb3-0242ac110005" + }, + "network_driver": "sure sweden manufacturer", + "size": 156606858, + "tag": "settle sagem dod" + }, + "first_seen_time": 1723019525136547, + "groups": [ + { + "name": "credits protection thin", + "uid": "86df736c-5497-11ef-97bb-0242ac110005" + } + ], + "hostname": "morocco.int", + "hw_info": { + "chassis": "newspaper batman rating", + "cpu_speed": 32, + "ram_size": 30 + }, + "imei": "br montgomery wishlist", + "instance_uid": "86df8618-5497-11ef-9c0d-0242ac110005", + "interface_name": "commissioner mile specify", + "interface_uid": "86dfa8d2-5497-11ef-933f-0242ac110005", + "ip": "83.67.102.26", + "is_managed": true, + "is_personal": false, + "name": "player went applicant", + "namespace_pid": 9, + "region": "dt dame formation", + "type": "Server", + "type_id": 1, + "uid": "86df90e0-5497-11ef-b924-0242ac110005", + "zone": "cigarette techniques relevance" + }, + "log_name": "licking costume kde", + "log_provider": "clinics spectrum jackie", + "log_version": "picnic taiwan saddam", + "name": "jc aid elsewhere", + "product": { + "cpe_name": "rca purchases af", + "name": "writings money profile", + "uid": "86dfba8e-5497-11ef-a247-0242ac110005", + "vendor_name": "rule minimize holding", + "version": "1.1.0" + }, + "uid": "86dfc22c-5497-11ef-9d92-0242ac110005", + "version": "1.1.0" + } + ], + "original_time": "warehouse quilt gay", + "product": { + "lang": "en", + "name": "momentum solely directors", + "path": "ips order worse", + "uid": "86df2dbc-5497-11ef-9ed6-0242ac110005", + "vendor_name": "gibraltar sake ef", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + "load_balancer", + "network_proxy", + "security_control" + ], + "tenant_uid": 
"86dfcf38-5497-11ef-970b-0242ac110005", + "version": "1.1.0" + }, + "priority": "Low", + "priority_id": 1, + "severity": "Medium", + "severity_id": 3, + "src_url": "unity", + "status": "Closed", + "status_id": "5", + "time": "2024-08-07T08:32:05.138Z", + "timezone_offset": 75, + "type_name": "Incident Finding: Other", + "type_uid": "200599", + "verdict": "Disregard", + "verdict_id": 3 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "handbags", + "utilize" + ] } ] -} \ No newline at end of file +} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json index 4db5c308ab38..8adb7dd20bbe 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-iam.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "1970-01-20T15:16:10.109Z", + "@timestamp": "2023-10-06T05:28:29.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", @@ -49,7 +49,7 @@ "metadata": { "log_name": "ebony pay tablets", "log_provider": "medline putting movie", - "logged_time": "1970-01-20T15:16:10.109Z", + "logged_time": "2023-10-06T05:28:29.000Z", "original_time": "gentleman brings relationship", "product": { "lang": "en", @@ -77,7 +77,7 @@ "status": "Unknown", "status_code": "seo", "status_id": "0", - "time": "1970-01-20T15:16:10.109Z", + "time": "2023-10-06T05:28:29.000Z", "timezone_offset": 34, "type_name": "Authorize Session: Unknown", "type_uid": "300300", @@ -111,7 +111,7 @@ } }, { - "@timestamp": "1970-01-20T15:16:10.795Z", + "@timestamp": "2023-10-06T05:39:55.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", 
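Review bot: the scalar typing of the OCSF id fields in the new findings expected output is inconsistent within a single document and should be settled in the pipeline before these fixtures are committed. Top-level ids come out as strings (`"activity_id": "3"`, `"class_uid": "2003"`, `"status_id": "3"`, `"risk_level_id": "1"`, `"confidence_id": "0"`) while ids one level down are numbers (`"severity_id": 2`, `"finding_info.analytic.type_id": 3`, `"compliance.status_id": 1`), and `resources[].owner.type_id` is emitted as the strings `"0"` and `"1"` here although the IAM fixture in this same PR changes `resources.owner.type_id` to the number `99`; pick one type per field path and make both data streams agree, otherwise a query on the same `ocsf.*_id` path behaves differently per index. Second, nested timestamps are passed through as raw epoch integers in mixed units (`"terminated_time": 1722951737056732` and `"modified_time": 1722951737024064` are 16-digit microsecond values, `"finding_info.first_seen_time": 1722951737012` is a 13-digit millisecond value) while the top-level `time` is converted to `2024-08-06T13:42:17.015Z`; if any of those nested fields is mapped as `date`, the 16-digit values index as far-future dates, so either run them through the same unit detection as `time` or confirm they are mapped as `long`. Third, `related.user` for the Detection Finding holds only the `resources[].owner` values (`"Plain"`, `"Adsl"` and one uid) even though the nested `user` objects of the actor/process chain earlier in the same document are populated (`"name": "Families"`, `"name": "Adjust"`, `"name": "Continuously"`) and are the identities an analyst would pivot on. Finally, folding `finding_info_list` of the Incident Finding into `ocsf.finding_info` (an array there, a single object for the Compliance Finding) gives two classes one field path with different cardinality; with an `object` mapping the `attacks[].technique.uid` values of different list entries get merged at query time, so either document that limitation or map the field as `nested`.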
@@ -163,7 +163,7 @@ "severity": "Unknown", "severity_id": 0, "status": "authors technology bible", - "time": "1970-01-20T15:16:10.795Z", + "time": "2023-10-06T05:39:55.000Z", "timezone_offset": 36, "type_name": "Entity Management: Read", "type_uid": "300402" @@ -175,7 +175,7 @@ ] }, { - "@timestamp": "1970-01-20T15:16:23.206Z", + "@timestamp": "2023-10-06T09:06:46.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", @@ -248,7 +248,7 @@ "severity_id": 2, "status": "Success", "status_id": "1", - "time": "1970-01-20T15:16:23.206Z", + "time": "2023-10-06T09:06:46.000Z", "timezone_offset": 81, "type_name": "Group Management: Add User", "type_uid": "300603", @@ -312,7 +312,7 @@ } }, { - "@timestamp": "1970-01-20T15:16:21.958Z", + "@timestamp": "2023-10-06T08:45:58.000Z", "data_stream": { "dataset": "amazon_security_lake.iam", "namespace": "default", 
@@ -330,7 +330,7 @@ "original": "{\"message\":\"isaac uncertainty replication\",\"status\":\"abstracts\",\"time\":1696581958,\"group\":{\"name\":\"then nevada berkeley md\",\"uid\":\"c63f1e24-6424-11ee-af05-0242ac110005\"},\"user\":{\"name\":\"Dd\",\"type\":\"System\",\"uid\":\"c52f5236-6424-11ee-9c16-0242ac110005\",\"type_id\":3,\"credential_uid\":\"c52f57ae-6424-11ee-b8be-0242ac110005\"},\"metadata\":{\"version\":\"1.0.0\",\"product\":{\"name\":\"advance wellness phentermine\",\"version\":\"1.0.0\",\"uid\":\"c52f3210-6424-11ee-b807-0242ac110005\",\"feature\":{\"name\":\"services cultural ali\",\"version\":\"1.0.0\",\"uid\":\"c52f43f4-6424-11ee-9b6e-0242ac110005\"},\"lang\":\"en\",\"vendor_name\":\"sphere chef physicians\"},\"profiles\":[],\"log_name\":\"gravity bill gp\",\"logged_time\":1696581958,\"original_time\":\"escape mic warner\"},\"resource\":{\"owner\":{\"name\":\"Fatty\",\"type\":\"forecast\",\"domain\":\"regions gr dean\",\"uid\":\"c52f060a-6424-11ee-b378-0242ac110005\",\"type_id\":99,\"email_addr\":\"Art@his.name\"},\"group\":{\"name\":\"then nevada berkeley\",\"uid\":\"c52f1e24-6424-11ee-af05-0242ac110005\"}},\"start_time\":1696581958,\"severity\":\"Medium\",\"type_name\":\"User Access Management: Unknown\",\"activity_id\":0,\"type_uid\":300500,\"observables\":[{\"name\":\"devices arguments label\",\"type\":\"Fingerprint\",\"type_id\":30},{\"name\":\"line nightlife expo\",\"type\":\"Container\",\"type_id\":27,\"reputation\":{\"base_score\":45.5971,\"provider\":\"marcus magnetic expressed\",\"score\":\"May not be Safe\",\"score_id\":5}}],\"category_name\":\"Identity & Access Management\",\"class_uid\":3005,\"category_uid\":3,\"class_name\":\"User Access Management\",\"timezone_offset\":28,\"activity_name\":\"Unknown\",\"privileges\":[\"returned funeral cave\"],\"severity_id\":3,\"status_id\":99}", "provider": "sphere chef physicians", "severity": 3, - "start": "1970-01-20T15:16:21.958Z", + "start": "2023-10-06T08:45:58.000Z", "type": [ "info", "group" 
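Review bot: the corrected dates confirm that the ten-digit `time`, `logged_time` and `start_time` values in this fixture (epoch seconds, `1696581958` → `2023-10-06T08:45:58.000Z`) were previously treated as milliseconds, which is exactly where the old `1970-01-20T15:16:21.958Z` came from. Since the same pipeline also turns the 16-digit `"time":1723016984120626` of the findings fixture into `2024-08-07T07:49:44.120Z`, the unit is evidently inferred from the magnitude of the value; put the thresholds for seconds, milliseconds and microseconds in a comment next to the conversion and add one fixture per unit, because OCSF defines `timestamp_t` as milliseconds and that 13-digit case, the common one, is not exercised by the IAM samples here. Note also that this input is still an OCSF 1.0.0 event (`"metadata":{"version":"1.0.0"`), which is useful as a backward-compatibility check but means the hunks shown contain no 1.1.0 sample for class 3005.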
@@ -355,7 +355,7 @@ "message": "isaac uncertainty replication", "metadata": { "log_name": "gravity bill gp", - "logged_time": "1970-01-20T15:16:21.958Z", + "logged_time": "2023-10-06T08:45:58.000Z", "original_time": "escape mic warner", "product": { "feature": { @@ -392,7 +392,7 @@ "privileges": [ "returned funeral cave" ], - "resource": { + "resources": { "group": { "name": "then nevada berkeley", "uid": "c52f1e24-6424-11ee-af05-0242ac110005" @@ -402,16 +402,16 @@ "email_addr": "Art@his.name", "name": "Fatty", "type": "forecast", - "type_id": "99", + "type_id": 99, "uid": "c52f060a-6424-11ee-b378-0242ac110005" } }, "severity": "Medium", "severity_id": 3, - "start_time": "1970-01-20T15:16:21.958Z", + "start_time": "2023-10-06T08:45:58.000Z", "status": "abstracts", "status_id": "99", - "time": "1970-01-20T15:16:21.958Z", + "time": "2023-10-06T08:45:58.000Z", "timezone_offset": 28, "type_name": "User Access Management: Unknown", "type_uid": "300500", @@ -426,10 +426,7 @@ "related": { "user": [ "c52f5236-6424-11ee-9c16-0242ac110005", - "Dd", - "Art@his.name", - "Fatty", - "c52f060a-6424-11ee-b378-0242ac110005" + "Dd" ] }, "tags": [ @@ -444,4 +441,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log index 609b4b0c5ea3..59544a2d99d3 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log 
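Review bot: the `resource` → `resources` rename in the `@@ -392,7` hunk changes a spec field name for class 3005 (the input carries `"resource":{"owner":…,"group":…}` as OCSF defines it), and the `related.user` hunk that follows shows a side effect: the owner's `"Art@his.name"`, `"Fatty"` and `"c52f060a-6424-11ee-b378-0242ac110005"` entries disappear from `related.user`, which is what happens if the enrichment that builds `related.user` still reads `ocsf.resource.owner.*` after the object has been moved. If the rename is intentional (one `ocsf.resources` path shared with the findings stream, where it is an array), update the enrichment to read `ocsf.resources.owner.*` so the expected list keeps the owner, and document the deviation from the OCSF field name in the README, since anyone querying `ocsf.resource.*` per spec gets no hits. In the `@@ -402,16` hunk `resources.owner.type_id` becomes the number `99`, while the findings fixture emits the same path as strings (`"type_id": "0"`, `"type_id": "1"`); the two data streams should agree on the type.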
@@ -10,3 +10,5 @@ {"message":"kelkoo interactions constitute","status":"patch emma midi","time":1695676041549,"file":{"name":"amend.sh","type":"Unknown","desc":"arabic suits fun","type_id":0,"accessor":{"name":"Uruguay","type":"User","uid":"849f49fa-5be7-11ee-bfe2-0242ac110005","org":{"name":"lottery political own","uid":"849f501c-5be7-11ee-ab6f-0242ac110005","ou_name":"confirmed towards declined","ou_uid":"849f540e-5be7-11ee-841c-0242ac110005"},"type_id":1},"hashes":[{"value":"4C3280C17F9D982CCBAC882AE1F48DAD224DBA938BEE87BF18E31C76B0C3B88B","algorithm":"SHA-256","algorithm_id":3},{"value":"A7F0A2AD03BE8938C945F65DB1A395CE9E98D67F9EE8D4CA97D687FBB394B64FA0AEB15F5B1D82A2922B62320B77DBA842BBEDEE2B5E15D7A883665ADE3F7C2B","algorithm":"quickXorHash","algorithm_id":7}],"modified_time_dt":"2023-09-25T21:07:21.567190Z"},"metadata":{"version":"1.0.0","product":{"name":"describes static geological","version":"1.0.0","uid":"849714ce-5be7-11ee-981b-0242ac110005","url_string":"avatar","vendor_name":"highly got hook"},"sequence":99,"profiles":["cloud","container","datetime"],"correlation_uid":"84971e10-5be7-11ee-b5e7-0242ac110005","log_name":"proud iso ticket","log_provider":"cb indexes boxing","original_time":"tournaments leisure comedy","modified_time_dt":"2023-09-25T21:07:21.513376Z","processed_time_dt":"2023-09-25T21:07:21.513394Z"},"start_time":1695676041445,"severity":"Low","type_name":"Network File Activity: Rename","activity_id":5,"type_uid":401005,"observables":[{"name":"except visitor vbulletin","type":"Uniform Resource Locator","type_id":23},{"name":"hong rhode para","type":"Process Name","type_id":9}],"category_name":"Network Activity","class_uid":4010,"category_uid":4,"class_name":"Network File Activity","timezone_offset":42,"activity_name":"Rename","actor":{"process":{"name":"Qualification","pid":42,"file":{"attributes":9,"name":"citations.gpx","type":"Character Device","path":"telling saved challenge/wrapped.tga/citations.gpx","type_id":3,"parent_folder":"telling 
saved challenge/wrapped.tga"},"user":{"name":"Aquatic","type":"System","uid":"84975f7e-5be7-11ee-bfad-0242ac110005","type_id":3,"account":{"name":"suspended cg sisters","uid":"8497655a-5be7-11ee-ab52-0242ac110005"}},"tid":17,"uid":"849768e8-5be7-11ee-a428-0242ac110005","cmd_line":"goals happen dad","container":{"name":"ambien cloud eur","size":2164055839,"uid":"84977158-5be7-11ee-b042-0242ac110005","image":{"name":"produced field obituaries","path":"adaptive granny knew","uid":"849779dc-5be7-11ee-8f66-0242ac110005"},"network_driver":"cute desktops arrest"},"created_time":1695676041514,"namespace_pid":41,"parent_process":{"file":{"name":"finance.3g2","type":"wrap","path":"attention matching forest/met.mpa/finance.3g2","signature":{"certificate":{"version":"1.0.0","subject":"mt minutes bids","issuer":"shall systematic vatican","fingerprints":[{"value":"B3305921648A755AA6C1E2C028691A6861EAE8922BAE5ACE52B76E01AD96DF87ECE4E22E06EDC6715A0CAE469323620A07CCC384FD40C69EBA60E8BBEE8EA805","algorithm":"TLSH","algorithm_id":6}],"expiration_time":1695676041516,"serial_number":"requirement sodium situated","expiration_time_dt":"2023-09-25T21:07:21.516239Z","created_time_dt":"2023-09-25T21:07:21.516247Z"},"algorithm":"RSA","algorithm_id":2},"desc":"surgeons settled advocacy","type_id":99,"creator":{"name":"Additionally","type":"beat","uid":"84979804-5be7-11ee-848b-0242ac110005","type_id":99,"full_name":"Kirstin Thersa","credential_uid":"8497ab3c-5be7-11ee-8df1-0242ac110005"},"parent_folder":"attention matching 
forest/met.mpa","hashes":[{"value":"2675028478A31F71064C2D8CCA68C7FCA87605C294611E7C2294806CE87B596AD856077767F9D941E21BC5089906C5E6903FE622EE1FE19DB2E3FA8F1F1A8EE9","algorithm":"CTPH","algorithm_id":5},{"value":"4D018BA6DBA4C03004FD6E10D1C02BD324F62DE46C5FE687431A2D4BF4335BB7","algorithm":"magic","algorithm_id":99}],"modified_time_dt":"2023-09-25T21:07:21.517084Z"},"uid":"8497ba64-5be7-11ee-b3a6-0242ac110005","session":{"uid":"8497c27a-5be7-11ee-8a34-0242ac110005","issuer":"discussing capital ottawa","created_time":1695676041516,"credential_uid":"8497c716-5be7-11ee-bd7a-0242ac110005"},"loaded_modules":["/super/disclose/barnes/pg/california.png","/ourselves/lynn/gpl/helped/narrow.tga"],"cmd_line":"bless addresses backgrounds","container":{"name":"citizenship caribbean twisted","size":2686118868,"uid":"8497d15c-5be7-11ee-aa8b-0242ac110005","image":{"name":"assistance grande an","uid":"8497dec2-5be7-11ee-9c88-0242ac110005"},"hash":{"value":"08759209B8F0A761FFF2B978AB8DAB0B6AE7B63C9AC9D3694BC0FED57BB2E27F5AAFB08486F656D6C6FE784F7DF07513FCB0975EC8B772EE000F56F793867A77","algorithm":"Unknown","algorithm_id":0}},"created_time":1695676041518,"lineage":["vhs mechanism dates"],"namespace_pid":97,"parent_process":{"name":"Bid","pid":26,"file":{"name":"dame.svg","type":"Regular File","path":"wives pamela karl/articles.c/dame.svg","modifier":{"name":"Complete","type":"Unknown","uid":"8497f38a-5be7-11ee-97c6-0242ac110005","groups":[{"name":"winds seeking reply","uid":"8497fde4-5be7-11ee-9733-0242ac110005"},{"name":"hamburg roommate environment","uid":"8498099c-5be7-11ee-ac6f-0242ac110005"}],"type_id":0},"type_id":1,"parent_folder":"wives pamela 
karl/articles.c","hashes":[{"value":"E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC","algorithm":"magic","algorithm_id":99},{"value":"AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36","algorithm":"quickXorHash","algorithm_id":7}],"security_descriptor":"robinson queens graduate","created_time_dt":"2023-09-25T21:07:21.519646Z"},"user":{"name":"Shipment","type":"Unknown","uid":"84981f68-5be7-11ee-b652-0242ac110005","type_id":0,"uid_alt":"singh dim static"},"uid":"849823d2-5be7-11ee-92d1-0242ac110005","cmd_line":"harder interventions pb","container":{"name":"kg sources houses","runtime":"kate through furniture","size":2387392206,"uid":"849829cc-5be7-11ee-bb7a-0242ac110005","hash":{"value":"6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6","algorithm":"SHA-256","algorithm_id":3},"pod_uuid":"kiss"},"created_time":1695676041517,"integrity":"they thermal eau","lineage":["attraction cord adjustment","announcements summer introduce"],"namespace_pid":49,"parent_process":{"name":"Jamie","pid":28,"file":{"name":"seq.wpd","type":"Character Device","path":"conflicts disability citysearch/ieee.dtd/seq.wpd","modifier":{"name":"Officer","type":"Admin","uid":"84984362-5be7-11ee-af2c-0242ac110005","type_id":2},"type_id":3,"parent_folder":"conflicts disability citysearch/ieee.dtd","confidentiality":"Unknown","confidentiality_id":0,"created_time":1695676041520845,"hashes":[{"value":"7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1","algorithm":"CTPH","algorithm_id":5},{"value":"1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358","algorithm":"TLSH","algorithm_id":6}]},"user":{"name":"Knows","type":"User","domain":"sao uri 
flesh","uid":"84984db2-5be7-11ee-ba4e-0242ac110005","type_id":1},"uid":"8498530c-5be7-11ee-86f3-0242ac110005","cmd_line":"creation defense carolina","container":{"name":"hunt indicating radiation","size":3179758248,"tag":"reader prevention as","uid":"84985df2-5be7-11ee-be06-0242ac110005","hash":{"value":"666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041527,"namespace_pid":46,"parent_process":{"name":"Arbor","pid":20,"file":{"name":"startup.3dm","size":3504413585,"type":"Named Pipe","version":"1.0.0","signature":{"certificate":{"subject":"shades bad tradition","issuer":"previous price thing","fingerprints":[{"value":"8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75","algorithm":"SHA-512","algorithm_id":4},{"value":"205D64FF9B580AADBF4829EC41DD4EF0","algorithm":"MD5","algorithm_id":1}],"created_time":1695676041522,"expiration_time":1695676041526,"serial_number":"files the parish","created_time_dt":"2023-09-25T21:07:21.521904Z"},"algorithm":"RSA","algorithm_id":2},"uid":"84987ae4-5be7-11ee-b247-0242ac110005","type_id":6,"created_time":1695676042262,"hashes":[{"value":"60F202A3BE4EF214E24EA9D3555D194C","algorithm":"MD5","algorithm_id":1},{"value":"B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A","algorithm":"TLSH","algorithm_id":6}],"modified_time_dt":"2023-09-25T21:07:21.522441Z"},"user":{"name":"Provided","type":"Admin","uid":"84988e80-5be7-11ee-bf3c-0242ac110005","type_id":2,"full_name":"Karoline Meggan","email_addr":"Elza@girls.mil"},"uid":"84989376-5be7-11ee-9216-0242ac110005","cmd_line":"plan agents converter","container":{"name":"thongs routine an","size":2099983603,"uid":"84989948-5be7-11ee-b4fb-0242ac110005","image":{"name":"extending construction 
inkjet","path":"empirical precipitation builder","uid":"84989f42-5be7-11ee-8820-0242ac110005","labels":["golf","nov"]},"hash":{"value":"E7EFDA40B1C94805070CD9BF9638AE27","algorithm":"MD5","algorithm_id":1}},"created_time":1695676041523226,"integrity":"conspiracy unions allocated","parent_process":{"name":"Processes","pid":49,"file":{"name":"considerations.jar","type":"Local Socket","path":"roger economy macro/mesh.gadget/considerations.jar","type_id":5,"accessor":{"name":"Wildlife","type":"Admin","uid":"8498c030-5be7-11ee-80d9-0242ac110005","type_id":2,"full_name":"Twyla Cherise","email_addr":"Shin@cause.mobi","uid_alt":"excellent far varied"},"mime_type":"star/flyer","parent_folder":"roger economy macro/mesh.gadget","created_time":1695676041524,"hashes":[{"value":"707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D","algorithm":"CTPH","algorithm_id":5},{"value":"6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2","algorithm":"CTPH","algorithm_id":5}]},"user":{"name":"Hour","type":"insert","uid":"8498cd14-5be7-11ee-94d7-0242ac110005","type_id":99,"uid_alt":"organizations guild beds"},"uid":"8498d430-5be7-11ee-b1bf-0242ac110005","cmd_line":"sixth pc peoples","container":{"name":"warrior document workflow","size":2697694450,"uid":"8498da2a-5be7-11ee-9d00-0242ac110005","image":{"name":"version treating tall","uid":"8498df20-5be7-11ee-8257-0242ac110005"},"hash":{"value":"F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E","algorithm":"TLSH","algorithm_id":6},"pod_uuid":"sas"},"created_time":1695676041523,"integrity":"aviation blame 
tion","namespace_pid":76,"parent_process":{"name":"Job","pid":86,"file":{"name":"pic.vcd","owner":{"name":"Enquiry","type":"minneapolis","uid":"849901e4-5be7-11ee-bfe1-0242ac110005","type_id":99,"full_name":"Blythe Jamie"},"type":"charged","path":"const foreign pressed/among.ged/pic.vcd","signature":{"certificate":{"version":"1.0.0","subject":"strap liz boulder","issuer":"everybody brunei disciplinary","fingerprints":[{"value":"9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2","algorithm":"CTPH","algorithm_id":5},{"value":"3DE877DDFB06DB510E63893D98DDAC9524696C14","algorithm":"SHA-1","algorithm_id":2}],"created_time":1695676041526,"expiration_time":1695676045872,"serial_number":"approaches symbol assembly"},"algorithm":"ECDSA","algorithm_id":3,"developer_uid":"84991526-5be7-11ee-a2ca-0242ac110005","created_time_dt":"2023-09-25T21:07:21.526203Z"},"uid":"84992264-5be7-11ee-8071-0242ac110005","type_id":99,"parent_folder":"const foreign pressed/among.ged","accessed_time":1695676041556,"confidentiality":"suburban ati mostly","hashes":[{"value":"00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802","algorithm":"Unknown","algorithm_id":0}],"is_system":false,"modified_time_dt":"2023-09-25T21:07:21.526727Z","created_time_dt":"2023-09-25T21:07:21.526737Z"},"user":{"name":"Rice","type":"Unknown","uid":"84993312-5be7-11ee-b956-0242ac110005","type_id":0,"email_addr":"Renita@pete.cat"},"uid":"8499377c-5be7-11ee-9164-0242ac110005","container":{"name":"acquired minority slip","size":2257875576,"uid":"84993ce0-5be7-11ee-8a18-0242ac110005","image":{"tag":"vocal trim jon","uid":"849944f6-5be7-11ee-bc62-0242ac110005"}},"namespace_pid":29,"parent_process":{"pid":67,"file":{"name":"tuner.pdb","type":"Named Pipe","version":"1.0.0","path":"architectural pink phil/overview.dtd/tuner.pdb","type_id":6,"parent_folder":"architectural pink 
phil/overview.dtd","hashes":[{"value":"44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19","algorithm":"quickXorHash","algorithm_id":7},{"value":"C25DDA249CDECE9D908CC33ADCD16AA05E20290F","algorithm":"SHA-1","algorithm_id":2}],"xattributes":{}},"user":{"name":"Fantastic","type":"Admin","uid":"84995d06-5be7-11ee-8223-0242ac110005","org":{"name":"dryer asn trying","uid":"849963aa-5be7-11ee-b57a-0242ac110005","ou_name":"wr r gibraltar"},"type_id":2},"uid":"84996800-5be7-11ee-8754-0242ac110005","cmd_line":"brush bouquet alto","container":{"name":"deutschland pic newcastle","size":797071549,"uid":"84996db4-5be7-11ee-bada-0242ac110005","image":{"name":"adipex into polo","uid":"849984fc-5be7-11ee-af4c-0242ac110005"},"hash":{"value":"82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF","algorithm":"SHA-256","algorithm_id":3}},"created_time":1695676041528,"lineage":["familiar privilege canvas"],"namespace_pid":23,"parent_process":{"name":"Cialis","pid":21,"file":{"attributes":83,"name":"spirit.max","owner":{"name":"Friend","type":"User","uid":"84999e10-5be7-11ee-914b-0242ac110005","type_id":1,"email_addr":"Pamelia@directed.com"},"type":"Regular File","version":"1.0.0","path":"fish largest alberta/solutions.deskthemepack/spirit.max","desc":"escape steady bow","type_id":1,"parent_folder":"fish largest alberta/solutions.deskthemepack","hashes":[{"value":"718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549","algorithm":"CTPH","algorithm_id":5},{"value":"D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88","algorithm":"Unknown","algorithm_id":0}]},"user":{"name":"Apartments","type":"ad","uid":"8499b5da-5be7-11ee-b276-0242ac110005","type_id":99,"uid_alt":"serving turbo 
spy"},"uid":"8499bc88-5be7-11ee-b028-0242ac110005","session":{"uid":"8499ca0c-5be7-11ee-aae9-0242ac110005","created_time":1695676041534,"expiration_time":1695676041542,"is_remote":true},"cmd_line":"in blowing memorial","container":{"name":"france sg charger","size":1048383191,"tag":"deserve focused select","uid":"8499d164-5be7-11ee-a7e8-0242ac110005","image":{"name":"robert through mailing","tag":"struggle gerald weather","uid":"8499d704-5be7-11ee-b617-0242ac110005"},"hash":{"value":"6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC","algorithm":"TLSH","algorithm_id":6},"network_driver":"catch sun general","orchestrator":"sf varieties queries"},"created_time":1695676041539,"integrity":"faculty hardcover generated","namespace_pid":79,"parent_process":{"name":"Devices","pid":90,"file":{"name":"premises.sln","owner":{"name":"Welcome","type":"User","type_id":1,"account":{"name":"discs outlets general","type":"Mac OS Account","uid":"8499eb2c-5be7-11ee-86b7-0242ac110005","type_id":7}},"type":"ships","path":"ralph tales librarian/simpsons.psd/premises.sln","type_id":99,"creator":{"name":"Booking","type":"System","domain":"coupons dropped pantyhose","uid":"8499f1ee-5be7-11ee-a02c-0242ac110005","type_id":3},"parent_folder":"ralph tales librarian/simpsons.psd","hashes":[{"value":"F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188","algorithm":"TLSH","algorithm_id":6}],"modified_time_dt":"2023-09-25T21:07:21.531893Z"},"user":{"name":"Immediate","type":"Unknown","uid":"849a06c0-5be7-11ee-acfe-0242ac110005","org":{"name":"velvet days pubs","ou_name":"brake craps campaign"},"groups":[{"uid":"849a1124-5be7-11ee-9a8e-0242ac110005","privileges":["independent vegetables assisted","refinance lee seating"]},{"name":"div violence 
strange","uid":"849a1674-5be7-11ee-aa3b-0242ac110005"}],"type_id":0},"uid":"849a1af2-5be7-11ee-82a9-0242ac110005","cmd_line":"text ana range","container":{"name":"own drawing acute","size":1512724327,"uid":"849a2420-5be7-11ee-94c5-0242ac110005","image":{"name":"layers branch lucas","tag":"nations chances trips","uid":"849a32bc-5be7-11ee-86bb-0242ac110005"},"hash":{"value":"79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041533,"lineage":["guru hosted bradley"],"namespace_pid":39,"parent_process":{"name":"Bags","file":{"attributes":22,"name":"hunt.ppt","type":"Local Socket","type_id":5,"confidentiality":"Confidential","confidentiality_id":2,"hashes":[{"value":"6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4","algorithm":"quickXorHash","algorithm_id":7},{"value":"B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"modified_time_dt":"2023-09-25T21:07:21.533963Z"},"user":{"name":"Sisters","type":"rebound","uid":"849a52ce-5be7-11ee-a468-0242ac110005","type_id":99,"full_name":"Elisa Cleora"},"uid":"849a5d78-5be7-11ee-ac24-0242ac110005","cmd_line":"merchandise initiatives accessibility","container":{"name":"apartment drunk amateur","size":3702557326,"uid":"849a646c-5be7-11ee-90ce-0242ac110005","image":{"name":"evaluating apartments 
disaster","uid":"849a6a66-5be7-11ee-95e4-0242ac110005"},"hash":{"value":"12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509","algorithm":"Unknown","algorithm_id":0}},"created_time":1695676041535,"namespace_pid":29,"parent_process":{"name":"Sen","pid":13,"file":{"attributes":35,"name":"hardware.wma","owner":{"name":"Asia","type":"meetup","uid":"849a7ac4-5be7-11ee-a06d-0242ac110005","type_id":99},"type":"Unknown","path":"interactions malta thoughts/laden.pdf/hardware.wma","signature":{"digest":{"value":"3188206324B062751CE36D4251C19C94","algorithm":"MD5","algorithm_id":1},"algorithm":"Authenticode","algorithm_id":4},"type_id":0,"parent_folder":"interactions malta thoughts/laden.pdf","hashes":[{"value":"6BD48B1E57856137037BFEE4DEC8D57F","algorithm":"MD5","algorithm_id":1}]},"user":{"name":"Round","type":"System","uid":"849a900e-5be7-11ee-9894-0242ac110005","type_id":3,"full_name":"Marisela Towanda","account":{"name":"fragrances bulk specialty","type":"LDAP Account","uid":"849a9702-5be7-11ee-9f5d-0242ac110005","type_id":1},"credential_uid":"849a9afe-5be7-11ee-b27a-0242ac110005","email_addr":"Wava@promises.info"},"uid":"849a9ed2-5be7-11ee-ae61-0242ac110005","cmd_line":"recordings countries slides","container":{"name":"distant modeling monaco","runtime":"peace up sailing","uid":"849aa490-5be7-11ee-bb98-0242ac110005","image":{"name":"evanescence plans courts","tag":"buy archives predict","uid":"849aaa9e-5be7-11ee-a47a-0242ac110005"},"hash":{"value":"383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F","algorithm":"SHA-256","algorithm_id":3}},"created_time":1695676041539,"integrity":"bookings qc dictionaries","lineage":["lanka manufacture bra","gibson implementation pope"],"namespace_pid":6,"parent_process":{"name":"Impacts","pid":86,"file":{"name":"removal.obj","type":"Named Pipe","path":"jeff puts assignments/thing.msi/removal.obj","type_id":6,"parent_folder":"jeff puts 
assignments/thing.msi","accessed_time":1695676041534,"hashes":[{"value":"CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77","algorithm":"magic","algorithm_id":99}],"security_descriptor":"bureau myspace barrel"},"user":{"name":"Alliance","type":"Admin","domain":"statistical poland gregory","uid":"849abe76-5be7-11ee-a5a1-0242ac110005","org":{"name":"nyc kidney drawings","uid":"849accae-5be7-11ee-af7b-0242ac110005"},"groups":[{"name":"accessed thanks instructions","desc":"luggage species belkin","uid":"849ad5fa-5be7-11ee-a0e9-0242ac110005","privileges":["flashing aol autumn"]},{"name":"cognitive times agent","uid":"849ada50-5be7-11ee-824e-0242ac110005","privileges":["sodium believed housing","incorporated jungle asian"]}],"type_id":2,"full_name":"Paul Julian"},"uid":"849adea6-5be7-11ee-aa53-0242ac110005","cmd_line":"amount anywhere suffered","container":{"name":"author channel disappointed","size":191473515,"uid":"849aff08-5be7-11ee-80bd-0242ac110005","image":{"name":"cross tray influenced","tag":"afternoon counseling governance","uid":"849b1f7e-5be7-11ee-bb9d-0242ac110005"},"hash":{"value":"B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581","algorithm":"quickXorHash","algorithm_id":7},"network_driver":"slovakia friend username"},"created_time":1695676041539630,"namespace_pid":49,"parent_process":{"name":"Sampling","pid":71,"file":{"attributes":78,"name":"human.pdb","type":"Symbolic Link","path":"let dawn representing/surrounding.dwg/human.pdb","product":{"name":"heavy payroll timothy","version":"1.0.0","uid":"849b3fd6-5be7-11ee-83d2-0242ac110005","feature":{"name":"metric th alt","version":"1.0.0","uid":"849b46a2-5be7-11ee-824d-0242ac110005"},"vendor_name":"rv brother vaccine"},"type_id":7,"accessor":{"name":"Dragon","type":"System","uid":"849b52b4-5be7-11ee-863c-0242ac110005","type_id":3,"credential_uid":"849b5b88-5be7-11ee-af7a-0242ac110005"},"parent_folder":"let dawn 
representing/surrounding.dwg","hashes":[{"value":"AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C","algorithm":"quickXorHash","algorithm_id":7}],"modified_time":1695676041541,"modified_time_dt":"2023-09-25T21:07:21.541163Z","created_time_dt":"2023-09-25T21:07:21.541195Z"},"user":{"name":"Particles","type":"User","domain":"lexmark refers dylan","uid":"849b6916-5be7-11ee-a01e-0242ac110005","type_id":1,"email_addr":"Yelena@communities.nato"},"uid":"849b6dee-5be7-11ee-84f0-0242ac110005","cmd_line":"techno now vid","created_time":1695676041593,"lineage":["qualify insight reproduce","placing download tomato"],"namespace_pid":91,"parent_process":{"name":"Foundation","pid":41,"file":{"name":"sunday.crdownload","size":1384349588,"type":"Unknown","path":"designing designed kim/butts.crx/sunday.crdownload","signature":{"certificate":{"version":"1.0.0","subject":"annually ic quest","issuer":"cooperation worldcat southwest","fingerprints":[{"value":"A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9","algorithm":"Unknown","algorithm_id":0}],"created_time":1695676041542,"expiration_time":1695676041577,"serial_number":"distributed characters bin"},"algorithm":"Unknown","algorithm_id":0,"created_time_dt":"2023-09-25T21:07:21.542032Z"},"product":{"name":"nights validity updated","version":"1.0.0","uid":"849b866c-5be7-11ee-a7ff-0242ac110005","feature":{"name":"seminar automatic gui","version":"1.0.0","uid":"849b9742-5be7-11ee-9904-0242ac110005"},"lang":"en","url_string":"however","vendor_name":"favorite album ncaa"},"type_id":0,"accessor":{"name":"Xhtml","type":"disabilities","uid":"849ba016-5be7-11ee-8738-0242ac110005","type_id":99,"email_addr":"Stormy@postcard.mobi"},"creator":{"name":"Tap","type":"User","domain":"neural fig colin","org":{"name":"timing process 
palestinian","uid":"849bad9a-5be7-11ee-9fa0-0242ac110005","ou_name":"step mouth drunk"},"type_id":1,"full_name":"Otelia Kori"},"mime_type":"talked/wishlist","parent_folder":"designing designed kim/butts.crx","hashes":[{"value":"A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9","algorithm":"TLSH","algorithm_id":6}],"is_system":true,"modified_time":1695676041546},"user":{"name":"Certain","type":"Unknown","uid":"849bb81c-5be7-11ee-bbec-0242ac110005","groups":[{"name":"penn laundry woods","type":"powerpoint jump hospitality","desc":"twenty protection innovative","uid":"849bbdee-5be7-11ee-95a2-0242ac110005"},{"uid":"849bc780-5be7-11ee-9955-0242ac110005"}],"type_id":0,"email_addr":"Reba@contemporary.mobi","uid_alt":"technical critics nationally"},"tid":86,"uid":"849bcfb4-5be7-11ee-b896-0242ac110005","session":{"uid":"849bd89c-5be7-11ee-bbae-0242ac110005","issuer":"mind file superior","created_time":1695676041544,"is_remote":true},"loaded_modules":["/aims/hammer/duke/implementation/roland.jar","/illustration/reads/adaptation/ppc/footage.cab"],"cmd_line":"treatments proceeding assumed","created_time":1695676041548,"integrity":"written","integrity_id":99,"lineage":["tenant surveillance nature","securities joining bite"],"parent_process":{"name":"Restore","pid":74,"file":{"name":"moral.kmz","type":"Local Socket","path":"suit who pics/arrange.torrent/moral.kmz","type_id":5,"accessor":{"name":"Qualities","type":"Unknown","domain":"operates collectables presentations","uid":"849bf00c-5be7-11ee-a0de-0242ac110005","type_id":0,"uid_alt":"welsh constraints elimination"},"parent_folder":"suit who 
pics/arrange.torrent","accessed_time":1695676044937,"created_time":1695676041545,"hashes":[{"value":"BADBDA50632954800C02D40EB49D1BEF8E5A883D","algorithm":"SHA-1","algorithm_id":2},{"value":"22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false},"cmd_line":"remain weird municipal","container":{"name":"anthony serial medline","size":2006500672,"uid":"849c059c-5be7-11ee-b620-0242ac110005","image":{"name":"titten live cvs","uid":"849c105a-5be7-11ee-8337-0242ac110005"},"hash":{"value":"53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041542,"integrity":"High","integrity_id":4,"namespace_pid":8,"parent_process":{"pid":20,"file":{"attributes":79,"name":"revolution.vcf","owner":{"name":"Sunny","type":"Unknown","uid":"849c24fa-5be7-11ee-93d2-0242ac110005","type_id":0,"email_addr":"Suzan@communicate.coop"},"type":"Folder","version":"1.0.0","path":"nintendo smilies thank/ought.vb/revolution.vcf","signature":{"certificate":{"version":"1.0.0","subject":"microwave marriott okay","issuer":"foundation review shaft","fingerprints":[{"value":"35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7","algorithm":"TLSH","algorithm_id":6}],"created_time":1695676041548,"expiration_time":1695676041514,"serial_number":"windsor sponsor google"},"algorithm":"ECDSA","algorithm_id":3},"product":{"name":"pci invasion producers","version":"1.0.0","uid":"849c3e4a-5be7-11ee-80be-0242ac110005","lang":"en","vendor_name":"australian payments crm"},"type_id":2,"accessor":{"name":"Class","type":"pie","type_id":99,"full_name":"Crysta Damaris","account":{"name":"cards gratis necklace","type":"Apple Account","type_id":8},"uid_alt":"linux has 
luis"},"company_name":"Mckenzie Ardith","creator":{"type":"selected","domain":"glass outlet lopez","uid":"849c4b2e-5be7-11ee-9c0b-0242ac110005","org":{"name":"reproductive balloon stanley","uid":"849c5060-5be7-11ee-b740-0242ac110005","ou_name":"pick rear governance","ou_uid":"849c5470-5be7-11ee-b89d-0242ac110005"},"groups":[{"name":"suspected contributor counting","type":"vacations wines biological","uid":"849c5ae2-5be7-11ee-97a7-0242ac110005"}],"type_id":99},"parent_folder":"nintendo smilies thank/ought.vb","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E","algorithm":"quickXorHash","algorithm_id":7},{"value":"221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4","algorithm":"TLSH","algorithm_id":6}],"is_system":false,"security_descriptor":"recommended approve environment"},"uid":"849c61f4-5be7-11ee-8006-0242ac110005","cmd_line":"arrangements makes handy","container":{"name":"yahoo plains basically","uid":"849c6776-5be7-11ee-94b5-0242ac110005","image":{"name":"capabilities huge hometown","uid":"849c6d2a-5be7-11ee-a411-0242ac110005","labels":["mumbai"]},"hash":{"value":"FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1","algorithm":"TLSH","algorithm_id":6}},"created_time":1695676041544,"namespace_pid":13,"parent_process":{"name":"Tell","file":{"name":"world.jpg","type":"Block Device","path":"blend roommates closed/died.docx/world.jpg","modifier":{"name":"Heritage","type":"System","domain":"ln resolved couple","uid":"849c8878-5be7-11ee-98bd-0242ac110005","type_id":3,"email_addr":"Deloise@agreed.arpa"},"type_id":4,"mime_type":"engineer/habitat","parent_folder":"blend roommates 
closed/died.docx","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB","algorithm":"SHA-256","algorithm_id":3},{"value":"31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975","algorithm":"TLSH","algorithm_id":6}],"is_system":true},"user":{"name":"Weather","type":"Admin","domain":"our installing clinical","uid":"849ca4ca-5be7-11ee-b39c-0242ac110005","org":{"name":"top riverside asthma","uid":"849cb208-5be7-11ee-a4a6-0242ac110005","ou_name":"stats dans soviet"},"type_id":2,"credential_uid":"849cc0f4-5be7-11ee-9c36-0242ac110005"},"uid":"849cc522-5be7-11ee-aa87-0242ac110005","session":{"uid":"849ccebe-5be7-11ee-a1ca-0242ac110005","issuer":"volunteer meetings medline","created_time":1695676041550,"is_remote":false,"expiration_time_dt":"2023-09-25T21:07:21.550638Z"},"loaded_modules":["/rev/amazon/casino/june/fails.bin","/credit/potential/lawsuit/clause/nine.bmp"],"cmd_line":"well absent shoe","container":{"name":"hospitality walker vs","size":1224758347,"uid":"849cdd28-5be7-11ee-9250-0242ac110005","image":{"name":"audio miracle leader","uid":"849ce32c-5be7-11ee-b7a9-0242ac110005"},"hash":{"value":"A813ED16B0B3E58FA959C0BA26A47058","algorithm":"MD5","algorithm_id":1}},"created_time":1695676041555,"lineage":["achievement courage send","expansion instructional agreements"],"namespace_pid":62,"parent_process":{"name":"Airfare","file":{"name":"flexible.vcxproj","type":"Folder","product":{"name":"external polar galaxy","version":"1.0.0","lang":"en","vendor_name":"hack infection generator"},"type_id":2,"mime_type":"silicon/limousines","confidentiality":"venue rl 
epa","hashes":[{"value":"2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC","algorithm":"SHA-512","algorithm_id":4},{"value":"256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C","algorithm":"magic","algorithm_id":99}],"modified_time":1695676041500,"xattributes":{},"created_time_dt":"2023-09-25T21:07:21.551631Z"},"user":{"name":"Track","type":"Unknown","uid":"849cfe70-5be7-11ee-b38b-0242ac110005","type_id":0,"account":{"name":"strict manufactured invest","type":"AWS IAM User","uid":"849d0500-5be7-11ee-97bd-0242ac110005","type_id":3},"credential_uid":"849d08ca-5be7-11ee-bfe2-0242ac110005"},"cmd_line":"challenges prompt cumulative","container":{"name":"develop affiliates required","size":2138922450,"uid":"849d0e7e-5be7-11ee-a8e4-0242ac110005","image":{"name":"charges fragrances complex","uid":"849d1342-5be7-11ee-a4ca-0242ac110005"},"hash":{"value":"6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0","algorithm":"SHA-512","algorithm_id":4},"network_driver":"familiar movies legitimate","pod_uuid":"legally"},"integrity":"Unknown","integrity_id":0,"namespace_pid":2,"parent_process":{"name":"Eternal","pid":76,"file":{"attributes":44,"name":"uzbekistan.jar","type":"Block Device","uid":"849d2170-5be7-11ee-a637-0242ac110005","type_id":4,"mime_type":"will/executed","hashes":[{"value":"8A25185F3C5523EF3B08C1ECDD83016224863C95","algorithm":"SHA-1","algorithm_id":2},{"value":"6B9ED75DAE7A1E692073FC400B558EA4","algorithm":"MD5","algorithm_id":1}],"xattributes":{}},"user":{"name":"Manager","type":"legs","uid":"849d2c24-5be7-11ee-953d-0242ac110005","type_id":99,"email_addr":"Josefina@holders.museum"},"uid":"849d308e-5be7-11ee-a5ad-0242ac110005","cmd_line":"reporter techno regarded","container":{"name":"cpu mission hacker","runtime":"cables vanilla 
amendments","size":1820268463,"uid":"849d3caa-5be7-11ee-9fe6-0242ac110005","image":{"uid":"849d468c-5be7-11ee-85e3-0242ac110005","labels":["responsibility"]},"hash":{"value":"0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D","algorithm":"magic","algorithm_id":99},"orchestrator":"helpful pasta matthew"},"namespace_pid":84,"parent_process":{"name":"Music","pid":28,"file":{"name":"titanium.avi","type":"Unknown","path":"slideshow configurations lens/nations.flv/titanium.avi","desc":"closed hydraulic connecting","type_id":0,"company_name":"Frederica Hertha","parent_folder":"slideshow configurations lens/nations.flv","confidentiality":"Top Secret","confidentiality_id":4,"created_time":1695676041554,"hashes":[{"value":"5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F","algorithm":"magic","algorithm_id":99}],"xattributes":{},"created_time_dt":"2023-09-25T21:07:21.554150Z"},"user":{"name":"Be","type":"types","uid":"849d60a4-5be7-11ee-98cb-0242ac110005","type_id":99},"uid":"849d64dc-5be7-11ee-b02a-0242ac110005","container":{"size":1668291787,"uid":"849d7cce-5be7-11ee-80f3-0242ac110005","image":{"name":"curtis burns park","uid":"849d83f4-5be7-11ee-8f40-0242ac110005","labels":["fix"]},"hash":{"value":"308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C","algorithm":"Unknown","algorithm_id":0},"network_driver":"surely assistance actively","pod_uuid":"gardening"},"created_time":1695676041553,"integrity":"System","integrity_id":5,"parent_process":{"name":"Surprise","pid":50,"file":{"name":"opening.vob","type":"Local Socket","path":"venezuela flyer seller/os.kml/opening.vob","modifier":{"name":"Infected","type":"User","uid":"849d94de-5be7-11ee-b30d-0242ac110005","type_id":1,"full_name":"Katheryn Kena"},"type_id":5,"accessor":{"name":"Mine","type":"fcc","uid":"849da17c-5be7-11ee-9d3a-0242ac110005","type_id":99,"account":{"name":"hourly toll 
disappointed","uid":"849dabd6-5be7-11ee-ba6a-0242ac110005"},"credential_uid":"849db838-5be7-11ee-8a18-0242ac110005"},"parent_folder":"venezuela flyer seller/os.kml","hashes":[{"value":"599DCCE2998A6B40B1E38E8C6006CB0A","algorithm":"MD5","algorithm_id":1},{"value":"E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4","algorithm":"TLSH","algorithm_id":6}],"modified_time":1695676041557,"security_descriptor":"graham occupations become"},"user":{"name":"Simulations","type":"User","uid":"849debb4-5be7-11ee-bfac-0242ac110005","type_id":1,"account":{"type":"Windows Account","uid":"849df820-5be7-11ee-82f1-0242ac110005","type_id":2},"credential_uid":"849dfc62-5be7-11ee-a9bc-0242ac110005"},"cmd_line":"pursuant proceed discussed","container":{"name":"insight style ca","runtime":"williams ng xhtml","size":220440282,"uid":"849e031a-5be7-11ee-b55b-0242ac110005","image":{"name":"bubble architects vancouver","path":"hairy pixel time","uid":"849e0ebe-5be7-11ee-8341-0242ac110005"},"hash":{"value":"8876489CE00D6D9FDF61ED1C773F047E","algorithm":"MD5","algorithm_id":1}},"created_time":1695676041558,"lineage":["bk destinations est","whose playback congressional"],"namespace_pid":54,"parent_process":{"name":"Courage","pid":5,"file":{"name":"filled.mdb","size":2881440001,"type":"Character Device","path":"disc dividend incentives/crucial.wps/filled.mdb","signature":{"certificate":{"version":"1.0.0","subject":"infectious replication lock","issuer":"worker attended mel","fingerprints":[{"value":"372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F","algorithm":"magic","algorithm_id":99}],"created_time":1695676041558,"expiration_time":1695676041554,"serial_number":"durham graham course"},"algorithm":"Unknown","algorithm_id":0},"modifier":{"name":"Constraints","type":"Unknown","domain":"informational advisory mg","uid":"849e2a2a-5be7-11ee-82b2-0242ac110005","type_id":0},"product":{"name":"michigan slight 
torture","version":"1.0.0","path":"costumes somewhat qui","uid":"849e3088-5be7-11ee-8510-0242ac110005","lang":"en","vendor_name":"franchise portland experiment"},"type_id":3,"accessor":{"name":"Intl","type":"Unknown","uid":"849e39a2-5be7-11ee-b3b8-0242ac110005","type_id":0,"full_name":"Lorna Francisco"},"parent_folder":"disc dividend incentives/crucial.wps","hashes":[{"value":"9471ED19416B8099E51855CB0EF61AE3","algorithm":"MD5","algorithm_id":1}],"modified_time":1695676041563},"user":{"name":"Motorcycle","type":"Admin","uid":"849e4a46-5be7-11ee-bc81-0242ac110005","type_id":2},"cmd_line":"peer rail specialist","container":{"name":"priority mirrors although","runtime":"rock relation block","size":2559819198,"uid":"849e509a-5be7-11ee-ad75-0242ac110005","image":{"name":"committed plastic does","uid":"849e6972-5be7-11ee-b803-0242ac110005"},"network_driver":"conduct linking lb"},"created_time":1695676041434,"lineage":["desktop lakes moscow","barrel touch increasing"],"namespace_pid":13,"parent_process":{"name":"Harley","pid":38,"file":{"name":"metabolism.gadget","owner":{"type":"System","uid":"849e86dc-5be7-11ee-9b00-0242ac110005","org":{"name":"syndication joseph realized","uid":"849e8ff6-5be7-11ee-be3f-0242ac110005","ou_name":"advertise scored usr","ou_uid":"849e9852-5be7-11ee-9c6a-0242ac110005"},"type_id":3},"type":"Character Device","path":"patch attempting mf/nashville.dxf/metabolism.gadget","signature":{"certificate":{"version":"1.0.0","subject":"signals book follow","issuer":"database verse prince","fingerprints":[{"value":"6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98","algorithm":"quickXorHash","algorithm_id":7},{"value":"80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93","algorithm":"Unknown","algorithm_id":0}],"created_time":1695676041504,"expiration_time":1695676041569,"serial_number":"termination vi 
limitation"},"algorithm":"ECDSA","algorithm_id":3},"type_id":3,"creator":{"type":"Unknown","uid":"849edfe2-5be7-11ee-97f0-0242ac110005","type_id":0,"account":{"name":"workers observer lonely","type":"GCP Account","uid":"849ef310-5be7-11ee-b8e1-0242ac110005","type_id":5},"email_addr":"Myrta@of.cat"},"parent_folder":"patch attempting mf/nashville.dxf","hashes":[{"value":"5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10","algorithm":"TLSH","algorithm_id":6},{"value":"C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B","algorithm":"CTPH","algorithm_id":5}],"accessed_time_dt":"2023-09-25T21:07:21.564734Z"},"user":{"name":"Referenced","type":"Admin","type_id":2,"full_name":"Lyndsay Ricky"},"uid":"849f00ee-5be7-11ee-954b-0242ac110005","cmd_line":"institutes yes inputs","container":{"name":"missed foreign palmer","size":903476370,"uid":"849f0878-5be7-11ee-b335-0242ac110005","image":{"name":"belfast interests activation","uid":"849f1dc2-5be7-11ee-b432-0242ac110005"},"hash":{"value":"7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1","algorithm":"SHA-1","algorithm_id":2}},"created_time":1695676041565,"namespace_pid":44,"terminated_time":1695676041566,"xattributes":{},"created_time_dt":"2023-09-25T21:07:21.565824Z"}},"sandbox":"final corporations performances"}},"xattributes":{}}},"sandbox":"distributor workshops maldives"}},"sandbox":"upload stages deutsch","xattributes":{},"created_time_dt":"2023-09-25T21:07:21.565886Z","terminated_time_dt":"2023-09-25T21:07:21.565891Z"},"sandbox":"facial gossip lopez","terminated_time":1695676041561,"created_time_dt":"2023-09-25T21:07:21.565904Z","terminated_time_dt":"2023-09-25T21:07:21.565908Z"},"sandbox":"compounds s time","terminated_time":1695676041567},"sandbox":"romance volunteer entrepreneurs"}},"xattributes":{}},"sandbox":"moon exercise 
starring","terminated_time":1695676041562}},"terminated_time":1695676041561},"xattributes":{}}},"sandbox":"keeps pour rent","terminated_time":1695676041566},"xattributes":{}},"sandbox":"species tourism system","terminated_time":1695676041564,"xattributes":{}},"terminated_time":1695676041564}},"user":{"name":"Turkish","type":"metres","domain":"jones cnet biz","uid":"849f330c-5be7-11ee-aa02-0242ac110005","org":{"name":"performed assignments undefined","uid":"849f3870-5be7-11ee-8857-0242ac110005","ou_name":"headquarters informal nigeria"},"type_id":99}},"cloud":{"provider":"diego ins ext","region":"kissing wi confidence"},"enrichments":[{"data":{"wallpaper":"feded"},"name":"hc saskatchewan quickly","type":"thu loves strong","value":"sword somebody equilibrium","provider":"outlet toolkit person"},{"data":{"drug":"drugg7899"},"name":"tree cities corner","type":"knife super bat","value":"thy qualification booth"}],"expiration_time":1695676041527,"severity_id":2,"src_endpoint":{"name":"replaced wa unlock","port":25780,"ip":"175.16.199.1","uid":"84972e82-5be7-11ee-8eac-0242ac110005","hostname":"menu.travel","instance_uid":"849732a6-5be7-11ee-bdb0-0242ac110005","interface_name":"grown reflect expressed","interface_uid":"84973670-5be7-11ee-8000-0242ac110005","svc_name":"stanford leisure analyzed"}} {"message":"distances authorization packed","status":"annually","time":1695676084572,"file":{"name":"revenge.ged","size":123,"type":"Block Device","path":"pensions lightning push/congress.icns/revenge.ged","type_id":4,"parent_folder":"pensions lightning push/congress.icns","confidentiality":"Top Secret","confidentiality_id":4,"hashes":[{"value":"55F23C756971F835627DAD00E0FEAF38D62993462CA63631FDF93D0E8130CDFF","algorithm":"magic","algorithm_id":99}],"modified_time":1695676084549,"security_descriptor":"procedure amsterdam belarus","accessed_time_dt":"2023-09-25T21:08:04.549340Z"},"device":{"name":"walter qt 
hitting","type":"Tablet","ip":"67.43.156.0","uid":"9e3dbfa4-5be7-11ee-8f05-0242ac110005","hostname":"rule.edu","groups":[{"name":"scanned consisting expense","type":"odds traditions trick","uid":"9e3db702-5be7-11ee-a715-0242ac110005","privileges":["photography derived log","dna ec believed"]},{"name":"tires modifications calendars","uid":"9e3dbc02-5be7-11ee-9470-0242ac110005"}],"type_id":4,"autoscale_uid":"9e3d9b1e-5be7-11ee-ab96-0242ac110005","instance_uid":"9e3d9f74-5be7-11ee-a549-0242ac110005","interface_name":"accurately shadows node","interface_uid":"9e3da38e-5be7-11ee-bda3-0242ac110005","is_personal":false,"modified_time":1695676084549,"region":"cosmetics preston msgstr","uid_alt":"technology alex metallica"},"metadata":{"version":"1.0.0","extension":{"name":"editor nerve offset","version":"1.0.0","uid":"9e3d7ff8-5be7-11ee-8454-0242ac110005"},"product":{"name":"harm dash walter","version":"1.0.0","path":"contributors rest worried","uid":"9e3d893a-5be7-11ee-9bf6-0242ac110005","lang":"en","vendor_name":"acre shut suzuki"},"profiles":["cloud","container","datetime","host","security_control"],"log_version":"flow tribunal aging","original_time":"consistently sauce duke","processed_time_dt":"2023-09-25T21:08:04.547033Z"},"severity":"Critical","disposition":"Blocked","type_name":"Email File Activity: Send","activity_id":1,"disposition_id":2,"type_uid":401101,"category_name":"Network Activity","class_uid":4011,"category_uid":4,"class_name":"Email File Activity","timezone_offset":0,"attacks":[{"version":"12.1","tactics":[{"name":"Privilege Escalation | The adversary is trying to gain higher-level permissions.","uid":"TA0004"}],"technique":{"name":"CMSTP","uid":"T1191"}}],"activity_name":"Send","cloud":{"account":{"type":"AWS Account","uid":"9e3d6a4a-5be7-11ee-9095-0242ac110005","type_id":10},"provider":"antique camp pin"},"email_uid":"9e3d9088-5be7-11ee-b651-0242ac110005","enrichments":[{"data":{"meat":"meattt"},"name":"another polyester collectors","type":"gen cap 
beauty","value":"recipes generating stored","provider":"companion fy mat"},{"data":{"meatd":"meattt"},"name":"brandon fraser seed","type":"grove bradley ddr","value":"written thumbnail looksmart","provider":"hearings gossip shadows"}],"severity_id":5,"status_id":99} {"count":43,"message":"carb fujitsu spots","status":"Success","time":1695676101376,"device":{"name":"experiments old guides","type":"Virtual","ip":"67.43.156.0","desc":"beta culture receiving","uid":"a845433c-5be7-11ee-8e93-0242ac110005","hostname":"australia.aero","image":{"name":"bank ftp newman","uid":"a84532d4-5be7-11ee-af3a-0242ac110005"},"groups":[{"name":"karaoke finnish coordination","desc":"blessed drive took","uid":"a8453b30-5be7-11ee-90d5-0242ac110005"},{"name":"briefs iii andy","type":"ireland arch trademark","uid":"a8453fc2-5be7-11ee-bd52-0242ac110005"}],"type_id":6,"instance_uid":"a84525fa-5be7-11ee-987a-0242ac110005","interface_name":"subsection get techno","interface_uid":"a8452b90-5be7-11ee-9db2-0242ac110005","network_interfaces":[{"name":"animals economy signals","type":"proven","ip":"175.16.199.1","hostname":"personalized.nato","mac":"30:29:E4:EE:B6:98:14:3A","type_id":99},{"name":"announces restaurants deposits","type":"Wired","ip":"224.61.168.94","hostname":"mitchell.nato","mac":"69:8D:D4:20:55:3A:43:D0","type_id":1}],"region":"propecia commonwealth equipment","last_seen_time_dt":"2023-09-25T21:08:21.374251Z"},"metadata":{"version":"1.0.0","product":{"name":"erotica ladies hero","version":"1.0.0","uid":"a844f346-5be7-11ee-a2c8-0242ac110005","feature":{"name":"mess const microwave","version":"1.0.0","uid":"a8450084-5be7-11ee-93f7-0242ac110005"},"lang":"en","url_string":"washer","vendor_name":"feelings tide perry"},"profiles":["cloud","container","datetime","host","security_control"],"log_name":"cleaners villa historic","log_provider":"immediately accused charlie","logged_time":1695676101375,"original_time":"medline prospect 
ict"},"severity":"electrical","url":{"port":23624,"scheme":"yoga thesaurus regardless","path":"flows affiliation global","hostname":"sage.mil","query_string":"mattress betting covers","category_ids":[49,54],"url_string":"vocal"},"duration":2,"disposition":"Delayed","type_name":"Email URL Activity: Receive","activity_id":2,"disposition_id":14,"type_uid":401202,"category_name":"Network Activity","class_uid":4012,"category_uid":4,"class_name":"Email URL Activity","timezone_offset":34,"activity_name":"Receive","cloud":{"account":{"name":"bubble prototype interstate","type":"Azure AD Account","uid":"a844c1f0-5be7-11ee-83dc-0242ac110005","type_id":6},"provider":"indicated electro washer","region":"crucial mysimon exit"},"email_uid":"a8450be2-5be7-11ee-bf7c-0242ac110005","severity_id":99,"status_detail":"released oxygen reasonable","status_id":1} +{"actor":{"process":{"pid":55,"file":{"name":"demonstrates.xlsx","size":1700247011,"type":"Character Device","path":"simpson alice serum/loud.key/demonstrates.xlsx","desc":"suits peru therapist","type_id":3,"accessor":{"name":"Dinner","type":"User","uid":"8241051e-4ff6-11ef-8c1c-0242ac110005","type_id":1,"uid_alt":"tiny democrats map"},"creator":{"name":"Clock","type":"System","uid":"824111ee-4ff6-11ef-80d5-0242ac110005","type_id":3,"email_addr":"Clelia@servers.arpa"},"parent_folder":"simpson alice serum/loud.key","confidentiality":"Not Confidential","confidentiality_id":1,"hashes":[{"value":"866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9","algorithm":"SHA-512","algorithm_id":4},{"value":"9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C","algorithm":"CTPH","algorithm_id":5}]},"uid":"82411bb2-4ff6-11ef-a29d-0242ac110005","cmd_line":"composer oriented salt","container":{"name":"essential service 
beverage","size":3850921168,"uid":"8241251c-4ff6-11ef-bfb4-0242ac110005","image":{"name":"ports ide john","uid":"82412df0-4ff6-11ef-bb20-0242ac110005"},"hash":{"value":"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16","algorithm":"magic","algorithm_id":99}},"created_time":1722510563763413,"namespace_pid":26,"parent_process":{"name":"Peripheral","file":{"name":"ebook.xls","type":"Named Pipe","path":"sheffield specs folks/ab.dll/ebook.xls","uid":"824151a4-4ff6-11ef-baa0-0242ac110005","type_id":6,"accessor":{"name":"Mp","type":"Admin","uid":"82415dc0-4ff6-11ef-8589-0242ac110005","type_id":2},"creator":{"name":"Contemporary","type":"User","uid":"82416b62-4ff6-11ef-bb14-0242ac110005","groups":[{"name":"differences rachel activity","uid":"824174ea-4ff6-11ef-858b-0242ac110005"},{"name":"philips facility sure","desc":"richardson silly malpractice"}],"type_id":1,"credential_uid":"82417bf2-4ff6-11ef-9b27-0242ac110005"},"parent_folder":"sheffield specs folks/ab.dll","confidentiality":"ws rage bedford","hashes":[{"value":"8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6","algorithm":"TLSH","algorithm_id":6},{"value":"8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B","algorithm":"magic","algorithm_id":99}],"xattributes":{},"accessed_time_dt":"2024-08-01T11:09:23.765455Z"},"user":{"type":"System","uid":"82418dcc-4ff6-11ef-ad9d-0242ac110005","groups":[{"name":"minneapolis listen accounts","uid":"82419740-4ff6-11ef-8605-0242ac110005"},{"name":"convert temporal sees","type":"pointer launch particle","uid":"82419e0c-4ff6-11ef-a40e-0242ac110005"}],"type_id":3,"account":{"name":"person catalogs assembled","type":"AWS IAM Role","uid":"8241a78a-4ff6-11ef-a514-0242ac110005","type_id":4},"email_addr":"Mabel@appointment.cat"},"group":{"name":"crisis vulnerable challenge","desc":"understand charlie 
shorts"},"tid":31,"uid":"8241b414-4ff6-11ef-942e-0242ac110005","cmd_line":"scientist discover md","container":{"name":"basement canada const","size":3047246820,"uid":"8241bd6a-4ff6-11ef-b2aa-0242ac110005","image":{"uid":"8241c562-4ff6-11ef-8fe7-0242ac110005"},"orchestrator":"leslie contribute pixel"},"created_time":1722510563767250,"namespace_pid":1,"parent_process":{"name":"Racks","pid":74,"file":{"name":"lightning.htm","type":"valve","path":"deer oils respected/blood.ico/lightning.htm","desc":"differently maldives brand","product":{"name":"relevant adaptation midwest","version":"1.1.0","lang":"en","vendor_name":"eclipse korean ghost"},"type_id":99,"accessor":{"name":"Request","type":"Admin","uid":"8241ede4-4ff6-11ef-acc4-0242ac110005","groups":[{"name":"well characterization holocaust","uid":"82421e4a-4ff6-11ef-8980-0242ac110005"},{"name":"levitra against glen"}],"type_id":2},"parent_folder":"deer oils respected/blood.ico","confidentiality":"median twelve ha","created_time":1722510563769556,"hashes":[{"value":"06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD","algorithm":"Unknown","algorithm_id":0},{"value":"7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98","algorithm":"quickXorHash","algorithm_id":7}],"created_time_dt":"2024-08-01T11:09:23.769628Z"},"user":{"name":"Prep","type":"Unknown","uid":"82422f2a-4ff6-11ef-8418-0242ac110005","type_id":0},"group":{"name":"bet dictionaries peace"},"uid":"82423a2e-4ff6-11ef-ac30-0242ac110005","cmd_line":"checking yeast mark","container":{"name":"ireland subcommittee falling","size":1936688053,"uid":"82424474-4ff6-11ef-82f8-0242ac110005","image":{"name":"write paper 
recognized","uid":"82424de8-4ff6-11ef-8d6b-0242ac110005"},"hash":{"value":"D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B","algorithm":"quickXorHash","algorithm_id":7},"pod_uuid":"blues"},"created_time":1722510563770786,"parent_process":{"name":"Chile","pid":51,"file":{"name":"eyed.csr","owner":{"name":"Recent","type":"User","uid":"82426be8-4ff6-11ef-807f-0242ac110005","type_id":1,"uid_alt":"affiliation locks chance"},"type":"Regular File","path":"michigan prague acting/perfume.cer/eyed.csr","product":{"name":"classics problem furnished","version":"1.1.0","uid":"82427804-4ff6-11ef-92e9-0242ac110005","vendor_name":"mathematical chat duration"},"type_id":1,"accessor":{"name":"Reducing","type":"Admin","uid":"82428894-4ff6-11ef-aa8a-0242ac110005","type_id":2},"parent_folder":"michigan prague acting/perfume.cer","confidentiality":"coach","confidentiality_id":99,"hashes":[{"value":"44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2","algorithm":"SHA-512","algorithm_id":4}],"security_descriptor":"hamilton samsung subsidiary"},"user":{"name":"Fitted","type":"Admin","uid":"82429a96-4ff6-11ef-ac59-0242ac110005","type_id":2},"group":{"name":"lightbox lay brad","uid":"8242f608-4ff6-11ef-aea1-0242ac110005"},"uid":"8242ff90-4ff6-11ef-b85f-0242ac110005","cmd_line":"fixed marketing wear","container":{"name":"disagree replied romania","size":940803910,"uid":"82430aa8-4ff6-11ef-83eb-0242ac110005","image":{"name":"venice shipment thursday","tag":"worst lamb depends","uid":"8243169c-4ff6-11ef-9bd9-0242ac110005"},"orchestrator":"syndrome permissions shark"},"created_time":1722510563775908,"integrity":"tired random grown","namespace_pid":4,"parent_process":{"pid":17,"file":{"name":"freedom.bat","owner":{"name":"Lake","type":"Unknown","type_id":0,"credential_uid":"82433334-4ff6-11ef-9df3-0242ac110005"},"type":"Symbolic 
Link","path":"ko phantom flights/ground.dtd/freedom.bat","desc":"beatles collar exposure","product":{"name":"gave thomson circumstances","uid":"82433e6a-4ff6-11ef-8379-0242ac110005","url_string":"copyrights","vendor_name":"poetry lived fy"},"uid":"82434784-4ff6-11ef-98ca-0242ac110005","type_id":7,"mime_type":"law/apparent","parent_folder":"ko phantom flights/ground.dtd","confidentiality":"Unknown","confidentiality_id":0,"hashes":[{"value":"CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45","algorithm":"quickXorHash","algorithm_id":7}],"is_system":false,"xattributes":{}},"user":{"name":"Ak","type":"System","domain":"km msgid creek","uid":"82436e80-4ff6-11ef-b543-0242ac110005","type_id":3,"credential_uid":"824374de-4ff6-11ef-a10e-0242ac110005"},"group":{"name":"via capabilities manufacturing","uid":"82437e84-4ff6-11ef-a820-0242ac110005","privileges":["tv glasses retrieval"]},"uid":"824384d8-4ff6-11ef-8982-0242ac110005","cmd_line":"smile builders sanyo","container":{"name":"arrange lips hoped","size":3752277430,"uid":"82438e24-4ff6-11ef-9a2b-0242ac110005","image":{"name":"surfing harvest additionally","tag":"instrumentation mi dim","uid":"82439680-4ff6-11ef-b7fa-0242ac110005"},"hash":{"value":"37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26","algorithm":"SHA-512","algorithm_id":4}},"created_time":1722510563779192,"namespace_pid":23,"parent_process":{"name":"Miles","pid":44,"file":{"name":"naturally.dmp","type":"apparently","version":"1.1.0","path":"eligible terms landscapes/those.accdb/naturally.dmp","product":{"name":"viruses dancing dirty","version":"1.1.0","uid":"8243ae0e-4ff6-11ef-9d4a-0242ac110005","lang":"en","vendor_name":"ricky junk 
daniel"},"type_id":99,"accessor":{"name":"Profiles","type":"hall","uid":"8243c31c-4ff6-11ef-b7ce-0242ac110005","type_id":99,"email_addr":"Benita@instrument.com","uid_alt":"zope unsubscribe be"},"parent_folder":"eligible terms landscapes/those.accdb","hashes":[{"value":"75017A36EC07FD4C377A0D2A011400AB193E61DB","algorithm":"SHA-1","algorithm_id":2}],"created_time_dt":"2024-08-01T11:09:23.780361Z","modified_time_dt":"2024-08-01T11:09:23.780372Z"},"user":{"name":"Translated","type":"User","uid":"8243ea5e-4ff6-11ef-af0a-0242ac110005","type_id":1,"full_name":"Bronwyn Kandi"},"group":{"name":"secure escape dui","type":"vault vocational aerospace","uid":"8243f65c-4ff6-11ef-a514-0242ac110005","privileges":["doug producing distributor","discover uri conscious"]},"uid":"8243fda0-4ff6-11ef-9876-0242ac110005","cmd_line":"compiler homework usually","container":{"name":"vietnamese sixth good","runtime":"paragraph pizza ing","size":3917616377,"uid":"82440a5c-4ff6-11ef-ad41-0242ac110005","image":{"name":"pr request boy","uid":"824413e4-4ff6-11ef-bb4f-0242ac110005"},"hash":{"value":"818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5","algorithm":"SHA-256","algorithm_id":3},"orchestrator":"maintain cargo awarded"},"terminated_time":1722510563782421}},"terminated_time":1722510563782432,"euid":44,"egid":29,"created_time_dt":"2024-08-01T11:09:23.782438Z","terminated_time_dt":"2024-08-01T11:09:23.782445Z"},"terminated_time":1722510563782452,"auid":78,"terminated_time_dt":"2024-08-01T11:09:23.782458Z"},"euid":21,"created_time_dt":"2024-08-01T11:09:23.782465Z","terminated_time_dt":"2024-08-01T11:09:23.782471Z"},"euid":20},"user":{"name":"Villa","type":"seek","uid":"824425be-4ff6-11ef-8b9f-0242ac110005","org":{"name":"replied reservation circles","uid":"82442fdc-4ff6-11ef-b680-0242ac110005","ou_name":"dale halloween convenience"},"type_id":99,"uid_alt":"trout americans substance"}},"activity_name":"Client Synchronization","action":"Denied","proxy_endpoint":{"name":"resources 
contracts treasury","port":32431,"type":"Hub","ip":"175.16.199.0","hostname":"fashion.aero","uid":"8240c996-4ff6-11ef-a9b6-0242ac110005","mac":"AA:9E:EF:FA:F6:8C:22:78","type_id":11,"container":{"name":"actions bullet populations","size":1551677878,"uid":"8240d5bc-4ff6-11ef-8e32-0242ac110005","image":{"name":"jewish rating housewives","uid":"8240de40-4ff6-11ef-8dac-0242ac110005"},"hash":{"value":"428AC4813390324C88145AE1CB67084A8DA3386B","algorithm":"SHA-1","algorithm_id":2},"network_driver":"midi florists tired","orchestrator":"contract girl traditional"},"instance_uid":"8240e746-4ff6-11ef-a2e6-0242ac110005","interface_name":"bring ana ex","namespace_pid":71,"svc_name":"democratic benefits supplier"},"stratum_id":16,"severity":"indirect","category_name":"Network Activity","message":"c attended regulated","class_uid":4013,"severity_id":99,"version":"1.1.0","proxy_connection_info":{"uid":"8240bb40-4ff6-11ef-9482-0242ac110005","direction":"commodity","direction_id":99,"protocol_num":62,"protocol_ver":"Internet Protocol version 4 (IPv4)","protocol_ver_id":4},"time":1722510563760083,"precision":47,"device":{"name":"keyboards sudan tp","type":"Unknown","ip":"216.160.83.56","location":{"desc":"Guadeloupe","city":"Vic screenshot","country":"GP","coordinates":[22.1588,28.2006],"continent":"North America"},"hostname":"teeth.nato","image":{"uid":"8240911a-4ff6-11ef-a984-0242ac110005","labels":["microsoft"]},"type_id":0,"subnet":"38.80.125.0/24","container":{"name":"hormone investigated performances","size":793369097,"uid":"82409b10-4ff6-11ef-b701-0242ac110005","image":{"name":"distance beautifully maximum","tag":"passed contribution studied","uid":"8240a3d0-4ff6-11ef-be39-0242ac110005"},"hash":{"value":"CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199","algorithm":"magic","algorithm_id":99},"orchestrator":"genes thick degree"},"created_time":1722510563758738,"instance_uid":"8240879c-4ff6-11ef-af64-0242ac110005","interface_name":"abstracts cj 
highs","interface_uid":"8240ade4-4ff6-11ef-b741-0242ac110005","is_managed":false,"namespace_pid":56,"region":"painful lifetime significant","vlan_uid":"824080b2-4ff6-11ef-a395-0242ac110005"},"observables":[{"name":"logged nasdaq hosts","type":"Hash","type_id":8},{"name":"trading friends request","type":"gentle","type_id":99}],"type_name":"NTP Activity: Client Synchronization","type_uid":401303,"src_endpoint":{"name":"brandon attacked blonde","port":23430,"type":"Virtual","ip":"89.160.20.128","location":{"desc":"Macao, Special Administrative Region of China","city":"Death stars","country":"MO","coordinates":[-54.8511,61.8154],"continent":"Asia"},"hostname":"sacrifice.jobs","uid":"82403698-4ff6-11ef-bb82-0242ac110005","type_id":6,"container":{"name":"variety summary focused","size":1038161419,"uid":"824041c4-4ff6-11ef-916a-0242ac110005","image":{"name":"toddler yahoo dressing","uid":"82405042-4ff6-11ef-9809-0242ac110005"},"hash":{"value":"FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823","algorithm":"SHA-512","algorithm_id":4}},"instance_uid":"8240592a-4ff6-11ef-a917-0242ac110005","interface_name":"bobby machines drink","interface_uid":"82405fb0-4ff6-11ef-8580-0242ac110005","namespace_pid":19,"vpc_uid":"824065c8-4ff6-11ef-83f7-0242ac110005","zone":"admitted freebsd lazy"},"metadata":{"version":"1.1.0","product":{"name":"raising sodium preliminary","version":"1.1.0","uid":"82400ab0-4ff6-11ef-abab-0242ac110005","cpe_name":"skilled ru contributions","url_string":"mad","vendor_name":"answer probe affiliation"},"labels":["martin","lil"],"log_level":"recovered device retail","sequence":44,"profiles":["cloud","container","datetime","host","linux/linux_users","load_balancer","network_proxy","security_control"],"log_name":"planets van wine","log_provider":"execute lite utah","original_time":"fairy affecting 
agricultural","tenant_uid":"8240179e-4ff6-11ef-b399-0242ac110005","processed_time_dt":"2024-08-01T11:09:23.756232Z"},"activity_id":3,"proxy_tls":{"version":"1.1.0","key_length":36,"cipher":"cent memories rochester","sni":"identification vincent breakfast","certificate_chain":["pack menu plot"],"ja3_hash":{"value":"AC725768466500046904D27B548D75C5","algorithm":"MD5","algorithm_id":1},"ja3s_hash":{"value":"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396","algorithm":"Unknown","algorithm_id":0},"tls_extension_list":[{"data":"recruitment","type":"server_name","type_id":0}]},"stratum":"Unsynchronized","count":97,"status":"Success","connection_info":{"direction":"Lateral","direction_id":3,"protocol_num":24,"protocol_ver":"1"},"proxy_traffic":{"packets":3436547282},"timezone_offset":59,"category_uid":4,"proxy_http_response":{"code":84,"status":"accident around gamespot","http_headers":[{"name":"valid involving problem","value":"swiss navigator focused"}]},"cloud":{"account":{"name":"diet services amazon","type":"Linux Account","uid":"823f3676-4ff6-11ef-87ce-0242ac110005","type_id":9},"provider":"son fits additions","region":"stick aurora admission"},"dst_endpoint":{"name":"foul coming meetings","port":26803,"type":"Virtual","ip":"67.43.156.0","hostname":"sporting.edu","uid":"823eaf30-4ff6-11ef-9671-0242ac110005","type_id":6,"container":{"name":"fisher invite serial","size":480391375,"uid":"823eb962-4ff6-11ef-b477-0242ac110005","image":{"name":"scientific isa thrown","path":"isbn phones proof","uid":"823ec95c-4ff6-11ef-9378-0242ac110005","labels":["oc","inside"]},"hash":{"value":"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3","algorithm":"Unknown","algorithm_id":0}},"interface_name":"active rc 
saying","interface_uid":"823ed398-4ff6-11ef-9896-0242ac110005","intermediate_ips":["81.2.69.142","81.2.69.144"],"namespace_pid":38,"svc_name":"cyber influence simon","vpc_uid":"823edb22-4ff6-11ef-bd25-0242ac110005"},"action_id":2,"authorizations":[{},{}],"load_balancer":{"code":47,"name":"threats invoice popularity","uid":"823df61c-4ff6-11ef-a0b1-0242ac110005","dst_endpoint":{"name":"aspect attempted credit","port":42720,"type":"Laptop","ip":"31.13.253.50","hostname":"brake.jobs","uid":"823e06ac-4ff6-11ef-949d-0242ac110005","type_id":3,"container":{"name":"allowed entered philippines","size":4007710700,"tag":"items preservation orleans","uid":"823e1200-4ff6-11ef-833f-0242ac110005","image":{"name":"repairs opposed condos","tag":"melissa post courage","path":"circulation franklin everybody","uid":"823e1c46-4ff6-11ef-a5a8-0242ac110005"},"hash":{"value":"5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C","algorithm":"CTPH","algorithm_id":5}},"instance_uid":"823e25ec-4ff6-11ef-8a0b-0242ac110005","interface_name":"adelaide hewlett housewives","interface_uid":"823e2c9a-4ff6-11ef-9dc6-0242ac110005","namespace_pid":0,"svc_name":"layout radius connectors","vpc_uid":"823e3352-4ff6-11ef-8cdc-0242ac110005"},"endpoint_connections":[{"code":7,"network_endpoint":{"port":9631,"type":"Mobile","ip":"155.162.119.5","hostname":"principle.nato","uid":"823e6124-4ff6-11ef-83b0-0242ac110005","type_id":5,"hw_info":{"keyboard_info":{"ime":"mark least sean"},"ram_size":94,"serial_number":"invest spring distributors"},"instance_uid":"823e6bd8-4ff6-11ef-9050-0242ac110005","interface_name":"bouquet shorter node","interface_uid":"823e7290-4ff6-11ef-b82d-0242ac110005","svc_name":"surfing lynn leonard"}},{"code":95,"network_endpoint":{"name":"ambien thermal advance","port":58409,"type":"Browser","ip":"102.249.60.133","hostname":"ranging.pro","type_id":8,"container":{"name":"cad xanax 
businesses","size":2100136552,"uid":"823e83fc-4ff6-11ef-9497-0242ac110005","image":{"name":"usda ian manitoba","uid":"823e8d8e-4ff6-11ef-ae19-0242ac110005"},"orchestrator":"control flame phrases"},"instance_uid":"823e94a0-4ff6-11ef-bdd0-0242ac110005","interface_name":"platform boat nav","interface_uid":"823e9f2c-4ff6-11ef-8022-0242ac110005","namespace_pid":32,"svc_name":"intention currency persons","zone":"beverly fm stage"}}]},"class_name":"NTP Activity","status_id":1} +{"message":"andale freely producers","status":"Success","time":1723455177274626,"metadata":{"version":"1.1.0","product":{"name":"sunshine lopez dimension","version":"1.1.0","path":"correctly was books","uid":"dbc81042-588d-11ef-aff0-0242ac110005","vendor_name":"common posting displayed"},"uid":"dbc818a8-588d-11ef-aa74-0242ac110005","profiles":[],"event_code":"cats","log_name":"queen lexmark honolulu","log_provider":"technique wc mountains","modified_time":1723455177273194,"original_time":"china compact prototype","tenant_uid":"dbc8214a-588d-11ef-8173-0242ac110005"},"severity":"Medium","email":{"size":3113926462,"uid":"dbc8706e-588d-11ef-af1b-0242ac110005","from":"Francoise@audi.museum","cc":["Loren@receivers.info","Madeline@sue.net"],"to":["Lizzie@keyword.net"],"message_uid":"dbc878de-588d-11ef-9c86-0242ac110005","reply_to":"Twana@optimization.aero","smtp_from":"Shenita@endangered.jobs","smtp_to":["Lydia@or.gov","Malena@writing.firm"]},"direction":"Inbound","type_uid":1046489335,"category_name":"Network Activity","class_uid":4009,"category_uid":4,"class_name":"Email Activity","timezone_offset":29,"activity_name":"sense cheat builder","direction_id":1,"email_auth":{"dkim":"asbestos equal pass","dkim_domain":"gibraltar res hip","dkim_signature":"phys coordinate pointing","dmarc":"bulk stud occasion","dmarc_override":"specification adobe dam","dmarc_policy":"oem over educated"},"enrichments":[{"data":{"healthcare":"hddhj"},"name":"dip follow theta","type":"eastern eleven ratio","value":"yards 
playstation passwords","provider":"belkin humanity vid"},{"data":"ja","name":"lang advertise sharp","type":"croatia housewives wan","value":"thumb routing firms","provider":"determining delay team"}],"severity_id":3,"smtp_hello":"isbn purposes yea","src_endpoint":{"name":"vietnam chamber rational","port":59948,"ip":"67.43.156.0","hostname":"while.mobi","uid":"dbc831da-588d-11ef-8bc6-0242ac110005","hw_info":{"bios_manufacturer":"restricted while suspension","cpu_count":98,"keyboard_info":null,"ram_size":54,"serial_number":"ps lol launched"},"instance_uid":"dbc83cde-588d-11ef-8ecb-0242ac110005","interface_name":"buses variation russia","interface_uid":"dbc843f0-588d-11ef-8f5a-0242ac110005","svc_name":"drunk m week","vlan_uid":"dbc84ae4-588d-11ef-89b1-0242ac110005","vpc_uid":"dbc85138-588d-11ef-bcda-0242ac110005"},"status_detail":"croatia ks compile","status_id":1} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json index 8d486e226a4a..6f294362b81f 100644 --- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-network-activity.log-expected.json 
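Review bot: in the added Email Activity sample (`class_uid` 4009) the `enrichments` array carries `data` as an object (`{"healthcare":"hddhj"}`) in the first element and as a bare string (`"ja"`) in the second, so if `enrichments.data` is left to dynamic mapping the second element will be rejected with an object-versus-concrete-value mapping conflict; make sure the pipeline maps `enrichments.data` as `flattened` or serializes it to a keyword before indexing, and assert on the resulting field in the expected output. The same sample also sets `src_endpoint.hw_info.keyboard_info` to `null`, which is a useful regression case for null handling in the reworked pipeline and should stay in the fixture.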
@@ -2374,7 +2374,7 @@ "/ourselves/lynn/gpl/helped/narrow.tga" ], "namespace_pid": 97, - "parent_process_keyword": "{container={uid=849829cc-5be7-11ee-bb7a-0242ac110005, size=2387392206, name=kg sources houses, pod_uuid=kiss, runtime=kate through furniture, hash={value=6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6, algorithm_id=3, algorithm=SHA-256}}, lineage=[attraction cord adjustment, announcements summer introduce], created_time=1695676041517, namespace_pid=49, sandbox=species tourism system, pid=26, parent_process={container={uid=84985df2-5be7-11ee-be06-0242ac110005, size=3179758248, name=hunt indicating radiation, tag=reader prevention as, hash={value=666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C, algorithm_id=6, algorithm=TLSH}}, uid=8498530c-5be7-11ee-86f3-0242ac110005, created_time=1695676041527, file={path=conflicts disability citysearch/ieee.dtd/seq.wpd, created_time=1695676041520845, parent_folder=conflicts disability citysearch/ieee.dtd, confidentiality_id=0, type_id=3, modifier={uid=84984362-5be7-11ee-af2c-0242ac110005, type_id=2, name=Officer, type=Admin}, confidentiality=Unknown, name=seq.wpd, hashes=[{value=7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1, algorithm_id=5, algorithm=CTPH}, {value=1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358, algorithm_id=6, algorithm=TLSH}], type=Character Device}, cmd_line=creation defense carolina, namespace_pid=46, name=Jamie, pid=28, parent_process={container={uid=84989948-5be7-11ee-b4fb-0242ac110005, image={path=empirical precipitation builder, uid=84989f42-5be7-11ee-8820-0242ac110005, name=extending construction inkjet, labels=[golf, nov]}, size=2099983603, name=thongs routine an, hash={value=E7EFDA40B1C94805070CD9BF9638AE27, algorithm_id=1, 
algorithm=MD5}}, uid=84989376-5be7-11ee-9216-0242ac110005, created_time=1695676041523226, integrity=conspiracy unions allocated, file={uid=84987ae4-5be7-11ee-b247-0242ac110005, created_time=1695676042262, size=3504413585, signature={certificate={created_time=1695676041522, subject=shades bad tradition, expiration_time=1695676041526, created_time_dt=2023-09-25T21:07:21.521904Z, serial_number=files the parish, issuer=previous price thing, fingerprints=[{value=8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75, algorithm_id=4, algorithm=SHA-512}, {value=205D64FF9B580AADBF4829EC41DD4EF0, algorithm_id=1, algorithm=MD5}]}, algorithm_id=2, algorithm=RSA}, type_id=6, name=startup.3dm, hashes=[{value=60F202A3BE4EF214E24EA9D3555D194C, algorithm_id=1, algorithm=MD5}, {value=B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.522441Z, type=Named Pipe, version=1.0.0}, cmd_line=plan agents converter, name=Arbor, sandbox=keeps pour rent, pid=20, parent_process={container={uid=8498da2a-5be7-11ee-9d00-0242ac110005, image={uid=8498df20-5be7-11ee-8257-0242ac110005, name=version treating tall}, size=2697694450, name=warrior document workflow, pod_uuid=sas, hash={value=F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E, algorithm_id=6, algorithm=TLSH}}, uid=8498d430-5be7-11ee-b1bf-0242ac110005, created_time=1695676041523, integrity=aviation blame tion, file={path=roger economy macro/mesh.gadget/considerations.jar, created_time=1695676041524, parent_folder=roger economy macro/mesh.gadget, mime_type=star/flyer, type_id=5, name=considerations.jar, accessor={uid=8498c030-5be7-11ee-80d9-0242ac110005, full_name=Twyla Cherise, email_addr=Shin@cause.mobi, type_id=2, name=Wildlife, 
uid_alt=excellent far varied, type=Admin}, hashes=[{value=707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D, algorithm_id=5, algorithm=CTPH}, {value=6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2, algorithm_id=5, algorithm=CTPH}], type=Local Socket}, cmd_line=sixth pc peoples, namespace_pid=76, name=Processes, pid=49, parent_process={container={uid=84993ce0-5be7-11ee-8a18-0242ac110005, image={uid=849944f6-5be7-11ee-bc62-0242ac110005, tag=vocal trim jon}, size=2257875576, name=acquired minority slip}, uid=8499377c-5be7-11ee-9164-0242ac110005, file={owner={uid=849901e4-5be7-11ee-bfe1-0242ac110005, full_name=Blythe Jamie, type_id=99, name=Enquiry, type=minneapolis}, is_system=false, signature={certificate={created_time=1695676041526, subject=strap liz boulder, expiration_time=1695676045872, serial_number=approaches symbol assembly, version=1.0.0, issuer=everybody brunei disciplinary, fingerprints=[{value=9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2, algorithm_id=5, algorithm=CTPH}, {value=3DE877DDFB06DB510E63893D98DDAC9524696C14, algorithm_id=2, algorithm=SHA-1}]}, created_time_dt=2023-09-25T21:07:21.526203Z, developer_uid=84991526-5be7-11ee-a2ca-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=99, confidentiality=suburban ati mostly, modified_time_dt=2023-09-25T21:07:21.526727Z, type=charged, path=const foreign pressed/among.ged/pic.vcd, uid=84992264-5be7-11ee-8071-0242ac110005, parent_folder=const foreign pressed/among.ged, name=pic.vcd, hashes=[{value=00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802, algorithm_id=0, algorithm=Unknown}], created_time_dt=2023-09-25T21:07:21.526737Z, accessed_time=1695676041556}, namespace_pid=29, name=Job, 
pid=86, parent_process={container={uid=84996db4-5be7-11ee-bada-0242ac110005, image={uid=849984fc-5be7-11ee-af4c-0242ac110005, name=adipex into polo}, size=797071549, name=deutschland pic newcastle, hash={value=82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF, algorithm_id=3, algorithm=SHA-256}}, lineage=[familiar privilege canvas], uid=84996800-5be7-11ee-8754-0242ac110005, created_time=1695676041528, file={path=architectural pink phil/overview.dtd/tuner.pdb, parent_folder=architectural pink phil/overview.dtd, type_id=6, name=tuner.pdb, hashes=[{value=44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19, algorithm_id=7, algorithm=quickXorHash}, {value=C25DDA249CDECE9D908CC33ADCD16AA05E20290F, algorithm_id=2, algorithm=SHA-1}], type=Named Pipe, version=1.0.0, xattributes={}}, cmd_line=brush bouquet alto, namespace_pid=23, pid=67, parent_process={container={uid=8499d164-5be7-11ee-a7e8-0242ac110005, image={uid=8499d704-5be7-11ee-b617-0242ac110005, name=robert through mailing, tag=struggle gerald weather}, network_driver=catch sun general, orchestrator=sf varieties queries, size=1048383191, name=france sg charger, tag=deserve focused select, hash={value=6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC, algorithm_id=6, algorithm=TLSH}}, uid=8499bc88-5be7-11ee-b028-0242ac110005, created_time=1695676041539, integrity=faculty hardcover generated, file={owner={uid=84999e10-5be7-11ee-914b-0242ac110005, email_addr=Pamelia@directed.com, type_id=1, name=Friend, type=User}, path=fish largest alberta/solutions.deskthemepack/spirit.max, parent_folder=fish largest alberta/solutions.deskthemepack, type_id=1, name=spirit.max, hashes=[{value=718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549, algorithm_id=5, algorithm=CTPH}, 
{value=D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88, algorithm_id=0, algorithm=Unknown}], attributes=83, type=Regular File, version=1.0.0, desc=escape steady bow}, cmd_line=in blowing memorial, session={uid=8499ca0c-5be7-11ee-aae9-0242ac110005, created_time=1695676041534, expiration_time=1695676041542, is_remote=true}, namespace_pid=79, name=Cialis, pid=21, parent_process={container={uid=849a2420-5be7-11ee-94c5-0242ac110005, image={uid=849a32bc-5be7-11ee-86bb-0242ac110005, name=layers branch lucas, tag=nations chances trips}, size=1512724327, name=own drawing acute, hash={value=79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB, algorithm_id=6, algorithm=TLSH}}, lineage=[guru hosted bradley], created_time=1695676041533, namespace_pid=39, sandbox=moon exercise starring, pid=90, parent_process={container={uid=849a646c-5be7-11ee-90ce-0242ac110005, image={uid=849a6a66-5be7-11ee-95e4-0242ac110005, name=evaluating apartments disaster}, size=3702557326, name=apartment drunk amateur, hash={value=12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509, algorithm_id=0, algorithm=Unknown}}, uid=849a5d78-5be7-11ee-ac24-0242ac110005, created_time=1695676041535, file={is_system=false, confidentiality_id=2, type_id=5, confidentiality=Confidential, name=hunt.ppt, hashes=[{value=6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4, algorithm_id=7, algorithm=quickXorHash}, {value=B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153, algorithm_id=7, algorithm=quickXorHash}], attributes=22, modified_time_dt=2023-09-25T21:07:21.533963Z, type=Local Socket}, cmd_line=merchandise initiatives accessibility, 
namespace_pid=29, name=Bags, parent_process={container={uid=849aa490-5be7-11ee-bb98-0242ac110005, image={uid=849aaa9e-5be7-11ee-a47a-0242ac110005, name=evanescence plans courts, tag=buy archives predict}, name=distant modeling monaco, runtime=peace up sailing, hash={value=383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F, algorithm_id=3, algorithm=SHA-256}}, lineage=[lanka manufacture bra, gibson implementation pope], uid=849a9ed2-5be7-11ee-ae61-0242ac110005, created_time=1695676041539, integrity=bookings qc dictionaries, file={owner={uid=849a7ac4-5be7-11ee-a06d-0242ac110005, type_id=99, name=Asia, type=meetup}, path=interactions malta thoughts/laden.pdf/hardware.wma, parent_folder=interactions malta thoughts/laden.pdf, signature={digest={value=3188206324B062751CE36D4251C19C94, algorithm_id=1, algorithm=MD5}, algorithm_id=4, algorithm=Authenticode}, type_id=0, name=hardware.wma, hashes=[{value=6BD48B1E57856137037BFEE4DEC8D57F, algorithm_id=1, algorithm=MD5}], attributes=35, type=Unknown}, cmd_line=recordings countries slides, namespace_pid=6, name=Sen, pid=13, parent_process={container={uid=849aff08-5be7-11ee-80bd-0242ac110005, image={uid=849b1f7e-5be7-11ee-bb9d-0242ac110005, name=cross tray influenced, tag=afternoon counseling governance}, network_driver=slovakia friend username, size=191473515, name=author channel disappointed, hash={value=B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581, algorithm_id=7, algorithm=quickXorHash}}, uid=849adea6-5be7-11ee-aa53-0242ac110005, created_time=1695676041539630, file={path=jeff puts assignments/thing.msi/removal.obj, parent_folder=jeff puts assignments/thing.msi, type_id=6, security_descriptor=bureau myspace barrel, name=removal.obj, hashes=[{value=CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77, algorithm_id=99, algorithm=magic}], accessed_time=1695676041534, type=Named Pipe}, cmd_line=amount anywhere suffered, 
namespace_pid=49, name=Impacts, sandbox=romance volunteer entrepreneurs, pid=86, parent_process={lineage=[qualify insight reproduce, placing download tomato], uid=849b6dee-5be7-11ee-84f0-0242ac110005, created_time=1695676041593, file={path=let dawn representing/surrounding.dwg/human.pdb, product={uid=849b3fd6-5be7-11ee-83d2-0242ac110005, feature={uid=849b46a2-5be7-11ee-824d-0242ac110005, name=metric th alt, version=1.0.0}, name=heavy payroll timothy, vendor_name=rv brother vaccine, version=1.0.0}, parent_folder=let dawn representing/surrounding.dwg, modified_time=1695676041541, type_id=7, name=human.pdb, accessor={uid=849b52b4-5be7-11ee-863c-0242ac110005, type_id=3, name=Dragon, type=System, credential_uid=849b5b88-5be7-11ee-af7a-0242ac110005}, hashes=[{value=AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.541195Z, attributes=78, modified_time_dt=2023-09-25T21:07:21.541163Z, type=Symbolic Link}, cmd_line=techno now vid, namespace_pid=91, name=Sampling, sandbox=compounds s time, pid=71, parent_process={lineage=[tenant surveillance nature, securities joining bite], created_time=1695676041548, session={uid=849bd89c-5be7-11ee-bbae-0242ac110005, created_time=1695676041544, is_remote=true, issuer=mind file superior}, sandbox=facial gossip lopez, pid=41, parent_process={container={uid=849c059c-5be7-11ee-b620-0242ac110005, image={uid=849c105a-5be7-11ee-8337-0242ac110005, name=titten live cvs}, size=2006500672, name=anthony serial medline, hash={value=53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D, algorithm_id=6, algorithm=TLSH}}, created_time=1695676041542, namespace_pid=8, sandbox=upload stages deutsch, pid=74, parent_process={container={uid=849c6776-5be7-11ee-94b5-0242ac110005, image={uid=849c6d2a-5be7-11ee-a411-0242ac110005, 
name=capabilities huge hometown, labels=[mumbai]}, name=yahoo plains basically, hash={value=FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1, algorithm_id=6, algorithm=TLSH}}, uid=849c61f4-5be7-11ee-8006-0242ac110005, created_time=1695676041544, file={owner={uid=849c24fa-5be7-11ee-93d2-0242ac110005, email_addr=Suzan@communicate.coop, type_id=0, name=Sunny, type=Unknown}, is_system=false, product={uid=849c3e4a-5be7-11ee-80be-0242ac110005, name=pci invasion producers, vendor_name=australian payments crm, lang=en, version=1.0.0}, creator={uid=849c4b2e-5be7-11ee-9c0b-0242ac110005, org={ou_uid=849c5470-5be7-11ee-b89d-0242ac110005, uid=849c5060-5be7-11ee-b740-0242ac110005, name=reproductive balloon stanley, ou_name=pick rear governance}, type_id=99, domain=glass outlet lopez, groups=[{uid=849c5ae2-5be7-11ee-97a7-0242ac110005, name=suspected contributor counting, type=vacations wines biological}], type=selected}, signature={certificate={created_time=1695676041548, subject=microwave marriott okay, expiration_time=1695676041514, serial_number=windsor sponsor google, version=1.0.0, issuer=foundation review shaft, fingerprints=[{value=35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=3, algorithm=ECDSA}, type_id=2, confidentiality=Top Secret, accessor={full_name=Crysta Damaris, type_id=99, name=Class, uid_alt=linux has luis, type=pie, account={type_id=8, name=cards gratis necklace, type=Apple Account}}, type=Folder, version=1.0.0, path=nintendo smilies thank/ought.vb/revolution.vcf, parent_folder=nintendo smilies thank/ought.vb, confidentiality_id=4, company_name=Mckenzie Ardith, security_descriptor=recommended approve environment, name=revolution.vcf, 
hashes=[{value=1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E, algorithm_id=7, algorithm=quickXorHash}, {value=221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4, algorithm_id=6, algorithm=TLSH}], attributes=79}, cmd_line=arrangements makes handy, namespace_pid=13, pid=20, parent_process={container={uid=849cdd28-5be7-11ee-9250-0242ac110005, image={uid=849ce32c-5be7-11ee-b7a9-0242ac110005, name=audio miracle leader}, size=1224758347, name=hospitality walker vs, hash={value=A813ED16B0B3E58FA959C0BA26A47058, algorithm_id=1, algorithm=MD5}}, lineage=[achievement courage send, expansion instructional agreements], created_time=1695676041555, session={uid=849ccebe-5be7-11ee-a1ca-0242ac110005, created_time=1695676041550, expiration_time_dt=2023-09-25T21:07:21.550638Z, is_remote=false, issuer=volunteer meetings medline}, namespace_pid=62, sandbox=distributor workshops maldives, parent_process={container={uid=849d0e7e-5be7-11ee-a8e4-0242ac110005, image={uid=849d1342-5be7-11ee-a4ca-0242ac110005, name=charges fragrances complex}, network_driver=familiar movies legitimate, size=2138922450, name=develop affiliates required, pod_uuid=legally, hash={value=6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0, algorithm_id=4, algorithm=SHA-512}}, integrity=Unknown, file={product={name=external polar galaxy, vendor_name=hack infection generator, lang=en, version=1.0.0}, modified_time=1695676041500, mime_type=silicon/limousines, type_id=2, confidentiality=venue rl epa, name=flexible.vcxproj, hashes=[{value=2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC, algorithm_id=4, algorithm=SHA-512}, {value=256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C, 
algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.551631Z, type=Folder, xattributes={}}, cmd_line=challenges prompt cumulative, namespace_pid=2, name=Airfare, parent_process={container={uid=849d3caa-5be7-11ee-9fe6-0242ac110005, image={uid=849d468c-5be7-11ee-85e3-0242ac110005, labels=[responsibility]}, orchestrator=helpful pasta matthew, size=1820268463, name=cpu mission hacker, runtime=cables vanilla amendments, hash={value=0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D, algorithm_id=99, algorithm=magic}}, uid=849d308e-5be7-11ee-a5ad-0242ac110005, file={uid=849d2170-5be7-11ee-a637-0242ac110005, mime_type=will/executed, type_id=4, name=uzbekistan.jar, hashes=[{value=8A25185F3C5523EF3B08C1ECDD83016224863C95, algorithm_id=2, algorithm=SHA-1}, {value=6B9ED75DAE7A1E692073FC400B558EA4, algorithm_id=1, algorithm=MD5}], attributes=44, type=Block Device, xattributes={}}, cmd_line=reporter techno regarded, namespace_pid=84, name=Eternal, pid=76, parent_process={container={uid=849d7cce-5be7-11ee-80f3-0242ac110005, image={uid=849d83f4-5be7-11ee-8f40-0242ac110005, name=curtis burns park, labels=[fix]}, network_driver=surely assistance actively, size=1668291787, pod_uuid=gardening, hash={value=308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C, algorithm_id=0, algorithm=Unknown}}, uid=849d64dc-5be7-11ee-b02a-0242ac110005, created_time=1695676041553, integrity=System, file={created_time=1695676041554, type_id=0, confidentiality=Top Secret, type=Unknown, xattributes={}, path=slideshow configurations lens/nations.flv/titanium.avi, parent_folder=slideshow configurations lens/nations.flv, confidentiality_id=4, company_name=Frederica Hertha, name=titanium.avi, hashes=[{value=5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F, algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.554150Z, desc=closed hydraulic connecting}, name=Music, 
pid=28, parent_process={container={uid=849e031a-5be7-11ee-b55b-0242ac110005, image={path=hairy pixel time, uid=849e0ebe-5be7-11ee-8341-0242ac110005, name=bubble architects vancouver}, size=220440282, name=insight style ca, runtime=williams ng xhtml, hash={value=8876489CE00D6D9FDF61ED1C773F047E, algorithm_id=1, algorithm=MD5}}, lineage=[bk destinations est, whose playback congressional], created_time=1695676041558, file={path=venezuela flyer seller/os.kml/opening.vob, parent_folder=venezuela flyer seller/os.kml, modified_time=1695676041557, type_id=5, modifier={uid=849d94de-5be7-11ee-b30d-0242ac110005, full_name=Katheryn Kena, type_id=1, name=Infected, type=User}, security_descriptor=graham occupations become, name=opening.vob, accessor={uid=849da17c-5be7-11ee-9d3a-0242ac110005, type_id=99, name=Mine, type=fcc, account={uid=849dabd6-5be7-11ee-ba6a-0242ac110005, name=hourly toll disappointed}, credential_uid=849db838-5be7-11ee-8a18-0242ac110005}, hashes=[{value=599DCCE2998A6B40B1E38E8C6006CB0A, algorithm_id=1, algorithm=MD5}, {value=E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4, algorithm_id=6, algorithm=TLSH}], type=Local Socket}, cmd_line=pursuant proceed discussed, namespace_pid=54, name=Surprise, sandbox=final corporations performances, pid=50, parent_process={container={uid=849e509a-5be7-11ee-ad75-0242ac110005, image={uid=849e6972-5be7-11ee-b803-0242ac110005, name=committed plastic does}, network_driver=conduct linking lb, size=2559819198, name=priority mirrors although, runtime=rock relation block}, lineage=[desktop lakes moscow, barrel touch increasing], created_time=1695676041434, file={path=disc dividend incentives/crucial.wps/filled.mdb, product={path=costumes somewhat qui, uid=849e3088-5be7-11ee-8510-0242ac110005, name=michigan slight torture, vendor_name=franchise portland experiment, lang=en, version=1.0.0}, parent_folder=disc dividend incentives/crucial.wps, 
modified_time=1695676041563, size=2881440001, signature={certificate={created_time=1695676041558, subject=infectious replication lock, expiration_time=1695676041554, serial_number=durham graham course, version=1.0.0, issuer=worker attended mel, fingerprints=[{value=372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F, algorithm_id=99, algorithm=magic}]}, algorithm_id=0, algorithm=Unknown}, type_id=3, modifier={uid=849e2a2a-5be7-11ee-82b2-0242ac110005, type_id=0, domain=informational advisory mg, name=Constraints, type=Unknown}, name=filled.mdb, accessor={uid=849e39a2-5be7-11ee-b3b8-0242ac110005, full_name=Lorna Francisco, type_id=0, name=Intl, type=Unknown}, hashes=[{value=9471ED19416B8099E51855CB0EF61AE3, algorithm_id=1, algorithm=MD5}], type=Character Device}, cmd_line=peer rail specialist, namespace_pid=13, name=Courage, pid=5, parent_process={container={uid=849f0878-5be7-11ee-b335-0242ac110005, image={uid=849f1dc2-5be7-11ee-b432-0242ac110005, name=belfast interests activation}, size=903476370, name=missed foreign palmer, hash={value=7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1, algorithm_id=2, algorithm=SHA-1}}, uid=849f00ee-5be7-11ee-954b-0242ac110005, created_time=1695676041565, file={owner={uid=849e86dc-5be7-11ee-9b00-0242ac110005, org={ou_uid=849e9852-5be7-11ee-9c6a-0242ac110005, uid=849e8ff6-5be7-11ee-be3f-0242ac110005, name=syndication joseph realized, ou_name=advertise scored usr}, type_id=3, type=System}, path=patch attempting mf/nashville.dxf/metabolism.gadget, creator={uid=849edfe2-5be7-11ee-97f0-0242ac110005, email_addr=Myrta@of.cat, type_id=0, type=Unknown, account={uid=849ef310-5be7-11ee-b8e1-0242ac110005, type_id=5, name=workers observer lonely, type=GCP Account}}, parent_folder=patch attempting mf/nashville.dxf, accessed_time_dt=2023-09-25T21:07:21.564734Z, signature={certificate={created_time=1695676041504, subject=signals book follow, expiration_time=1695676041569, serial_number=termination vi limitation, version=1.0.0, issuer=database 
verse prince, fingerprints=[{value=6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98, algorithm_id=7, algorithm=quickXorHash}, {value=80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=3, algorithm=ECDSA}, type_id=3, name=metabolism.gadget, hashes=[{value=5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10, algorithm_id=6, algorithm=TLSH}, {value=C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B, algorithm_id=5, algorithm=CTPH}], type=Character Device}, cmd_line=institutes yes inputs, namespace_pid=44, name=Harley, created_time_dt=2023-09-25T21:07:21.565824Z, pid=38, user={full_name=Lyndsay Ricky, type_id=2, name=Referenced, type=Admin}, xattributes={}, terminated_time=1695676041566}, user={uid=849e4a46-5be7-11ee-bc81-0242ac110005, type_id=2, name=Motorcycle, type=Admin}}, user={uid=849debb4-5be7-11ee-bfac-0242ac110005, type_id=1, name=Simulations, type=User, account={uid=849df820-5be7-11ee-82f1-0242ac110005, type_id=2, type=Windows Account}, credential_uid=849dfc62-5be7-11ee-a9bc-0242ac110005}}, user={uid=849d60a4-5be7-11ee-98cb-0242ac110005, type_id=99, name=Be, type=types}, integrity_id=5}, user={uid=849d2c24-5be7-11ee-953d-0242ac110005, email_addr=Josefina@holders.museum, type_id=99, name=Manager, type=legs}, xattributes={}}, user={uid=849cfe70-5be7-11ee-b38b-0242ac110005, type_id=0, name=Track, type=Unknown, account={uid=849d0500-5be7-11ee-97bd-0242ac110005, type_id=3, name=strict manufactured invest, type=AWS IAM User}, credential_uid=849d08ca-5be7-11ee-bfe2-0242ac110005}, integrity_id=0}, uid=849cc522-5be7-11ee-aa87-0242ac110005, file={path=blend roommates closed/died.docx/world.jpg, is_system=true, 
parent_folder=blend roommates closed/died.docx, confidentiality_id=0, mime_type=engineer/habitat, type_id=4, modifier={uid=849c8878-5be7-11ee-98bd-0242ac110005, email_addr=Deloise@agreed.arpa, type_id=3, domain=ln resolved couple, name=Heritage, type=System}, confidentiality=Unknown, name=world.jpg, hashes=[{value=3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB, algorithm_id=3, algorithm=SHA-256}, {value=31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975, algorithm_id=6, algorithm=TLSH}], type=Block Device}, cmd_line=well absent shoe, name=Tell, loaded_modules=[/rev/amazon/casino/june/fails.bin, /credit/potential/lawsuit/clause/nine.bmp], user={uid=849ca4ca-5be7-11ee-b39c-0242ac110005, org={uid=849cb208-5be7-11ee-a4a6-0242ac110005, name=top riverside asthma, ou_name=stats dans soviet}, type_id=2, domain=our installing clinical, name=Weather, type=Admin, credential_uid=849cc0f4-5be7-11ee-9c36-0242ac110005}}}, xattributes={}, terminated_time_dt=2023-09-25T21:07:21.565891Z, integrity=High, file={path=suit who pics/arrange.torrent/moral.kmz, created_time=1695676041545, is_system=false, parent_folder=suit who pics/arrange.torrent, type_id=5, name=moral.kmz, accessor={uid=849bf00c-5be7-11ee-a0de-0242ac110005, type_id=0, domain=operates collectables presentations, name=Qualities, uid_alt=welsh constraints elimination, type=Unknown}, hashes=[{value=BADBDA50632954800C02D40EB49D1BEF8E5A883D, algorithm_id=2, algorithm=SHA-1}, {value=22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606, algorithm_id=7, algorithm=quickXorHash}], accessed_time=1695676044937, type=Local Socket}, cmd_line=remain weird municipal, name=Restore, created_time_dt=2023-09-25T21:07:21.565886Z, integrity_id=4}, tid=86, terminated_time_dt=2023-09-25T21:07:21.565908Z, terminated_time=1695676041561, uid=849bcfb4-5be7-11ee-b896-0242ac110005, 
integrity=written, file={is_system=true, product={uid=849b866c-5be7-11ee-a7ff-0242ac110005, feature={uid=849b9742-5be7-11ee-9904-0242ac110005, name=seminar automatic gui, version=1.0.0}, name=nights validity updated, vendor_name=favorite album ncaa, lang=en, version=1.0.0, url_string=however}, creator={full_name=Otelia Kori, org={uid=849bad9a-5be7-11ee-9fa0-0242ac110005, name=timing process palestinian, ou_name=step mouth drunk}, type_id=1, domain=neural fig colin, name=Tap, type=User}, signature={certificate={created_time=1695676041542, subject=annually ic quest, expiration_time=1695676041577, serial_number=distributed characters bin, version=1.0.0, issuer=cooperation worldcat southwest, fingerprints=[{value=A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9, algorithm_id=0, algorithm=Unknown}]}, created_time_dt=2023-09-25T21:07:21.542032Z, algorithm_id=0, algorithm=Unknown}, type_id=0, accessor={uid=849ba016-5be7-11ee-8738-0242ac110005, email_addr=Stormy@postcard.mobi, type_id=99, name=Xhtml, type=disabilities}, type=Unknown, path=designing designed kim/butts.crx/sunday.crdownload, parent_folder=designing designed kim/butts.crx, modified_time=1695676041546, size=1384349588, mime_type=talked/wishlist, name=sunday.crdownload, hashes=[{value=A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9, algorithm_id=6, algorithm=TLSH}]}, cmd_line=treatments proceeding assumed, name=Foundation, created_time_dt=2023-09-25T21:07:21.565904Z, loaded_modules=[/aims/hammer/duke/implementation/roland.jar, /illustration/reads/adaptation/ppc/footage.cab], user={uid=849bb81c-5be7-11ee-bbec-0242ac110005, email_addr=Reba@contemporary.mobi, type_id=0, name=Certain, groups=[{uid=849bbdee-5be7-11ee-95a2-0242ac110005, name=penn laundry woods, type=powerpoint jump hospitality, desc=twenty protection innovative}, 
{uid=849bc780-5be7-11ee-9955-0242ac110005}], uid_alt=technical critics nationally, type=Unknown}, integrity_id=99}, user={uid=849b6916-5be7-11ee-a01e-0242ac110005, email_addr=Yelena@communities.nato, type_id=1, domain=lexmark refers dylan, name=Particles, type=User}, terminated_time=1695676041567}, user={uid=849abe76-5be7-11ee-a5a1-0242ac110005, full_name=Paul Julian, org={uid=849accae-5be7-11ee-af7b-0242ac110005, name=nyc kidney drawings}, type_id=2, domain=statistical poland gregory, name=Alliance, groups=[{uid=849ad5fa-5be7-11ee-a0e9-0242ac110005, privileges=[flashing aol autumn], name=accessed thanks instructions, desc=luggage species belkin}, {uid=849ada50-5be7-11ee-824e-0242ac110005, privileges=[sodium believed housing, incorporated jungle asian], name=cognitive times agent}], type=Admin}}, user={uid=849a900e-5be7-11ee-9894-0242ac110005, full_name=Marisela Towanda, email_addr=Wava@promises.info, type_id=3, name=Round, type=System, account={uid=849a9702-5be7-11ee-9f5d-0242ac110005, type_id=1, name=fragrances bulk specialty, type=LDAP Account}, credential_uid=849a9afe-5be7-11ee-b27a-0242ac110005}}, user={uid=849a52ce-5be7-11ee-a468-0242ac110005, full_name=Elisa Cleora, type_id=99, name=Sisters, type=rebound}, xattributes={}}, terminated_time=1695676041562, uid=849a1af2-5be7-11ee-82a9-0242ac110005, file={owner={type_id=1, name=Welcome, type=User, account={uid=8499eb2c-5be7-11ee-86b7-0242ac110005, type_id=7, name=discs outlets general, type=Mac OS Account}}, path=ralph tales librarian/simpsons.psd/premises.sln, creator={uid=8499f1ee-5be7-11ee-a02c-0242ac110005, type_id=3, domain=coupons dropped pantyhose, name=Booking, type=System}, parent_folder=ralph tales librarian/simpsons.psd, type_id=99, name=premises.sln, hashes=[{value=F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.531893Z, type=ships}, cmd_line=text ana 
range, name=Devices, user={uid=849a06c0-5be7-11ee-acfe-0242ac110005, org={name=velvet days pubs, ou_name=brake craps campaign}, type_id=0, name=Immediate, groups=[{uid=849a1124-5be7-11ee-9a8e-0242ac110005, privileges=[independent vegetables assisted, refinance lee seating]}, {uid=849a1674-5be7-11ee-aa3b-0242ac110005, name=div violence strange}], type=Unknown}}, user={uid=8499b5da-5be7-11ee-b276-0242ac110005, type_id=99, name=Apartments, uid_alt=serving turbo spy, type=ad}}, user={uid=84995d06-5be7-11ee-8223-0242ac110005, org={uid=849963aa-5be7-11ee-b57a-0242ac110005, name=dryer asn trying, ou_name=wr r gibraltar}, type_id=2, name=Fantastic, type=Admin}, terminated_time=1695676041561}, user={uid=84993312-5be7-11ee-b956-0242ac110005, email_addr=Renita@pete.cat, type_id=0, name=Rice, type=Unknown}, xattributes={}}, user={uid=8498cd14-5be7-11ee-94d7-0242ac110005, type_id=99, name=Hour, uid_alt=organizations guild beds, type=insert}}, user={uid=84988e80-5be7-11ee-bf3c-0242ac110005, full_name=Karoline Meggan, email_addr=Elza@girls.mil, type_id=2, name=Provided, type=Admin}, terminated_time=1695676041566}, user={uid=84984db2-5be7-11ee-ba4e-0242ac110005, type_id=1, domain=sao uri flesh, name=Knows, type=User}, xattributes={}}, xattributes={}, terminated_time=1695676041564, uid=849823d2-5be7-11ee-92d1-0242ac110005, integrity=they thermal eau, file={path=wives pamela karl/articles.c/dame.svg, parent_folder=wives pamela karl/articles.c, type_id=1, modifier={uid=8497f38a-5be7-11ee-97c6-0242ac110005, type_id=0, name=Complete, groups=[{uid=8497fde4-5be7-11ee-9733-0242ac110005, name=winds seeking reply}, {uid=8498099c-5be7-11ee-ac6f-0242ac110005, name=hamburg roommate environment}], type=Unknown}, security_descriptor=robinson queens graduate, name=dame.svg, hashes=[{value=E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC, algorithm_id=99, algorithm=magic}, 
{value=AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.519646Z, type=Regular File}, cmd_line=harder interventions pb, name=Bid, user={uid=84981f68-5be7-11ee-b652-0242ac110005, type_id=0, name=Shipment, uid_alt=singh dim static, type=Unknown}}", + "parent_process_keyword": "{container={uid=849829cc-5be7-11ee-bb7a-0242ac110005, size=2387392206, name=kg sources houses, pod_uuid=kiss, runtime=kate through furniture, hash={value=6A9A10210588981DD8FAA6BE10E39F2C65E816FEFE4768884F7B0BB0A10CD9D6, algorithm_id=3, algorithm=SHA-256}}, lineage=[attraction cord adjustment, announcements summer introduce], created_time=1695676041517, namespace_pid=49, sandbox=species tourism system, pid=26, parent_process={container={uid=84985df2-5be7-11ee-be06-0242ac110005, size=3179758248, name=hunt indicating radiation, tag=reader prevention as, hash={value=666334EB7A1E55E189435FFF3F0CA7266F484FB44970AAFF3E72546D8B04B02ABB1A66B209CAFD44267701CA1392DF35B8EC3EECE0DC492D093880F2E4FF352C, algorithm_id=6, algorithm=TLSH}}, uid=8498530c-5be7-11ee-86f3-0242ac110005, created_time=1695676041527, file={path=conflicts disability citysearch/ieee.dtd/seq.wpd, created_time=1695676041520, parent_folder=conflicts disability citysearch/ieee.dtd, confidentiality_id=0, type_id=3, modifier={uid=84984362-5be7-11ee-af2c-0242ac110005, type_id=2, name=Officer, type=Admin}, confidentiality=Unknown, name=seq.wpd, hashes=[{value=7D875B5EB312ADEF7D530DD6E43468170B094A5F54CA1AC26E7788A81A01238428E62D581423E70B05DA11F15513291EB10776B4E14DE1844072ACDF11BBDFD1, algorithm_id=5, algorithm=CTPH}, {value=1100511F3469E3CDE7D081EC6E78154C8476D546F615EEEB37C4CDFBD41740440FC77660EE3A4B9C67DE81C63172A49F835656F85ED5E36A65A2A25E2A733358, algorithm_id=6, algorithm=TLSH}], type=Character Device}, cmd_line=creation defense carolina, namespace_pid=46, name=Jamie, pid=28, 
parent_process={container={uid=84989948-5be7-11ee-b4fb-0242ac110005, image={path=empirical precipitation builder, uid=84989f42-5be7-11ee-8820-0242ac110005, name=extending construction inkjet, labels=[golf, nov]}, size=2099983603, name=thongs routine an, hash={value=E7EFDA40B1C94805070CD9BF9638AE27, algorithm_id=1, algorithm=MD5}}, uid=84989376-5be7-11ee-9216-0242ac110005, created_time=1695676041523, integrity=conspiracy unions allocated, file={uid=84987ae4-5be7-11ee-b247-0242ac110005, created_time=1695676042262, size=3504413585, signature={certificate={created_time=1695676041522, subject=shades bad tradition, expiration_time=1695676041526, created_time_dt=2023-09-25T21:07:21.521904Z, serial_number=files the parish, issuer=previous price thing, fingerprints=[{value=8E4DE5CC0D59311697B0D4061FDBFB4CB99E38121EA17CF740789A0CBC85B56703E1341C940E7A2220C02211CC84447A19061569BE42AC4A2C03010FB6CB1A75, algorithm_id=4, algorithm=SHA-512}, {value=205D64FF9B580AADBF4829EC41DD4EF0, algorithm_id=1, algorithm=MD5}]}, algorithm_id=2, algorithm=RSA}, type_id=6, name=startup.3dm, hashes=[{value=60F202A3BE4EF214E24EA9D3555D194C, algorithm_id=1, algorithm=MD5}, {value=B0B2D200728B0DACE6CB6829F90EE31A9AD123FF1982012B003249D4F2C5351924E6DBBD1242EE722D4C5A0B80C983DC7B94DDD594FCFCEF4E63552956E2B26A, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.522441Z, type=Named Pipe, version=1.0.0}, cmd_line=plan agents converter, name=Arbor, sandbox=keeps pour rent, pid=20, parent_process={container={uid=8498da2a-5be7-11ee-9d00-0242ac110005, image={uid=8498df20-5be7-11ee-8257-0242ac110005, name=version treating tall}, size=2697694450, name=warrior document workflow, pod_uuid=sas, hash={value=F4001D4FD76B73412DB0EFD2C66F0AB3C27D9FE9BD375B1659A1DDDA68C17DC1C0F5402A6AE571DC073E94F1B720821E4208595D5BB4B13D917A12CE3DA53C1E, algorithm_id=6, algorithm=TLSH}}, uid=8498d430-5be7-11ee-b1bf-0242ac110005, created_time=1695676041523, integrity=aviation blame tion, file={path=roger economy 
macro/mesh.gadget/considerations.jar, created_time=1695676041524, parent_folder=roger economy macro/mesh.gadget, mime_type=star/flyer, type_id=5, name=considerations.jar, accessor={uid=8498c030-5be7-11ee-80d9-0242ac110005, full_name=Twyla Cherise, email_addr=Shin@cause.mobi, type_id=2, name=Wildlife, uid_alt=excellent far varied, type=Admin}, hashes=[{value=707CF5E50A11D69874235DED9A045B6AB42439F7495DED03049CB7E997949E8B014295A25059CD1A9F06BFE9E4101ED176615E69D43FE199E849DEC0BC4AEB4D, algorithm_id=5, algorithm=CTPH}, {value=6F487B974BDB9DBDF014F50502D9F70BC2630E6C974E4C6E6AA2EB3BEC95A3BDCA7AE609DA34179E0677F042734A767ADA4F6CA04788916644262CDC60BC2FB2, algorithm_id=5, algorithm=CTPH}], type=Local Socket}, cmd_line=sixth pc peoples, namespace_pid=76, name=Processes, pid=49, parent_process={container={uid=84993ce0-5be7-11ee-8a18-0242ac110005, image={uid=849944f6-5be7-11ee-bc62-0242ac110005, tag=vocal trim jon}, size=2257875576, name=acquired minority slip}, uid=8499377c-5be7-11ee-9164-0242ac110005, file={owner={uid=849901e4-5be7-11ee-bfe1-0242ac110005, full_name=Blythe Jamie, type_id=99, name=Enquiry, type=minneapolis}, is_system=false, signature={certificate={created_time=1695676041526, subject=strap liz boulder, expiration_time=1695676045872, serial_number=approaches symbol assembly, version=1.0.0, issuer=everybody brunei disciplinary, fingerprints=[{value=9E41EB47ABD226D92CFE27DBDA0C924C190A1B0C0136B09923B419089B013DF14CB58C38F651F710540E348BF800DFE364197904B11FFFAD98BB2B10006B28E2, algorithm_id=5, algorithm=CTPH}, {value=3DE877DDFB06DB510E63893D98DDAC9524696C14, algorithm_id=2, algorithm=SHA-1}]}, created_time_dt=2023-09-25T21:07:21.526203Z, developer_uid=84991526-5be7-11ee-a2ca-0242ac110005, algorithm_id=3, algorithm=ECDSA}, type_id=99, confidentiality=suburban ati mostly, modified_time_dt=2023-09-25T21:07:21.526727Z, type=charged, path=const foreign pressed/among.ged/pic.vcd, uid=84992264-5be7-11ee-8071-0242ac110005, parent_folder=const foreign 
pressed/among.ged, name=pic.vcd, hashes=[{value=00EF9DADDE482AF5432B0BFC5F69023736D4A0ECD59F74884C4B8AD83D21429B78023351C5DBD07407EAB2BFA527A0586016DE3C92F37913920E221F7D452802, algorithm_id=0, algorithm=Unknown}], created_time_dt=2023-09-25T21:07:21.526737Z, accessed_time=1695676041556}, namespace_pid=29, name=Job, pid=86, parent_process={container={uid=84996db4-5be7-11ee-bada-0242ac110005, image={uid=849984fc-5be7-11ee-af4c-0242ac110005, name=adipex into polo}, size=797071549, name=deutschland pic newcastle, hash={value=82B5F7770097973F2962C241C557369EC2D38E9A1BDA03176B9CA511F1CA56CF, algorithm_id=3, algorithm=SHA-256}}, lineage=[familiar privilege canvas], uid=84996800-5be7-11ee-8754-0242ac110005, created_time=1695676041528, file={path=architectural pink phil/overview.dtd/tuner.pdb, parent_folder=architectural pink phil/overview.dtd, type_id=6, name=tuner.pdb, hashes=[{value=44CA9EA761C2131C73960AD47472741B13D305EE2D07FE91E8F1B47F4F062B8A16DD3611E4439E4C163A7CF42F1AE5989CF9683117DB801FD1BC222A16618E19, algorithm_id=7, algorithm=quickXorHash}, {value=C25DDA249CDECE9D908CC33ADCD16AA05E20290F, algorithm_id=2, algorithm=SHA-1}], type=Named Pipe, version=1.0.0, xattributes={}}, cmd_line=brush bouquet alto, namespace_pid=23, pid=67, parent_process={container={uid=8499d164-5be7-11ee-a7e8-0242ac110005, image={uid=8499d704-5be7-11ee-b617-0242ac110005, name=robert through mailing, tag=struggle gerald weather}, network_driver=catch sun general, orchestrator=sf varieties queries, size=1048383191, name=france sg charger, tag=deserve focused select, hash={value=6B2A589B76A482CD379A7FF8AF13EE0F9ABF937DE60010068FEC808F5B6B22521C2A28C7F48BC5C2EDC81EAE5E5812D95F5E0F3DF5685571E5DB36B146DB82EC, algorithm_id=6, algorithm=TLSH}}, uid=8499bc88-5be7-11ee-b028-0242ac110005, created_time=1695676041539, integrity=faculty hardcover generated, file={owner={uid=84999e10-5be7-11ee-914b-0242ac110005, email_addr=Pamelia@directed.com, type_id=1, name=Friend, type=User}, path=fish largest 
alberta/solutions.deskthemepack/spirit.max, parent_folder=fish largest alberta/solutions.deskthemepack, type_id=1, name=spirit.max, hashes=[{value=718C92FD5ECC9B483CA9A76E309BD60F7DAD6035254FAD5EA9430568F36EB16D5532657DE90C3B3B41896C8A9B601BF1E1083D5BB299127118B535C347D13549, algorithm_id=5, algorithm=CTPH}, {value=D13D53927A745D27511C298846343093D7E92D919905B6C22ABBF727AD18EF7E3B3850949F8CC772390749C8644B5CF6F8618FEF524E9589DB73F57FE128AA88, algorithm_id=0, algorithm=Unknown}], attributes=83, type=Regular File, version=1.0.0, desc=escape steady bow}, cmd_line=in blowing memorial, session={uid=8499ca0c-5be7-11ee-aae9-0242ac110005, created_time=1695676041534, expiration_time=1695676041542, is_remote=true}, namespace_pid=79, name=Cialis, pid=21, parent_process={container={uid=849a2420-5be7-11ee-94c5-0242ac110005, image={uid=849a32bc-5be7-11ee-86bb-0242ac110005, name=layers branch lucas, tag=nations chances trips}, size=1512724327, name=own drawing acute, hash={value=79F7EED760813BF63DC0EE7F986F1CC6345DD170AB03CA1350684CB8720E3C67F9FCE3B075A22266EB0C66A1CDA2D3BD540E777D9A294433377B83DB6DE3D6DB, algorithm_id=6, algorithm=TLSH}}, lineage=[guru hosted bradley], created_time=1695676041533, namespace_pid=39, sandbox=moon exercise starring, pid=90, parent_process={container={uid=849a646c-5be7-11ee-90ce-0242ac110005, image={uid=849a6a66-5be7-11ee-95e4-0242ac110005, name=evaluating apartments disaster}, size=3702557326, name=apartment drunk amateur, hash={value=12FC9239ABF2C07159EBC92013171DA43175589170BD05B55220534634A9D1FEFC88B117A95FCE4FE3C5A5FEDB9DC4EB3F700C0386931C889F815E86BCD4B509, algorithm_id=0, algorithm=Unknown}}, uid=849a5d78-5be7-11ee-ac24-0242ac110005, created_time=1695676041535, file={is_system=false, confidentiality_id=2, type_id=5, confidentiality=Confidential, name=hunt.ppt, hashes=[{value=6FD1E1613C3918067E01585E32D4AA461C485DF01C56BD5A294FD82B353B5EC64A7EBAED614D28451E3AECB3ACA75900593A20D8AE7F7A1E2CF9DD4F0496B9C4, algorithm_id=7, algorithm=quickXorHash}, 
{value=B66E94D9133A6E41392C5AFCBF3F6EEB29E45C041350255AEE34ADD6C4E6BD15FF9060177954793B5D078A8802B4B1ADDD73BECACB7D5827D9A1CB9F96D5E153, algorithm_id=7, algorithm=quickXorHash}], attributes=22, modified_time_dt=2023-09-25T21:07:21.533963Z, type=Local Socket}, cmd_line=merchandise initiatives accessibility, namespace_pid=29, name=Bags, parent_process={container={uid=849aa490-5be7-11ee-bb98-0242ac110005, image={uid=849aaa9e-5be7-11ee-a47a-0242ac110005, name=evanescence plans courts, tag=buy archives predict}, name=distant modeling monaco, runtime=peace up sailing, hash={value=383B6630E8241D34D54BFD689DECC0CAB88770D935667989A3A1DE8397F5520F, algorithm_id=3, algorithm=SHA-256}}, lineage=[lanka manufacture bra, gibson implementation pope], uid=849a9ed2-5be7-11ee-ae61-0242ac110005, created_time=1695676041539, integrity=bookings qc dictionaries, file={owner={uid=849a7ac4-5be7-11ee-a06d-0242ac110005, type_id=99, name=Asia, type=meetup}, path=interactions malta thoughts/laden.pdf/hardware.wma, parent_folder=interactions malta thoughts/laden.pdf, signature={digest={value=3188206324B062751CE36D4251C19C94, algorithm_id=1, algorithm=MD5}, algorithm_id=4, algorithm=Authenticode}, type_id=0, name=hardware.wma, hashes=[{value=6BD48B1E57856137037BFEE4DEC8D57F, algorithm_id=1, algorithm=MD5}], attributes=35, type=Unknown}, cmd_line=recordings countries slides, namespace_pid=6, name=Sen, pid=13, parent_process={container={uid=849aff08-5be7-11ee-80bd-0242ac110005, image={uid=849b1f7e-5be7-11ee-bb9d-0242ac110005, name=cross tray influenced, tag=afternoon counseling governance}, network_driver=slovakia friend username, size=191473515, name=author channel disappointed, hash={value=B7F1BFFEB47BCFB30F891852F769572A9816784BF4A4073805850F9F969A5335CFC878CACC9E0F8A71B547F60832FE712A59A7DD7DBD6E94BB9D155309EB3581, algorithm_id=7, algorithm=quickXorHash}}, uid=849adea6-5be7-11ee-aa53-0242ac110005, created_time=1695676041539, file={path=jeff puts assignments/thing.msi/removal.obj, 
parent_folder=jeff puts assignments/thing.msi, type_id=6, security_descriptor=bureau myspace barrel, name=removal.obj, hashes=[{value=CE850E16E049A60B4B8F465DC00ADBFB7207CC76FD94F5EBC335F637B8052B77, algorithm_id=99, algorithm=magic}], accessed_time=1695676041534, type=Named Pipe}, cmd_line=amount anywhere suffered, namespace_pid=49, name=Impacts, sandbox=romance volunteer entrepreneurs, pid=86, parent_process={lineage=[qualify insight reproduce, placing download tomato], uid=849b6dee-5be7-11ee-84f0-0242ac110005, created_time=1695676041593, file={path=let dawn representing/surrounding.dwg/human.pdb, product={uid=849b3fd6-5be7-11ee-83d2-0242ac110005, feature={uid=849b46a2-5be7-11ee-824d-0242ac110005, name=metric th alt, version=1.0.0}, name=heavy payroll timothy, vendor_name=rv brother vaccine, version=1.0.0}, parent_folder=let dawn representing/surrounding.dwg, modified_time=1695676041541, type_id=7, name=human.pdb, accessor={uid=849b52b4-5be7-11ee-863c-0242ac110005, type_id=3, name=Dragon, type=System, credential_uid=849b5b88-5be7-11ee-af7a-0242ac110005}, hashes=[{value=AABE45CE23939AE53AA3AF15C6123A6ED98FC106E4C7491B89A814D8EB040F3B9D5842B5A215D1D27ED1B4DC8DD3D3F0D50197DD105E37461661D98A23E0917C, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.541195Z, attributes=78, modified_time_dt=2023-09-25T21:07:21.541163Z, type=Symbolic Link}, cmd_line=techno now vid, namespace_pid=91, name=Sampling, sandbox=compounds s time, pid=71, parent_process={lineage=[tenant surveillance nature, securities joining bite], created_time=1695676041548, session={uid=849bd89c-5be7-11ee-bbae-0242ac110005, created_time=1695676041544, is_remote=true, issuer=mind file superior}, sandbox=facial gossip lopez, pid=41, parent_process={container={uid=849c059c-5be7-11ee-b620-0242ac110005, image={uid=849c105a-5be7-11ee-8337-0242ac110005, name=titten live cvs}, size=2006500672, name=anthony serial medline, 
hash={value=53CB2A3DF41EA583C9DAD815CC228E623D600CA69DD3B138EBA03828A95C399AC2319E8C246FAF2EB345362B0931618009C8A5FF4C8E100C7B414107D51F849D, algorithm_id=6, algorithm=TLSH}}, created_time=1695676041542, namespace_pid=8, sandbox=upload stages deutsch, pid=74, parent_process={container={uid=849c6776-5be7-11ee-94b5-0242ac110005, image={uid=849c6d2a-5be7-11ee-a411-0242ac110005, name=capabilities huge hometown, labels=[mumbai]}, name=yahoo plains basically, hash={value=FC25F43E993A1FB725021E78097481FDD1FECA2EC91BF14AE34067FC31DBCD1005D4B0AFC4F050872672CC3EAB72236EADE80DFF4CCBB844F8ED0489F697D2F1, algorithm_id=6, algorithm=TLSH}}, uid=849c61f4-5be7-11ee-8006-0242ac110005, created_time=1695676041544, file={owner={uid=849c24fa-5be7-11ee-93d2-0242ac110005, email_addr=Suzan@communicate.coop, type_id=0, name=Sunny, type=Unknown}, is_system=false, product={uid=849c3e4a-5be7-11ee-80be-0242ac110005, name=pci invasion producers, vendor_name=australian payments crm, lang=en, version=1.0.0}, creator={uid=849c4b2e-5be7-11ee-9c0b-0242ac110005, org={ou_uid=849c5470-5be7-11ee-b89d-0242ac110005, uid=849c5060-5be7-11ee-b740-0242ac110005, name=reproductive balloon stanley, ou_name=pick rear governance}, type_id=99, domain=glass outlet lopez, groups=[{uid=849c5ae2-5be7-11ee-97a7-0242ac110005, name=suspected contributor counting, type=vacations wines biological}], type=selected}, signature={certificate={created_time=1695676041548, subject=microwave marriott okay, expiration_time=1695676041514, serial_number=windsor sponsor google, version=1.0.0, issuer=foundation review shaft, fingerprints=[{value=35C90137B6BD19F8D464173B9904DBFA60D62BFF8BCBCF99235987ACC2D4840DBA02F991522C533C211C54B3A1016A0A76AF0578E30D0190414926A1EA56FEB7, algorithm_id=6, algorithm=TLSH}]}, algorithm_id=3, algorithm=ECDSA}, type_id=2, confidentiality=Top Secret, accessor={full_name=Crysta Damaris, type_id=99, name=Class, uid_alt=linux has luis, type=pie, account={type_id=8, name=cards gratis necklace, type=Apple 
Account}}, type=Folder, version=1.0.0, path=nintendo smilies thank/ought.vb/revolution.vcf, parent_folder=nintendo smilies thank/ought.vb, confidentiality_id=4, company_name=Mckenzie Ardith, security_descriptor=recommended approve environment, name=revolution.vcf, hashes=[{value=1B8BF6AF4C4E0F5A64ED59860F5673F5762D1E214D4B3127BAC626D3811952EAF98972460DF098DEAB2B6D4FF02723546AEBA4108F2A03A20044552141A4447E, algorithm_id=7, algorithm=quickXorHash}, {value=221C1DF278F5DBE8C04CCC89DB66A355ABA13C3F27B4E23A19D0E73C64E5E9A7951D5102BA2F416429122A6110C57ED22F7216EB73939FF0E7E4BDB574A90CC4, algorithm_id=6, algorithm=TLSH}], attributes=79}, cmd_line=arrangements makes handy, namespace_pid=13, pid=20, parent_process={container={uid=849cdd28-5be7-11ee-9250-0242ac110005, image={uid=849ce32c-5be7-11ee-b7a9-0242ac110005, name=audio miracle leader}, size=1224758347, name=hospitality walker vs, hash={value=A813ED16B0B3E58FA959C0BA26A47058, algorithm_id=1, algorithm=MD5}}, lineage=[achievement courage send, expansion instructional agreements], created_time=1695676041555, session={uid=849ccebe-5be7-11ee-a1ca-0242ac110005, created_time=1695676041550, expiration_time_dt=2023-09-25T21:07:21.550638Z, is_remote=false, issuer=volunteer meetings medline}, namespace_pid=62, sandbox=distributor workshops maldives, parent_process={container={uid=849d0e7e-5be7-11ee-a8e4-0242ac110005, image={uid=849d1342-5be7-11ee-a4ca-0242ac110005, name=charges fragrances complex}, network_driver=familiar movies legitimate, size=2138922450, name=develop affiliates required, pod_uuid=legally, hash={value=6E73C76AD0B2D03EB35088BB834D7A1949E2174F0288EAC8066F5CC920923FEC2568825E7A9B3B3B871DC2AA82AD34DAC42A8E327CAD3D3E720D2ADD7C13CAB0, algorithm_id=4, algorithm=SHA-512}}, integrity=Unknown, file={product={name=external polar galaxy, vendor_name=hack infection generator, lang=en, version=1.0.0}, modified_time=1695676041500, mime_type=silicon/limousines, type_id=2, confidentiality=venue rl epa, name=flexible.vcxproj, 
hashes=[{value=2347F66D3EE9CCBD7191F650BE1EF4F94E8B6ED61D543709A1A907FBC76BFC089577CB78BFA772DA65746573746C4AB26AF19E7A8E9DB821E3979ED04051B9BC, algorithm_id=4, algorithm=SHA-512}, {value=256D62122A8BA5E06B613EAD639B79BA7875995217AC6E2C854DBB610631D33C, algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.551631Z, type=Folder, xattributes={}}, cmd_line=challenges prompt cumulative, namespace_pid=2, name=Airfare, parent_process={container={uid=849d3caa-5be7-11ee-9fe6-0242ac110005, image={uid=849d468c-5be7-11ee-85e3-0242ac110005, labels=[responsibility]}, orchestrator=helpful pasta matthew, size=1820268463, name=cpu mission hacker, runtime=cables vanilla amendments, hash={value=0895F371F264F7E3AA4A79B16A3C6EEAABE10BBF6A7DC2B7D8DD4F14B3C6F05D, algorithm_id=99, algorithm=magic}}, uid=849d308e-5be7-11ee-a5ad-0242ac110005, file={uid=849d2170-5be7-11ee-a637-0242ac110005, mime_type=will/executed, type_id=4, name=uzbekistan.jar, hashes=[{value=8A25185F3C5523EF3B08C1ECDD83016224863C95, algorithm_id=2, algorithm=SHA-1}, {value=6B9ED75DAE7A1E692073FC400B558EA4, algorithm_id=1, algorithm=MD5}], attributes=44, type=Block Device, xattributes={}}, cmd_line=reporter techno regarded, namespace_pid=84, name=Eternal, pid=76, parent_process={container={uid=849d7cce-5be7-11ee-80f3-0242ac110005, image={uid=849d83f4-5be7-11ee-8f40-0242ac110005, name=curtis burns park, labels=[fix]}, network_driver=surely assistance actively, size=1668291787, pod_uuid=gardening, hash={value=308FD1FED7D34B9AFAB9224FF617D64E4CA9AC20FC59F1FB3B80AB2CBB1511245EC668E138B6C330D86E2B874BD66ED33E16E931B3D344A8365BE63CAB39562C, algorithm_id=0, algorithm=Unknown}}, uid=849d64dc-5be7-11ee-b02a-0242ac110005, created_time=1695676041553, integrity=System, file={created_time=1695676041554, type_id=0, confidentiality=Top Secret, type=Unknown, xattributes={}, path=slideshow configurations lens/nations.flv/titanium.avi, parent_folder=slideshow configurations lens/nations.flv, confidentiality_id=4, 
company_name=Frederica Hertha, name=titanium.avi, hashes=[{value=5C5069744142886E3127F2CCFE145C68A0B1A4DFA3BB504B858390D851E16A9F, algorithm_id=99, algorithm=magic}], created_time_dt=2023-09-25T21:07:21.554150Z, desc=closed hydraulic connecting}, name=Music, pid=28, parent_process={container={uid=849e031a-5be7-11ee-b55b-0242ac110005, image={path=hairy pixel time, uid=849e0ebe-5be7-11ee-8341-0242ac110005, name=bubble architects vancouver}, size=220440282, name=insight style ca, runtime=williams ng xhtml, hash={value=8876489CE00D6D9FDF61ED1C773F047E, algorithm_id=1, algorithm=MD5}}, lineage=[bk destinations est, whose playback congressional], created_time=1695676041558, file={path=venezuela flyer seller/os.kml/opening.vob, parent_folder=venezuela flyer seller/os.kml, modified_time=1695676041557, type_id=5, modifier={uid=849d94de-5be7-11ee-b30d-0242ac110005, full_name=Katheryn Kena, type_id=1, name=Infected, type=User}, security_descriptor=graham occupations become, name=opening.vob, accessor={uid=849da17c-5be7-11ee-9d3a-0242ac110005, type_id=99, name=Mine, type=fcc, account={uid=849dabd6-5be7-11ee-ba6a-0242ac110005, name=hourly toll disappointed}, credential_uid=849db838-5be7-11ee-8a18-0242ac110005}, hashes=[{value=599DCCE2998A6B40B1E38E8C6006CB0A, algorithm_id=1, algorithm=MD5}, {value=E3C48119D2F351FBEB28EABE137BB8D7969A9AA7CEBF71A153DA4670481EFAAB267B6B39C0EDBDDAF4DD1B9E9B5FF0B28D72E0A5FA27336A282A0FDBA4D0C9D4, algorithm_id=6, algorithm=TLSH}], type=Local Socket}, cmd_line=pursuant proceed discussed, namespace_pid=54, name=Surprise, sandbox=final corporations performances, pid=50, parent_process={container={uid=849e509a-5be7-11ee-ad75-0242ac110005, image={uid=849e6972-5be7-11ee-b803-0242ac110005, name=committed plastic does}, network_driver=conduct linking lb, size=2559819198, name=priority mirrors although, runtime=rock relation block}, lineage=[desktop lakes moscow, barrel touch increasing], created_time=1695676041434, file={path=disc dividend 
incentives/crucial.wps/filled.mdb, product={path=costumes somewhat qui, uid=849e3088-5be7-11ee-8510-0242ac110005, name=michigan slight torture, vendor_name=franchise portland experiment, lang=en, version=1.0.0}, parent_folder=disc dividend incentives/crucial.wps, modified_time=1695676041563, size=2881440001, signature={certificate={created_time=1695676041558, subject=infectious replication lock, expiration_time=1695676041554, serial_number=durham graham course, version=1.0.0, issuer=worker attended mel, fingerprints=[{value=372885B9675F31EF37D14F711A430940E777638ADCB2F77B36D079076E38606F, algorithm_id=99, algorithm=magic}]}, algorithm_id=0, algorithm=Unknown}, type_id=3, modifier={uid=849e2a2a-5be7-11ee-82b2-0242ac110005, type_id=0, domain=informational advisory mg, name=Constraints, type=Unknown}, name=filled.mdb, accessor={uid=849e39a2-5be7-11ee-b3b8-0242ac110005, full_name=Lorna Francisco, type_id=0, name=Intl, type=Unknown}, hashes=[{value=9471ED19416B8099E51855CB0EF61AE3, algorithm_id=1, algorithm=MD5}], type=Character Device}, cmd_line=peer rail specialist, namespace_pid=13, name=Courage, pid=5, parent_process={container={uid=849f0878-5be7-11ee-b335-0242ac110005, image={uid=849f1dc2-5be7-11ee-b432-0242ac110005, name=belfast interests activation}, size=903476370, name=missed foreign palmer, hash={value=7CA5C1BF6D37F1E7389DB34F7617B7101F65DED1, algorithm_id=2, algorithm=SHA-1}}, uid=849f00ee-5be7-11ee-954b-0242ac110005, created_time=1695676041565, file={owner={uid=849e86dc-5be7-11ee-9b00-0242ac110005, org={ou_uid=849e9852-5be7-11ee-9c6a-0242ac110005, uid=849e8ff6-5be7-11ee-be3f-0242ac110005, name=syndication joseph realized, ou_name=advertise scored usr}, type_id=3, type=System}, path=patch attempting mf/nashville.dxf/metabolism.gadget, creator={uid=849edfe2-5be7-11ee-97f0-0242ac110005, email_addr=Myrta@of.cat, type_id=0, type=Unknown, account={uid=849ef310-5be7-11ee-b8e1-0242ac110005, type_id=5, name=workers observer lonely, type=GCP Account}}, 
parent_folder=patch attempting mf/nashville.dxf, accessed_time_dt=2023-09-25T21:07:21.564734Z, signature={certificate={created_time=1695676041504, subject=signals book follow, expiration_time=1695676041569, serial_number=termination vi limitation, version=1.0.0, issuer=database verse prince, fingerprints=[{value=6467C5C0EA62DB25016E724973C845BA50F0BBD72AE91F11E4CB5F3884CF1852EC05AA4B971CA59B372F8DC7B8E49562276E89C888FFDE3DD41BFC2E88336E98, algorithm_id=7, algorithm=quickXorHash}, {value=80A346634E5CD09AAFC3C417ABCE0C6A156B40EBB910123FAC486DC6197D24EC4C575301A8CC06D58FBAEEAE6F40E42B6D84FDA6996E06EE2F68282EA73FDA93, algorithm_id=0, algorithm=Unknown}]}, algorithm_id=3, algorithm=ECDSA}, type_id=3, name=metabolism.gadget, hashes=[{value=5F8105C9976CE93253600A074BD373A5286734FB9650F503EF4AD611A9422D3554C34BD6C2672159C2F485A59C83965804D6F2532A8DADF2749DF74B1B089C10, algorithm_id=6, algorithm=TLSH}, {value=C1E19A5C30DB36D9FEA3088EBBCF2E05B7F2E3B108DA82565EF183591D036A615456960CA1BF3DEDAEF8450140669F4E45A239D12DE570D5B2322AEADAE0EE7B, algorithm_id=5, algorithm=CTPH}], type=Character Device}, cmd_line=institutes yes inputs, namespace_pid=44, name=Harley, created_time_dt=2023-09-25T21:07:21.565824Z, pid=38, user={full_name=Lyndsay Ricky, type_id=2, name=Referenced, type=Admin}, xattributes={}, terminated_time=1695676041566}, user={uid=849e4a46-5be7-11ee-bc81-0242ac110005, type_id=2, name=Motorcycle, type=Admin}}, user={uid=849debb4-5be7-11ee-bfac-0242ac110005, type_id=1, name=Simulations, type=User, account={uid=849df820-5be7-11ee-82f1-0242ac110005, type_id=2, type=Windows Account}, credential_uid=849dfc62-5be7-11ee-a9bc-0242ac110005}}, user={uid=849d60a4-5be7-11ee-98cb-0242ac110005, type_id=99, name=Be, type=types}, integrity_id=5}, user={uid=849d2c24-5be7-11ee-953d-0242ac110005, email_addr=Josefina@holders.museum, type_id=99, name=Manager, type=legs}, xattributes={}}, user={uid=849cfe70-5be7-11ee-b38b-0242ac110005, type_id=0, name=Track, type=Unknown, 
account={uid=849d0500-5be7-11ee-97bd-0242ac110005, type_id=3, name=strict manufactured invest, type=AWS IAM User}, credential_uid=849d08ca-5be7-11ee-bfe2-0242ac110005}, integrity_id=0}, uid=849cc522-5be7-11ee-aa87-0242ac110005, file={path=blend roommates closed/died.docx/world.jpg, is_system=true, parent_folder=blend roommates closed/died.docx, confidentiality_id=0, mime_type=engineer/habitat, type_id=4, modifier={uid=849c8878-5be7-11ee-98bd-0242ac110005, email_addr=Deloise@agreed.arpa, type_id=3, domain=ln resolved couple, name=Heritage, type=System}, confidentiality=Unknown, name=world.jpg, hashes=[{value=3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB, algorithm_id=3, algorithm=SHA-256}, {value=31588C71F04798D44E2202431AE7025AF3BC67EC8192E94F362A9B9121FB5AC23510026F8391A0A54234D8D0DB8D2DEBD112DEEF6AC598A11A194875191A4975, algorithm_id=6, algorithm=TLSH}], type=Block Device}, cmd_line=well absent shoe, name=Tell, loaded_modules=[/rev/amazon/casino/june/fails.bin, /credit/potential/lawsuit/clause/nine.bmp], user={uid=849ca4ca-5be7-11ee-b39c-0242ac110005, org={uid=849cb208-5be7-11ee-a4a6-0242ac110005, name=top riverside asthma, ou_name=stats dans soviet}, type_id=2, domain=our installing clinical, name=Weather, type=Admin, credential_uid=849cc0f4-5be7-11ee-9c36-0242ac110005}}}, xattributes={}, terminated_time_dt=2023-09-25T21:07:21.565891Z, integrity=High, file={path=suit who pics/arrange.torrent/moral.kmz, created_time=1695676041545, is_system=false, parent_folder=suit who pics/arrange.torrent, type_id=5, name=moral.kmz, accessor={uid=849bf00c-5be7-11ee-a0de-0242ac110005, type_id=0, domain=operates collectables presentations, name=Qualities, uid_alt=welsh constraints elimination, type=Unknown}, hashes=[{value=BADBDA50632954800C02D40EB49D1BEF8E5A883D, algorithm_id=2, algorithm=SHA-1}, {value=22B65F9CC3DDECE17BC92C741314C0C01D6C398B477BCFE22CCB63F4975A066119C2A3F4E9BDC342383345BCEEA9046C0573AEA278C1EBD8E1578337B1640606, algorithm_id=7, 
algorithm=quickXorHash}], accessed_time=1695676044937, type=Local Socket}, cmd_line=remain weird municipal, name=Restore, created_time_dt=2023-09-25T21:07:21.565886Z, integrity_id=4}, tid=86, terminated_time_dt=2023-09-25T21:07:21.565908Z, terminated_time=1695676041561, uid=849bcfb4-5be7-11ee-b896-0242ac110005, integrity=written, file={is_system=true, product={uid=849b866c-5be7-11ee-a7ff-0242ac110005, feature={uid=849b9742-5be7-11ee-9904-0242ac110005, name=seminar automatic gui, version=1.0.0}, name=nights validity updated, vendor_name=favorite album ncaa, lang=en, version=1.0.0, url_string=however}, creator={full_name=Otelia Kori, org={uid=849bad9a-5be7-11ee-9fa0-0242ac110005, name=timing process palestinian, ou_name=step mouth drunk}, type_id=1, domain=neural fig colin, name=Tap, type=User}, signature={certificate={created_time=1695676041542, subject=annually ic quest, expiration_time=1695676041577, serial_number=distributed characters bin, version=1.0.0, issuer=cooperation worldcat southwest, fingerprints=[{value=A1636B226D49D354EAD09345190417B47EC13762648D8C196823FB556456DD5A2ED39FDF2ADE536CF2D0AFA33A47F9404800085FE205A49A4DA6C280AF603AA9, algorithm_id=0, algorithm=Unknown}]}, created_time_dt=2023-09-25T21:07:21.542032Z, algorithm_id=0, algorithm=Unknown}, type_id=0, accessor={uid=849ba016-5be7-11ee-8738-0242ac110005, email_addr=Stormy@postcard.mobi, type_id=99, name=Xhtml, type=disabilities}, type=Unknown, path=designing designed kim/butts.crx/sunday.crdownload, parent_folder=designing designed kim/butts.crx, modified_time=1695676041546, size=1384349588, mime_type=talked/wishlist, name=sunday.crdownload, hashes=[{value=A5064ED27DDBDCBA4CBCADF1DB39DA3F2EEE6B58C7A1239C64CABA643C220D3F292A1DE7E239A9314ECD04E09E02E1289265DB1375370F0E2CB9844F235B40B9, algorithm_id=6, algorithm=TLSH}]}, cmd_line=treatments proceeding assumed, name=Foundation, created_time_dt=2023-09-25T21:07:21.565904Z, loaded_modules=[/aims/hammer/duke/implementation/roland.jar, 
/illustration/reads/adaptation/ppc/footage.cab], user={uid=849bb81c-5be7-11ee-bbec-0242ac110005, email_addr=Reba@contemporary.mobi, type_id=0, name=Certain, groups=[{uid=849bbdee-5be7-11ee-95a2-0242ac110005, name=penn laundry woods, type=powerpoint jump hospitality, desc=twenty protection innovative}, {uid=849bc780-5be7-11ee-9955-0242ac110005}], uid_alt=technical critics nationally, type=Unknown}, integrity_id=99}, user={uid=849b6916-5be7-11ee-a01e-0242ac110005, email_addr=Yelena@communities.nato, type_id=1, domain=lexmark refers dylan, name=Particles, type=User}, terminated_time=1695676041567}, user={uid=849abe76-5be7-11ee-a5a1-0242ac110005, full_name=Paul Julian, org={uid=849accae-5be7-11ee-af7b-0242ac110005, name=nyc kidney drawings}, type_id=2, domain=statistical poland gregory, name=Alliance, groups=[{uid=849ad5fa-5be7-11ee-a0e9-0242ac110005, privileges=[flashing aol autumn], name=accessed thanks instructions, desc=luggage species belkin}, {uid=849ada50-5be7-11ee-824e-0242ac110005, privileges=[sodium believed housing, incorporated jungle asian], name=cognitive times agent}], type=Admin}}, user={uid=849a900e-5be7-11ee-9894-0242ac110005, full_name=Marisela Towanda, email_addr=Wava@promises.info, type_id=3, name=Round, type=System, account={uid=849a9702-5be7-11ee-9f5d-0242ac110005, type_id=1, name=fragrances bulk specialty, type=LDAP Account}, credential_uid=849a9afe-5be7-11ee-b27a-0242ac110005}}, user={uid=849a52ce-5be7-11ee-a468-0242ac110005, full_name=Elisa Cleora, type_id=99, name=Sisters, type=rebound}, xattributes={}}, terminated_time=1695676041562, uid=849a1af2-5be7-11ee-82a9-0242ac110005, file={owner={type_id=1, name=Welcome, type=User, account={uid=8499eb2c-5be7-11ee-86b7-0242ac110005, type_id=7, name=discs outlets general, type=Mac OS Account}}, path=ralph tales librarian/simpsons.psd/premises.sln, creator={uid=8499f1ee-5be7-11ee-a02c-0242ac110005, type_id=3, domain=coupons dropped pantyhose, name=Booking, type=System}, parent_folder=ralph tales 
librarian/simpsons.psd, type_id=99, name=premises.sln, hashes=[{value=F01EB1DD5E5D955CF3DA810E1FAABA4136E09F5EF69DA3753223183EF836741A617AAAEB52D8B014D900A4A11B94974298F7D3C4EAE57C107CF3A3230AD34188, algorithm_id=6, algorithm=TLSH}], modified_time_dt=2023-09-25T21:07:21.531893Z, type=ships}, cmd_line=text ana range, name=Devices, user={uid=849a06c0-5be7-11ee-acfe-0242ac110005, org={name=velvet days pubs, ou_name=brake craps campaign}, type_id=0, name=Immediate, groups=[{uid=849a1124-5be7-11ee-9a8e-0242ac110005, privileges=[independent vegetables assisted, refinance lee seating]}, {uid=849a1674-5be7-11ee-aa3b-0242ac110005, name=div violence strange}], type=Unknown}}, user={uid=8499b5da-5be7-11ee-b276-0242ac110005, type_id=99, name=Apartments, uid_alt=serving turbo spy, type=ad}}, user={uid=84995d06-5be7-11ee-8223-0242ac110005, org={uid=849963aa-5be7-11ee-b57a-0242ac110005, name=dryer asn trying, ou_name=wr r gibraltar}, type_id=2, name=Fantastic, type=Admin}, terminated_time=1695676041561}, user={uid=84993312-5be7-11ee-b956-0242ac110005, email_addr=Renita@pete.cat, type_id=0, name=Rice, type=Unknown}, xattributes={}}, user={uid=8498cd14-5be7-11ee-94d7-0242ac110005, type_id=99, name=Hour, uid_alt=organizations guild beds, type=insert}}, user={uid=84988e80-5be7-11ee-bf3c-0242ac110005, full_name=Karoline Meggan, email_addr=Elza@girls.mil, type_id=2, name=Provided, type=Admin}, terminated_time=1695676041566}, user={uid=84984db2-5be7-11ee-ba4e-0242ac110005, type_id=1, domain=sao uri flesh, name=Knows, type=User}, xattributes={}}, xattributes={}, terminated_time=1695676041564, uid=849823d2-5be7-11ee-92d1-0242ac110005, integrity=they thermal eau, file={path=wives pamela karl/articles.c/dame.svg, parent_folder=wives pamela karl/articles.c, type_id=1, modifier={uid=8497f38a-5be7-11ee-97c6-0242ac110005, type_id=0, name=Complete, groups=[{uid=8497fde4-5be7-11ee-9733-0242ac110005, name=winds seeking reply}, {uid=8498099c-5be7-11ee-ac6f-0242ac110005, name=hamburg roommate 
environment}], type=Unknown}, security_descriptor=robinson queens graduate, name=dame.svg, hashes=[{value=E7B2EBCA4F63795EBE380FFBEAB194BCF3E2EB5C74F10C6B8AAB95F4C0B8D7AC, algorithm_id=99, algorithm=magic}, {value=AFD9AD7A88CFF487A60962E99C6219806726EB352DD1591D375AD3BB143C0DABBFBC6DBFFA5D99B3662AE82C9B7EED847E30B7EA516D2AD9DFF07D8775F8AE36, algorithm_id=7, algorithm=quickXorHash}], created_time_dt=2023-09-25T21:07:21.519646Z, type=Regular File}, cmd_line=harder interventions pb, name=Bid, user={uid=84981f68-5be7-11ee-b652-0242ac110005, type_id=0, name=Shipment, uid_alt=singh dim static, type=Unknown}}", "session": { "created_time": "2023-09-25T21:07:21.516Z", "credential_uid": "8497c716-5be7-11ee-bd7a-0242ac110005", 
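Review bot: the span of expected output that ends at `"session": { "created_time": "2023-09-25T21:07:21.516Z", "credential_uid": "8497c716-5be7-11ee-bd7a-0242ac110005", ...` still serializes an entire process tree as one `{key=value, ...}` string, for example `account={uid=849d0500-5be7-11ee-97bd-0242ac110005, type_id=3, name=strict manufactured invest, type=AWS IAM User}` and `hashes=[{value=3BC175E9CE56D1FC2D86AB6EA2EC56EB21930540B56A5B6E3840DFB64287ACAB, algorithm_id=3, algorithm=SHA-256}, ...]`, so none of those values (the file hashes, the `cmd_line` values, the `AWS IAM User` account) is searchable as a field. The hunk that follows emits the same kind of data as structured `ocsf.actor.process.*` objects, so please confirm this stringified form no longer appears in the reworked pipeline's output; if it is the deliberate overflow for objects beyond the mapping depth mentioned in the README, state the depth at which it kicks in and add a test case whose name says so.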
@@ -3016,6 +3016,1222 @@ "query": "mattress betting covers", "scheme": "yoga thesaurus regardless" } + }, + { + "@timestamp": "2024-08-01T11:09:23.760Z", + "cloud": { + "account": { + "id": "823f3676-4ff6-11ef-87ce-0242ac110005", + "name": "diet services amazon" + }, + "provider": "son fits additions", + "region": "stick aurora admission" + }, + "container": { + "id": "8241251c-4ff6-11ef-bfb4-0242ac110005", + "image": { + "name": "ports ide john" + }, + "name": "essential service beverage" + }, + "data_stream": { + "dataset": "amazon_security_lake.network_activity", + "namespace": "default", + "type": "logs" + }, + "destination": { + "domain": [ + "sporting.edu" + ], + "ip": "67.43.156.0", + "port": 26803 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "client-synchronization", + "category": [ + "network" + ], + "kind": "event", + "original": "{\"actor\":{\"process\":{\"pid\":55,\"file\":{\"name\":\"demonstrates.xlsx\",\"size\":1700247011,\"type\":\"Character Device\",\"path\":\"simpson alice serum/loud.key/demonstrates.xlsx\",\"desc\":\"suits peru therapist\",\"type_id\":3,\"accessor\":{\"name\":\"Dinner\",\"type\":\"User\",\"uid\":\"8241051e-4ff6-11ef-8c1c-0242ac110005\",\"type_id\":1,\"uid_alt\":\"tiny democrats map\"},\"creator\":{\"name\":\"Clock\",\"type\":\"System\",\"uid\":\"824111ee-4ff6-11ef-80d5-0242ac110005\",\"type_id\":3,\"email_addr\":\"Clelia@servers.arpa\"},\"parent_folder\":\"simpson alice serum/loud.key\",\"confidentiality\":\"Not Confidential\",\"confidentiality_id\":1,\"hashes\":[{\"value\":\"866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4},{\"value\":\"9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}]},\"uid\":\"82411bb2-4ff6-11ef-a29d-0242ac110005\",\"cmd_line\":\"composer 
oriented salt\",\"container\":{\"name\":\"essential service beverage\",\"size\":3850921168,\"uid\":\"8241251c-4ff6-11ef-bfb4-0242ac110005\",\"image\":{\"name\":\"ports ide john\",\"uid\":\"82412df0-4ff6-11ef-bb20-0242ac110005\"},\"hash\":{\"value\":\"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16\",\"algorithm\":\"magic\",\"algorithm_id\":99}},\"created_time\":1722510563763413,\"namespace_pid\":26,\"parent_process\":{\"name\":\"Peripheral\",\"file\":{\"name\":\"ebook.xls\",\"type\":\"Named Pipe\",\"path\":\"sheffield specs folks/ab.dll/ebook.xls\",\"uid\":\"824151a4-4ff6-11ef-baa0-0242ac110005\",\"type_id\":6,\"accessor\":{\"name\":\"Mp\",\"type\":\"Admin\",\"uid\":\"82415dc0-4ff6-11ef-8589-0242ac110005\",\"type_id\":2},\"creator\":{\"name\":\"Contemporary\",\"type\":\"User\",\"uid\":\"82416b62-4ff6-11ef-bb14-0242ac110005\",\"groups\":[{\"name\":\"differences rachel activity\",\"uid\":\"824174ea-4ff6-11ef-858b-0242ac110005\"},{\"name\":\"philips facility sure\",\"desc\":\"richardson silly malpractice\"}],\"type_id\":1,\"credential_uid\":\"82417bf2-4ff6-11ef-9b27-0242ac110005\"},\"parent_folder\":\"sheffield specs folks/ab.dll\",\"confidentiality\":\"ws rage bedford\",\"hashes\":[{\"value\":\"8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6\",\"algorithm\":\"TLSH\",\"algorithm_id\":6},{\"value\":\"8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B\",\"algorithm\":\"magic\",\"algorithm_id\":99}],\"xattributes\":{},\"accessed_time_dt\":\"2024-08-01T11:09:23.765455Z\"},\"user\":{\"type\":\"System\",\"uid\":\"82418dcc-4ff6-11ef-ad9d-0242ac110005\",\"groups\":[{\"name\":\"minneapolis listen accounts\",\"uid\":\"82419740-4ff6-11ef-8605-0242ac110005\"},{\"name\":\"convert temporal sees\",\"type\":\"pointer launch particle\",\"uid\":\"82419e0c-4ff6-11ef-a40e-0242ac110005\"}],\"type_id\":3,\"account\":{\"name\":\"person catalogs assembled\",\"type\":\"AWS IAM 
Role\",\"uid\":\"8241a78a-4ff6-11ef-a514-0242ac110005\",\"type_id\":4},\"email_addr\":\"Mabel@appointment.cat\"},\"group\":{\"name\":\"crisis vulnerable challenge\",\"desc\":\"understand charlie shorts\"},\"tid\":31,\"uid\":\"8241b414-4ff6-11ef-942e-0242ac110005\",\"cmd_line\":\"scientist discover md\",\"container\":{\"name\":\"basement canada const\",\"size\":3047246820,\"uid\":\"8241bd6a-4ff6-11ef-b2aa-0242ac110005\",\"image\":{\"uid\":\"8241c562-4ff6-11ef-8fe7-0242ac110005\"},\"orchestrator\":\"leslie contribute pixel\"},\"created_time\":1722510563767250,\"namespace_pid\":1,\"parent_process\":{\"name\":\"Racks\",\"pid\":74,\"file\":{\"name\":\"lightning.htm\",\"type\":\"valve\",\"path\":\"deer oils respected/blood.ico/lightning.htm\",\"desc\":\"differently maldives brand\",\"product\":{\"name\":\"relevant adaptation midwest\",\"version\":\"1.1.0\",\"lang\":\"en\",\"vendor_name\":\"eclipse korean ghost\"},\"type_id\":99,\"accessor\":{\"name\":\"Request\",\"type\":\"Admin\",\"uid\":\"8241ede4-4ff6-11ef-acc4-0242ac110005\",\"groups\":[{\"name\":\"well characterization holocaust\",\"uid\":\"82421e4a-4ff6-11ef-8980-0242ac110005\"},{\"name\":\"levitra against glen\"}],\"type_id\":2},\"parent_folder\":\"deer oils respected/blood.ico\",\"confidentiality\":\"median twelve ha\",\"created_time\":1722510563769556,\"hashes\":[{\"value\":\"06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},{\"value\":\"7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"created_time_dt\":\"2024-08-01T11:09:23.769628Z\"},\"user\":{\"name\":\"Prep\",\"type\":\"Unknown\",\"uid\":\"82422f2a-4ff6-11ef-8418-0242ac110005\",\"type_id\":0},\"group\":{\"name\":\"bet dictionaries 
peace\"},\"uid\":\"82423a2e-4ff6-11ef-ac30-0242ac110005\",\"cmd_line\":\"checking yeast mark\",\"container\":{\"name\":\"ireland subcommittee falling\",\"size\":1936688053,\"uid\":\"82424474-4ff6-11ef-82f8-0242ac110005\",\"image\":{\"name\":\"write paper recognized\",\"uid\":\"82424de8-4ff6-11ef-8d6b-0242ac110005\"},\"hash\":{\"value\":\"D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7},\"pod_uuid\":\"blues\"},\"created_time\":1722510563770786,\"parent_process\":{\"name\":\"Chile\",\"pid\":51,\"file\":{\"name\":\"eyed.csr\",\"owner\":{\"name\":\"Recent\",\"type\":\"User\",\"uid\":\"82426be8-4ff6-11ef-807f-0242ac110005\",\"type_id\":1,\"uid_alt\":\"affiliation locks chance\"},\"type\":\"Regular File\",\"path\":\"michigan prague acting/perfume.cer/eyed.csr\",\"product\":{\"name\":\"classics problem furnished\",\"version\":\"1.1.0\",\"uid\":\"82427804-4ff6-11ef-92e9-0242ac110005\",\"vendor_name\":\"mathematical chat duration\"},\"type_id\":1,\"accessor\":{\"name\":\"Reducing\",\"type\":\"Admin\",\"uid\":\"82428894-4ff6-11ef-aa8a-0242ac110005\",\"type_id\":2},\"parent_folder\":\"michigan prague acting/perfume.cer\",\"confidentiality\":\"coach\",\"confidentiality_id\":99,\"hashes\":[{\"value\":\"44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}],\"security_descriptor\":\"hamilton samsung subsidiary\"},\"user\":{\"name\":\"Fitted\",\"type\":\"Admin\",\"uid\":\"82429a96-4ff6-11ef-ac59-0242ac110005\",\"type_id\":2},\"group\":{\"name\":\"lightbox lay brad\",\"uid\":\"8242f608-4ff6-11ef-aea1-0242ac110005\"},\"uid\":\"8242ff90-4ff6-11ef-b85f-0242ac110005\",\"cmd_line\":\"fixed marketing wear\",\"container\":{\"name\":\"disagree replied 
romania\",\"size\":940803910,\"uid\":\"82430aa8-4ff6-11ef-83eb-0242ac110005\",\"image\":{\"name\":\"venice shipment thursday\",\"tag\":\"worst lamb depends\",\"uid\":\"8243169c-4ff6-11ef-9bd9-0242ac110005\"},\"orchestrator\":\"syndrome permissions shark\"},\"created_time\":1722510563775908,\"integrity\":\"tired random grown\",\"namespace_pid\":4,\"parent_process\":{\"pid\":17,\"file\":{\"name\":\"freedom.bat\",\"owner\":{\"name\":\"Lake\",\"type\":\"Unknown\",\"type_id\":0,\"credential_uid\":\"82433334-4ff6-11ef-9df3-0242ac110005\"},\"type\":\"Symbolic Link\",\"path\":\"ko phantom flights/ground.dtd/freedom.bat\",\"desc\":\"beatles collar exposure\",\"product\":{\"name\":\"gave thomson circumstances\",\"uid\":\"82433e6a-4ff6-11ef-8379-0242ac110005\",\"url_string\":\"copyrights\",\"vendor_name\":\"poetry lived fy\"},\"uid\":\"82434784-4ff6-11ef-98ca-0242ac110005\",\"type_id\":7,\"mime_type\":\"law/apparent\",\"parent_folder\":\"ko phantom flights/ground.dtd\",\"confidentiality\":\"Unknown\",\"confidentiality_id\":0,\"hashes\":[{\"value\":\"CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45\",\"algorithm\":\"quickXorHash\",\"algorithm_id\":7}],\"is_system\":false,\"xattributes\":{}},\"user\":{\"name\":\"Ak\",\"type\":\"System\",\"domain\":\"km msgid creek\",\"uid\":\"82436e80-4ff6-11ef-b543-0242ac110005\",\"type_id\":3,\"credential_uid\":\"824374de-4ff6-11ef-a10e-0242ac110005\"},\"group\":{\"name\":\"via capabilities manufacturing\",\"uid\":\"82437e84-4ff6-11ef-a820-0242ac110005\",\"privileges\":[\"tv glasses retrieval\"]},\"uid\":\"824384d8-4ff6-11ef-8982-0242ac110005\",\"cmd_line\":\"smile builders sanyo\",\"container\":{\"name\":\"arrange lips hoped\",\"size\":3752277430,\"uid\":\"82438e24-4ff6-11ef-9a2b-0242ac110005\",\"image\":{\"name\":\"surfing harvest additionally\",\"tag\":\"instrumentation mi 
dim\",\"uid\":\"82439680-4ff6-11ef-b7fa-0242ac110005\"},\"hash\":{\"value\":\"37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"created_time\":1722510563779192,\"namespace_pid\":23,\"parent_process\":{\"name\":\"Miles\",\"pid\":44,\"file\":{\"name\":\"naturally.dmp\",\"type\":\"apparently\",\"version\":\"1.1.0\",\"path\":\"eligible terms landscapes/those.accdb/naturally.dmp\",\"product\":{\"name\":\"viruses dancing dirty\",\"version\":\"1.1.0\",\"uid\":\"8243ae0e-4ff6-11ef-9d4a-0242ac110005\",\"lang\":\"en\",\"vendor_name\":\"ricky junk daniel\"},\"type_id\":99,\"accessor\":{\"name\":\"Profiles\",\"type\":\"hall\",\"uid\":\"8243c31c-4ff6-11ef-b7ce-0242ac110005\",\"type_id\":99,\"email_addr\":\"Benita@instrument.com\",\"uid_alt\":\"zope unsubscribe be\"},\"parent_folder\":\"eligible terms landscapes/those.accdb\",\"hashes\":[{\"value\":\"75017A36EC07FD4C377A0D2A011400AB193E61DB\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2}],\"created_time_dt\":\"2024-08-01T11:09:23.780361Z\",\"modified_time_dt\":\"2024-08-01T11:09:23.780372Z\"},\"user\":{\"name\":\"Translated\",\"type\":\"User\",\"uid\":\"8243ea5e-4ff6-11ef-af0a-0242ac110005\",\"type_id\":1,\"full_name\":\"Bronwyn Kandi\"},\"group\":{\"name\":\"secure escape dui\",\"type\":\"vault vocational aerospace\",\"uid\":\"8243f65c-4ff6-11ef-a514-0242ac110005\",\"privileges\":[\"doug producing distributor\",\"discover uri conscious\"]},\"uid\":\"8243fda0-4ff6-11ef-9876-0242ac110005\",\"cmd_line\":\"compiler homework usually\",\"container\":{\"name\":\"vietnamese sixth good\",\"runtime\":\"paragraph pizza ing\",\"size\":3917616377,\"uid\":\"82440a5c-4ff6-11ef-ad41-0242ac110005\",\"image\":{\"name\":\"pr request 
boy\",\"uid\":\"824413e4-4ff6-11ef-bb4f-0242ac110005\"},\"hash\":{\"value\":\"818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5\",\"algorithm\":\"SHA-256\",\"algorithm_id\":3},\"orchestrator\":\"maintain cargo awarded\"},\"terminated_time\":1722510563782421}},\"terminated_time\":1722510563782432,\"euid\":44,\"egid\":29,\"created_time_dt\":\"2024-08-01T11:09:23.782438Z\",\"terminated_time_dt\":\"2024-08-01T11:09:23.782445Z\"},\"terminated_time\":1722510563782452,\"auid\":78,\"terminated_time_dt\":\"2024-08-01T11:09:23.782458Z\"},\"euid\":21,\"created_time_dt\":\"2024-08-01T11:09:23.782465Z\",\"terminated_time_dt\":\"2024-08-01T11:09:23.782471Z\"},\"euid\":20},\"user\":{\"name\":\"Villa\",\"type\":\"seek\",\"uid\":\"824425be-4ff6-11ef-8b9f-0242ac110005\",\"org\":{\"name\":\"replied reservation circles\",\"uid\":\"82442fdc-4ff6-11ef-b680-0242ac110005\",\"ou_name\":\"dale halloween convenience\"},\"type_id\":99,\"uid_alt\":\"trout americans substance\"}},\"activity_name\":\"Client Synchronization\",\"action\":\"Denied\",\"proxy_endpoint\":{\"name\":\"resources contracts treasury\",\"port\":32431,\"type\":\"Hub\",\"ip\":\"175.16.199.0\",\"hostname\":\"fashion.aero\",\"uid\":\"8240c996-4ff6-11ef-a9b6-0242ac110005\",\"mac\":\"AA:9E:EF:FA:F6:8C:22:78\",\"type_id\":11,\"container\":{\"name\":\"actions bullet populations\",\"size\":1551677878,\"uid\":\"8240d5bc-4ff6-11ef-8e32-0242ac110005\",\"image\":{\"name\":\"jewish rating housewives\",\"uid\":\"8240de40-4ff6-11ef-8dac-0242ac110005\"},\"hash\":{\"value\":\"428AC4813390324C88145AE1CB67084A8DA3386B\",\"algorithm\":\"SHA-1\",\"algorithm_id\":2},\"network_driver\":\"midi florists tired\",\"orchestrator\":\"contract girl traditional\"},\"instance_uid\":\"8240e746-4ff6-11ef-a2e6-0242ac110005\",\"interface_name\":\"bring ana ex\",\"namespace_pid\":71,\"svc_name\":\"democratic benefits supplier\"},\"stratum_id\":16,\"severity\":\"indirect\",\"category_name\":\"Network Activity\",\"message\":\"c attended 
regulated\",\"class_uid\":4013,\"severity_id\":99,\"version\":\"1.1.0\",\"proxy_connection_info\":{\"uid\":\"8240bb40-4ff6-11ef-9482-0242ac110005\",\"direction\":\"commodity\",\"direction_id\":99,\"protocol_num\":62,\"protocol_ver\":\"Internet Protocol version 4 (IPv4)\",\"protocol_ver_id\":4},\"time\":1722510563760083,\"precision\":47,\"device\":{\"name\":\"keyboards sudan tp\",\"type\":\"Unknown\",\"ip\":\"216.160.83.56\",\"location\":{\"desc\":\"Guadeloupe\",\"city\":\"Vic screenshot\",\"country\":\"GP\",\"coordinates\":[22.1588,28.2006],\"continent\":\"North America\"},\"hostname\":\"teeth.nato\",\"image\":{\"uid\":\"8240911a-4ff6-11ef-a984-0242ac110005\",\"labels\":[\"microsoft\"]},\"type_id\":0,\"subnet\":\"38.80.125.0/24\",\"container\":{\"name\":\"hormone investigated performances\",\"size\":793369097,\"uid\":\"82409b10-4ff6-11ef-b701-0242ac110005\",\"image\":{\"name\":\"distance beautifully maximum\",\"tag\":\"passed contribution studied\",\"uid\":\"8240a3d0-4ff6-11ef-be39-0242ac110005\"},\"hash\":{\"value\":\"CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199\",\"algorithm\":\"magic\",\"algorithm_id\":99},\"orchestrator\":\"genes thick degree\"},\"created_time\":1722510563758738,\"instance_uid\":\"8240879c-4ff6-11ef-af64-0242ac110005\",\"interface_name\":\"abstracts cj highs\",\"interface_uid\":\"8240ade4-4ff6-11ef-b741-0242ac110005\",\"is_managed\":false,\"namespace_pid\":56,\"region\":\"painful lifetime significant\",\"vlan_uid\":\"824080b2-4ff6-11ef-a395-0242ac110005\"},\"observables\":[{\"name\":\"logged nasdaq hosts\",\"type\":\"Hash\",\"type_id\":8},{\"name\":\"trading friends request\",\"type\":\"gentle\",\"type_id\":99}],\"type_name\":\"NTP Activity: Client Synchronization\",\"type_uid\":401303,\"src_endpoint\":{\"name\":\"brandon attacked blonde\",\"port\":23430,\"type\":\"Virtual\",\"ip\":\"89.160.20.128\",\"location\":{\"desc\":\"Macao, Special Administrative Region of China\",\"city\":\"Death 
stars\",\"country\":\"MO\",\"coordinates\":[-54.8511,61.8154],\"continent\":\"Asia\"},\"hostname\":\"sacrifice.jobs\",\"uid\":\"82403698-4ff6-11ef-bb82-0242ac110005\",\"type_id\":6,\"container\":{\"name\":\"variety summary focused\",\"size\":1038161419,\"uid\":\"824041c4-4ff6-11ef-916a-0242ac110005\",\"image\":{\"name\":\"toddler yahoo dressing\",\"uid\":\"82405042-4ff6-11ef-9809-0242ac110005\"},\"hash\":{\"value\":\"FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823\",\"algorithm\":\"SHA-512\",\"algorithm_id\":4}},\"instance_uid\":\"8240592a-4ff6-11ef-a917-0242ac110005\",\"interface_name\":\"bobby machines drink\",\"interface_uid\":\"82405fb0-4ff6-11ef-8580-0242ac110005\",\"namespace_pid\":19,\"vpc_uid\":\"824065c8-4ff6-11ef-83f7-0242ac110005\",\"zone\":\"admitted freebsd lazy\"},\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"raising sodium preliminary\",\"version\":\"1.1.0\",\"uid\":\"82400ab0-4ff6-11ef-abab-0242ac110005\",\"cpe_name\":\"skilled ru contributions\",\"url_string\":\"mad\",\"vendor_name\":\"answer probe affiliation\"},\"labels\":[\"martin\",\"lil\"],\"log_level\":\"recovered device retail\",\"sequence\":44,\"profiles\":[\"cloud\",\"container\",\"datetime\",\"host\",\"linux/linux_users\",\"load_balancer\",\"network_proxy\",\"security_control\"],\"log_name\":\"planets van wine\",\"log_provider\":\"execute lite utah\",\"original_time\":\"fairy affecting agricultural\",\"tenant_uid\":\"8240179e-4ff6-11ef-b399-0242ac110005\",\"processed_time_dt\":\"2024-08-01T11:09:23.756232Z\"},\"activity_id\":3,\"proxy_tls\":{\"version\":\"1.1.0\",\"key_length\":36,\"cipher\":\"cent memories rochester\",\"sni\":\"identification vincent breakfast\",\"certificate_chain\":[\"pack menu 
plot\"],\"ja3_hash\":{\"value\":\"AC725768466500046904D27B548D75C5\",\"algorithm\":\"MD5\",\"algorithm_id\":1},\"ja3s_hash\":{\"value\":\"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396\",\"algorithm\":\"Unknown\",\"algorithm_id\":0},\"tls_extension_list\":[{\"data\":\"recruitment\",\"type\":\"server_name\",\"type_id\":0}]},\"stratum\":\"Unsynchronized\",\"count\":97,\"status\":\"Success\",\"connection_info\":{\"direction\":\"Lateral\",\"direction_id\":3,\"protocol_num\":24,\"protocol_ver\":\"1\"},\"proxy_traffic\":{\"packets\":3436547282},\"timezone_offset\":59,\"category_uid\":4,\"proxy_http_response\":{\"code\":84,\"status\":\"accident around gamespot\",\"http_headers\":[{\"name\":\"valid involving problem\",\"value\":\"swiss navigator focused\"}]},\"cloud\":{\"account\":{\"name\":\"diet services amazon\",\"type\":\"Linux Account\",\"uid\":\"823f3676-4ff6-11ef-87ce-0242ac110005\",\"type_id\":9},\"provider\":\"son fits additions\",\"region\":\"stick aurora admission\"},\"dst_endpoint\":{\"name\":\"foul coming meetings\",\"port\":26803,\"type\":\"Virtual\",\"ip\":\"67.43.156.0\",\"hostname\":\"sporting.edu\",\"uid\":\"823eaf30-4ff6-11ef-9671-0242ac110005\",\"type_id\":6,\"container\":{\"name\":\"fisher invite serial\",\"size\":480391375,\"uid\":\"823eb962-4ff6-11ef-b477-0242ac110005\",\"image\":{\"name\":\"scientific isa thrown\",\"path\":\"isbn phones proof\",\"uid\":\"823ec95c-4ff6-11ef-9378-0242ac110005\",\"labels\":[\"oc\",\"inside\"]},\"hash\":{\"value\":\"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3\",\"algorithm\":\"Unknown\",\"algorithm_id\":0}},\"interface_name\":\"active rc saying\",\"interface_uid\":\"823ed398-4ff6-11ef-9896-0242ac110005\",\"intermediate_ips\":[\"81.2.69.142\",\"81.2.69.144\"],\"namespace_pid\":38,\"svc_name\":\"cyber influence 
simon\",\"vpc_uid\":\"823edb22-4ff6-11ef-bd25-0242ac110005\"},\"action_id\":2,\"authorizations\":[{},{}],\"load_balancer\":{\"code\":47,\"name\":\"threats invoice popularity\",\"uid\":\"823df61c-4ff6-11ef-a0b1-0242ac110005\",\"dst_endpoint\":{\"name\":\"aspect attempted credit\",\"port\":42720,\"type\":\"Laptop\",\"ip\":\"31.13.253.50\",\"hostname\":\"brake.jobs\",\"uid\":\"823e06ac-4ff6-11ef-949d-0242ac110005\",\"type_id\":3,\"container\":{\"name\":\"allowed entered philippines\",\"size\":4007710700,\"tag\":\"items preservation orleans\",\"uid\":\"823e1200-4ff6-11ef-833f-0242ac110005\",\"image\":{\"name\":\"repairs opposed condos\",\"tag\":\"melissa post courage\",\"path\":\"circulation franklin everybody\",\"uid\":\"823e1c46-4ff6-11ef-a5a8-0242ac110005\"},\"hash\":{\"value\":\"5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C\",\"algorithm\":\"CTPH\",\"algorithm_id\":5}},\"instance_uid\":\"823e25ec-4ff6-11ef-8a0b-0242ac110005\",\"interface_name\":\"adelaide hewlett housewives\",\"interface_uid\":\"823e2c9a-4ff6-11ef-9dc6-0242ac110005\",\"namespace_pid\":0,\"svc_name\":\"layout radius connectors\",\"vpc_uid\":\"823e3352-4ff6-11ef-8cdc-0242ac110005\"},\"endpoint_connections\":[{\"code\":7,\"network_endpoint\":{\"port\":9631,\"type\":\"Mobile\",\"ip\":\"155.162.119.5\",\"hostname\":\"principle.nato\",\"uid\":\"823e6124-4ff6-11ef-83b0-0242ac110005\",\"type_id\":5,\"hw_info\":{\"keyboard_info\":{\"ime\":\"mark least sean\"},\"ram_size\":94,\"serial_number\":\"invest spring distributors\"},\"instance_uid\":\"823e6bd8-4ff6-11ef-9050-0242ac110005\",\"interface_name\":\"bouquet shorter node\",\"interface_uid\":\"823e7290-4ff6-11ef-b82d-0242ac110005\",\"svc_name\":\"surfing lynn leonard\"}},{\"code\":95,\"network_endpoint\":{\"name\":\"ambien thermal advance\",\"port\":58409,\"type\":\"Browser\",\"ip\":\"102.249.60.133\",\"hostname\":\"ranging.pro\",\"type_id\":8,\"container\":{\"name\":\"cad 
xanax businesses\",\"size\":2100136552,\"uid\":\"823e83fc-4ff6-11ef-9497-0242ac110005\",\"image\":{\"name\":\"usda ian manitoba\",\"uid\":\"823e8d8e-4ff6-11ef-ae19-0242ac110005\"},\"orchestrator\":\"control flame phrases\"},\"instance_uid\":\"823e94a0-4ff6-11ef-bdd0-0242ac110005\",\"interface_name\":\"platform boat nav\",\"interface_uid\":\"823e9f2c-4ff6-11ef-8022-0242ac110005\",\"namespace_pid\":32,\"svc_name\":\"intention currency persons\",\"zone\":\"beverly fm stage\"}}]},\"class_name\":\"NTP Activity\",\"status_id\":1}", + "outcome": "success", + "provider": "execute lite utah", + "sequence": 44, + "severity": 99, + "type": [ + "info", + "start" + ] + }, + "file": { + "directory": "simpson alice serum/loud.key", + "hash": { + "sha512": [ + "866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9" + ], + "ssdeep": [ + "9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C" + ] + }, + "name": "demonstrates.xlsx", + "path": "simpson alice serum/loud.key/demonstrates.xlsx", + "size": 1700247011, + "type": "Character Device" + }, + "host": { + "geo": { + "city_name": "Vic screenshot", + "continent_name": "North America", + "country_iso_code": "GP", + "location": [ + 22.1588, + 28.2006 + ], + "name": "Guadeloupe" + }, + "hostname": "teeth.nato", + "ip": [ + "216.160.83.56" + ], + "name": "keyboards sudan tp", + "type": "Unknown" + }, + "message": "c attended regulated", + "network": { + "application": [ + "cyber influence simon" + ], + "iana_number": "24", + "type": "1", + "vlan": { + "id": "824080b2-4ff6-11ef-a395-0242ac110005" + } + }, + "ocsf": { + "action": "Denied", + "action_id": 2, + "activity_id": "3", + "activity_name": "Client Synchronization", + "actor": { + "process": { + "cmd_line": "composer oriented salt", + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": "99", + "value": 
"FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16" + }, + "image": { + "name": "ports ide john", + "uid": "82412df0-4ff6-11ef-bb20-0242ac110005" + }, + "name": "essential service beverage", + "size": 3850921168, + "uid": "8241251c-4ff6-11ef-bfb4-0242ac110005" + }, + "created_time": "2024-08-01T11:09:23.763Z", + "euid": "20", + "file": { + "accessor": { + "name": "Dinner", + "type": "User", + "type_id": "1", + "uid": "8241051e-4ff6-11ef-8c1c-0242ac110005", + "uid_alt": "tiny democrats map" + }, + "confidentiality": "Not Confidential", + "confidentiality_id": "1", + "creator": { + "email_addr": "Clelia@servers.arpa", + "name": "Clock", + "type": "System", + "type_id": "3", + "uid": "824111ee-4ff6-11ef-80d5-0242ac110005" + }, + "desc": "suits peru therapist", + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": "4", + "value": "866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9" + }, + { + "algorithm": "CTPH", + "algorithm_id": "5", + "value": "9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C" + } + ], + "name": "demonstrates.xlsx", + "parent_folder": "simpson alice serum/loud.key", + "path": "simpson alice serum/loud.key/demonstrates.xlsx", + "size": 1700247011, + "type": "Character Device", + "type_id": "3" + }, + "namespace_pid": 26, + "parent_process": { + "cmd_line": "scientist discover md", + "container": { + "image": { + "uid": "8241c562-4ff6-11ef-8fe7-0242ac110005" + }, + "name": "basement canada const", + "orchestrator": "leslie contribute pixel", + "size": 3047246820, + "uid": "8241bd6a-4ff6-11ef-b2aa-0242ac110005" + }, + "created_time": "2024-08-01T11:09:23.767Z", + "created_time_dt": "2024-08-01T11:09:23.782Z", + "euid": "21", + "file": { + "accessed_time_dt": "2024-08-01T11:09:23.765Z", + "accessor": { + "name": "Mp", + "type": "Admin", + "type_id": "2", + "uid": 
"82415dc0-4ff6-11ef-8589-0242ac110005" + }, + "confidentiality": "ws rage bedford", + "creator": { + "credential_uid": "82417bf2-4ff6-11ef-9b27-0242ac110005", + "groups": [ + { + "name": "differences rachel activity", + "uid": "824174ea-4ff6-11ef-858b-0242ac110005" + }, + { + "desc": "richardson silly malpractice", + "name": "philips facility sure" + } + ], + "name": "Contemporary", + "type": "User", + "type_id": "1", + "uid": "82416b62-4ff6-11ef-bb14-0242ac110005" + }, + "hashes": [ + { + "algorithm": "TLSH", + "algorithm_id": "6", + "value": "8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6" + }, + { + "algorithm": "magic", + "algorithm_id": "99", + "value": "8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B" + } + ], + "name": "ebook.xls", + "parent_folder": "sheffield specs folks/ab.dll", + "path": "sheffield specs folks/ab.dll/ebook.xls", + "type": "Named Pipe", + "type_id": "6", + "uid": "824151a4-4ff6-11ef-baa0-0242ac110005" + }, + "group": { + "desc": "understand charlie shorts", + "name": "crisis vulnerable challenge" + }, + "name": "Peripheral", + "namespace_pid": 1, + "parent_process": { + "auid": 78, + "cmd_line": "checking yeast mark", + "container": { + "hash": { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "D74C708F707DAB0C2242DD6D42285F3C7EE4E2A184638F20C51CBA94CBA1FC8712D9EC20451FFE4C09C4E3660F8F154D048927419E81E2A55F1ABFDCCF4F767B" + }, + "image": { + "name": "write paper recognized", + "uid": "82424de8-4ff6-11ef-8d6b-0242ac110005" + }, + "name": "ireland subcommittee falling", + "pod_uuid": "blues", + "size": 1936688053, + "uid": "82424474-4ff6-11ef-82f8-0242ac110005" + }, + "created_time": 1722510563770, + "file": { + "accessor": { + "groups": [ + { + "name": "well characterization holocaust", + "uid": "82421e4a-4ff6-11ef-8980-0242ac110005" + }, + { + "name": "levitra against glen" + } + ], + "name": "Request", + "type": "Admin", + 
"type_id": 2, + "uid": "8241ede4-4ff6-11ef-acc4-0242ac110005" + }, + "confidentiality": "median twelve ha", + "created_time": 1722510563769, + "created_time_dt": "2024-08-01T11:09:23.769628Z", + "desc": "differently maldives brand", + "hashes": [ + { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": "06B04AF04D46617C543D3B3E00B99E504838DD15737ADA44AD4294FDDDAFF6D9585FAC5FD5DFA5754AEB22DC9103B558FAB9AF00B6CA8EB2A9D69B81032A20DD" + }, + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "7076AC494351B52696279B3745D5340FC3AFD5121F4D18647E4A29796EEFD6C57363BC0ACDEC4D9552DDA8D642B25D9B81BC08AEBF9B01A05F288053FB1AEB98" + } + ], + "name": "lightning.htm", + "parent_folder": "deer oils respected/blood.ico", + "path": "deer oils respected/blood.ico/lightning.htm", + "product": { + "lang": "en", + "name": "relevant adaptation midwest", + "vendor_name": "eclipse korean ghost", + "version": "1.1.0" + }, + "type": "valve", + "type_id": 99 + }, + "group": { + "name": "bet dictionaries peace" + }, + "name": "Racks", + "parent_process": { + "cmd_line": "fixed marketing wear", + "container": { + "image": { + "name": "venice shipment thursday", + "tag": "worst lamb depends", + "uid": "8243169c-4ff6-11ef-9bd9-0242ac110005" + }, + "name": "disagree replied romania", + "orchestrator": "syndrome permissions shark", + "size": 940803910, + "uid": "82430aa8-4ff6-11ef-83eb-0242ac110005" + }, + "created_time": 1722510563775, + "created_time_dt": "2024-08-01T11:09:23.782438Z", + "egid": 29, + "euid": 44, + "file": { + "accessor": { + "name": "Reducing", + "type": "Admin", + "type_id": 2, + "uid": "82428894-4ff6-11ef-aa8a-0242ac110005" + }, + "confidentiality": "coach", + "confidentiality_id": 99, + "hashes": [ + { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "44C87B3E980B5D5906C47A44899C53ECEAA127EF07D4DADDC5BEEB648A5EBD979F5D54C7002601E0148D642C58F1AFF229C9C50C02365ED263295529F74A9AB2" + } + ], + "name": "eyed.csr", + "owner": { + "name": "Recent", + 
"type": "User", + "type_id": 1, + "uid": "82426be8-4ff6-11ef-807f-0242ac110005", + "uid_alt": "affiliation locks chance" + }, + "parent_folder": "michigan prague acting/perfume.cer", + "path": "michigan prague acting/perfume.cer/eyed.csr", + "product": { + "name": "classics problem furnished", + "uid": "82427804-4ff6-11ef-92e9-0242ac110005", + "vendor_name": "mathematical chat duration", + "version": "1.1.0" + }, + "security_descriptor": "hamilton samsung subsidiary", + "type": "Regular File", + "type_id": 1 + }, + "group": { + "name": "lightbox lay brad", + "uid": "8242f608-4ff6-11ef-aea1-0242ac110005" + }, + "integrity": "tired random grown", + "name": "Chile", + "namespace_pid": 4, + "parent_process": { + "cmd_line": "smile builders sanyo", + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "37F2759ED75FB07B29E4F1A5A51072ADD7EC16769903AAA33DBBA5DEA773A7E3CBA90D3152ADBA24BF6E54372233D78D69D964F32AC2E3973C91C1FAB5D51B26" + }, + "image": { + "name": "surfing harvest additionally", + "tag": "instrumentation mi dim", + "uid": "82439680-4ff6-11ef-b7fa-0242ac110005" + }, + "name": "arrange lips hoped", + "size": 3752277430, + "uid": "82438e24-4ff6-11ef-9a2b-0242ac110005" + }, + "created_time": 1722510563779, + "file": { + "confidentiality": "Unknown", + "confidentiality_id": 0, + "desc": "beatles collar exposure", + "hashes": [ + { + "algorithm": "quickXorHash", + "algorithm_id": 7, + "value": "CD0EE6AF5EAA1C114A915FA7096E3060AE27D1892461BFA5EE7896B183FC87987940FD470777B47DC0709EED93E2EBCED33B3D3E0C4870660C470F1D1DCCDD45" + } + ], + "is_system": false, + "mime_type": "law/apparent", + "name": "freedom.bat", + "owner": { + "credential_uid": "82433334-4ff6-11ef-9df3-0242ac110005", + "name": "Lake", + "type": "Unknown", + "type_id": 0 + }, + "parent_folder": "ko phantom flights/ground.dtd", + "path": "ko phantom flights/ground.dtd/freedom.bat", + "product": { + "name": "gave thomson circumstances", + "uid": 
"82433e6a-4ff6-11ef-8379-0242ac110005", + "url_string": "copyrights", + "vendor_name": "poetry lived fy" + }, + "type": "Symbolic Link", + "type_id": 7, + "uid": "82434784-4ff6-11ef-98ca-0242ac110005" + }, + "group": { + "name": "via capabilities manufacturing", + "privileges": [ + "tv glasses retrieval" + ], + "uid": "82437e84-4ff6-11ef-a820-0242ac110005" + }, + "namespace_pid": 23, + "parent_process": { + "cmd_line": "compiler homework usually", + "container": { + "hash": { + "algorithm": "SHA-256", + "algorithm_id": 3, + "value": "818853F7CD4B4D46AD3612755274DC4BE0689988A1BDBC0D8A5F54BA585D7FA5" + }, + "image": { + "name": "pr request boy", + "uid": "824413e4-4ff6-11ef-bb4f-0242ac110005" + }, + "name": "vietnamese sixth good", + "orchestrator": "maintain cargo awarded", + "runtime": "paragraph pizza ing", + "size": 3917616377, + "uid": "82440a5c-4ff6-11ef-ad41-0242ac110005" + }, + "file": { + "accessor": { + "email_addr": "Benita@instrument.com", + "name": "Profiles", + "type": "hall", + "type_id": 99, + "uid": "8243c31c-4ff6-11ef-b7ce-0242ac110005", + "uid_alt": "zope unsubscribe be" + }, + "created_time_dt": "2024-08-01T11:09:23.780361Z", + "hashes": [ + { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "75017A36EC07FD4C377A0D2A011400AB193E61DB" + } + ], + "modified_time_dt": "2024-08-01T11:09:23.780372Z", + "name": "naturally.dmp", + "parent_folder": "eligible terms landscapes/those.accdb", + "path": "eligible terms landscapes/those.accdb/naturally.dmp", + "product": { + "lang": "en", + "name": "viruses dancing dirty", + "uid": "8243ae0e-4ff6-11ef-9d4a-0242ac110005", + "vendor_name": "ricky junk daniel", + "version": "1.1.0" + }, + "type": "apparently", + "type_id": 99, + "version": "1.1.0" + }, + "group": { + "name": "secure escape dui", + "privileges": [ + "doug producing distributor", + "discover uri conscious" + ], + "type": "vault vocational aerospace", + "uid": "8243f65c-4ff6-11ef-a514-0242ac110005" + }, + "name": "Miles", + "pid": 44, + 
"terminated_time": 1722510563782, + "uid": "8243fda0-4ff6-11ef-9876-0242ac110005", + "user": { + "full_name": "Bronwyn Kandi", + "name": "Translated", + "type": "User", + "type_id": 1, + "uid": "8243ea5e-4ff6-11ef-af0a-0242ac110005" + } + }, + "pid": 17, + "uid": "824384d8-4ff6-11ef-8982-0242ac110005", + "user": { + "credential_uid": "824374de-4ff6-11ef-a10e-0242ac110005", + "domain": "km msgid creek", + "name": "Ak", + "type": "System", + "type_id": 3, + "uid": "82436e80-4ff6-11ef-b543-0242ac110005" + } + }, + "pid": 51, + "terminated_time": 1722510563782, + "terminated_time_dt": "2024-08-01T11:09:23.782445Z", + "uid": "8242ff90-4ff6-11ef-b85f-0242ac110005", + "user": { + "name": "Fitted", + "type": "Admin", + "type_id": 2, + "uid": "82429a96-4ff6-11ef-ac59-0242ac110005" + } + }, + "pid": 74, + "terminated_time": 1722510563782, + "terminated_time_dt": "2024-08-01T11:09:23.782458Z", + "uid": "82423a2e-4ff6-11ef-ac30-0242ac110005", + "user": { + "name": "Prep", + "type": "Unknown", + "type_id": 0, + "uid": "82422f2a-4ff6-11ef-8418-0242ac110005" + } + }, + "terminated_time_dt": "2024-08-01T11:09:23.782Z", + "tid": 31, + "uid": "8241b414-4ff6-11ef-942e-0242ac110005", + "user": { + "account": { + "name": "person catalogs assembled", + "type": "AWS IAM Role", + "type_id": "4", + "uid": "8241a78a-4ff6-11ef-a514-0242ac110005" + }, + "email_addr": "Mabel@appointment.cat", + "groups": [ + { + "name": "minneapolis listen accounts", + "uid": "82419740-4ff6-11ef-8605-0242ac110005" + }, + { + "name": "convert temporal sees", + "type": "pointer launch particle", + "uid": "82419e0c-4ff6-11ef-a40e-0242ac110005" + } + ], + "type": "System", + "type_id": "3", + "uid": "82418dcc-4ff6-11ef-ad9d-0242ac110005" + } + }, + "pid": 55, + "uid": "82411bb2-4ff6-11ef-a29d-0242ac110005" + }, + "user": { + "name": "Villa", + "org": { + "name": "replied reservation circles", + "ou_name": "dale halloween convenience", + "uid": "82442fdc-4ff6-11ef-b680-0242ac110005" + }, + "type": "seek", + 
"type_id": "99", + "uid": "824425be-4ff6-11ef-8b9f-0242ac110005", + "uid_alt": "trout americans substance" + } + }, + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "NTP Activity", + "class_uid": "4013", + "cloud": { + "account": { + "name": "diet services amazon", + "type": "Linux Account", + "type_id": "9", + "uid": "823f3676-4ff6-11ef-87ce-0242ac110005" + }, + "provider": "son fits additions", + "region": "stick aurora admission" + }, + "connection_info": { + "direction": "Lateral", + "direction_id": "3", + "protocol_num": "24", + "protocol_ver": "1" + }, + "count": 97, + "device": { + "container": { + "hash": { + "algorithm": "magic", + "algorithm_id": 99, + "value": "CB553813B87B309D428B27D4E5A9457DCAD28C846E4C0EFAB7A1A8FA2345B199" + }, + "image": { + "name": "distance beautifully maximum", + "tag": "passed contribution studied", + "uid": "8240a3d0-4ff6-11ef-be39-0242ac110005" + }, + "name": "hormone investigated performances", + "orchestrator": "genes thick degree", + "size": 793369097, + "uid": "82409b10-4ff6-11ef-b701-0242ac110005" + }, + "created_time": "2024-08-01T11:09:23.758Z", + "hostname": "teeth.nato", + "image": { + "labels": [ + "microsoft" + ], + "uid": "8240911a-4ff6-11ef-a984-0242ac110005" + }, + "instance_uid": "8240879c-4ff6-11ef-af64-0242ac110005", + "interface_name": "abstracts cj highs", + "interface_uid": "8240ade4-4ff6-11ef-b741-0242ac110005", + "ip": "216.160.83.56", + "is_managed": false, + "location": { + "city": "Vic screenshot", + "continent": "North America", + "coordinates": [ + 22.1588, + 28.2006 + ], + "country": "GP", + "desc": "Guadeloupe" + }, + "name": "keyboards sudan tp", + "namespace_pid": 56, + "region": "painful lifetime significant", + "subnet": "38.80.125.0/24", + "type": "Unknown", + "type_id": "0", + "vlan_uid": "824080b2-4ff6-11ef-a395-0242ac110005" + }, + "dst_endpoint": { + "container": { + "hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": 
"0A2D96EB4F44895D58B6441A0129F11199AB967C178305172B83A039B4E6D41287DD945B3BCB4937343A8E4ECB95E4A9C84B495FF73B7F404EC88A0A0FA286F3" + }, + "image": { + "labels": [ + "oc", + "inside" + ], + "name": "scientific isa thrown", + "path": "isbn phones proof", + "uid": "823ec95c-4ff6-11ef-9378-0242ac110005" + }, + "name": "fisher invite serial", + "size": 480391375, + "uid": "823eb962-4ff6-11ef-b477-0242ac110005" + }, + "hostname": "sporting.edu", + "interface_name": "active rc saying", + "interface_uid": "823ed398-4ff6-11ef-9896-0242ac110005", + "intermediate_ips": [ + "81.2.69.142", + "81.2.69.144" + ], + "ip": "67.43.156.0", + "name": "foul coming meetings", + "namespace_pid": 38, + "port": 26803, + "svc_name": "cyber influence simon", + "type": "Virtual", + "type_id": 6, + "uid": "823eaf30-4ff6-11ef-9671-0242ac110005", + "vpc_uid": "823edb22-4ff6-11ef-bd25-0242ac110005" + }, + "load_balancer": { + "code": 47, + "dst_endpoint": { + "container": { + "hash": { + "algorithm": "CTPH", + "algorithm_id": 5, + "value": "5733974066CC8F9646E6E1E170DB95F2B5D0E7DCDADF8A62A35EB47B61FCE172316B9A40AFD4FC58EC1B104C1DB4D1E2F0858866EDF563DE649A755940BCD18C" + }, + "image": { + "name": "repairs opposed condos", + "path": "circulation franklin everybody", + "tag": "melissa post courage", + "uid": "823e1c46-4ff6-11ef-a5a8-0242ac110005" + }, + "name": "allowed entered philippines", + "size": 4007710700, + "tag": "items preservation orleans", + "uid": "823e1200-4ff6-11ef-833f-0242ac110005" + }, + "hostname": "brake.jobs", + "instance_uid": "823e25ec-4ff6-11ef-8a0b-0242ac110005", + "interface_name": "adelaide hewlett housewives", + "interface_uid": "823e2c9a-4ff6-11ef-9dc6-0242ac110005", + "ip": "31.13.253.50", + "name": "aspect attempted credit", + "namespace_pid": 0, + "port": 42720, + "svc_name": "layout radius connectors", + "type": "Laptop", + "type_id": 3, + "uid": "823e06ac-4ff6-11ef-949d-0242ac110005", + "vpc_uid": "823e3352-4ff6-11ef-8cdc-0242ac110005" + }, + "endpoint_connections": 
[ + { + "code": 7, + "network_endpoint": { + "hostname": "principle.nato", + "hw_info": { + "keyboard_info": { + "ime": "mark least sean" + }, + "ram_size": 94, + "serial_number": "invest spring distributors" + }, + "instance_uid": "823e6bd8-4ff6-11ef-9050-0242ac110005", + "interface_name": "bouquet shorter node", + "interface_uid": "823e7290-4ff6-11ef-b82d-0242ac110005", + "ip": "155.162.119.5", + "port": 9631, + "svc_name": "surfing lynn leonard", + "type": "Mobile", + "type_id": 5, + "uid": "823e6124-4ff6-11ef-83b0-0242ac110005" + } + }, + { + "code": 95, + "network_endpoint": { + "container": { + "image": { + "name": "usda ian manitoba", + "uid": "823e8d8e-4ff6-11ef-ae19-0242ac110005" + }, + "name": "cad xanax businesses", + "orchestrator": "control flame phrases", + "size": 2100136552, + "uid": "823e83fc-4ff6-11ef-9497-0242ac110005" + }, + "hostname": "ranging.pro", + "instance_uid": "823e94a0-4ff6-11ef-bdd0-0242ac110005", + "interface_name": "platform boat nav", + "interface_uid": "823e9f2c-4ff6-11ef-8022-0242ac110005", + "ip": "102.249.60.133", + "name": "ambien thermal advance", + "namespace_pid": 32, + "port": 58409, + "svc_name": "intention currency persons", + "type": "Browser", + "type_id": 8, + "zone": "beverly fm stage" + } + } + ], + "name": "threats invoice popularity", + "uid": "823df61c-4ff6-11ef-a0b1-0242ac110005" + }, + "message": "c attended regulated", + "metadata": { + "labels": [ + "martin", + "lil" + ], + "log_level": "recovered device retail", + "log_name": "planets van wine", + "log_provider": "execute lite utah", + "original_time": "fairy affecting agricultural", + "processed_time_dt": "2024-08-01T11:09:23.756Z", + "product": { + "cpe_name": "skilled ru contributions", + "name": "raising sodium preliminary", + "uid": "82400ab0-4ff6-11ef-abab-0242ac110005", + "url_string": "mad", + "vendor_name": "answer probe affiliation", + "version": "1.1.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host", + "linux/linux_users", + 
"load_balancer", + "network_proxy", + "security_control" + ], + "sequence": 44, + "tenant_uid": "8240179e-4ff6-11ef-b399-0242ac110005", + "version": "1.1.0" + }, + "observables": [ + { + "name": "logged nasdaq hosts", + "type": "Hash", + "type_id": "8" + }, + { + "name": "trading friends request", + "type": "gentle", + "type_id": "99" + } + ], + "precision": 47, + "proxy_connection_info": { + "direction": "commodity", + "direction_id": 99, + "protocol_num": 62, + "protocol_ver": "Internet Protocol version 4 (IPv4)", + "protocol_ver_id": 4, + "uid": "8240bb40-4ff6-11ef-9482-0242ac110005" + }, + "proxy_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-1", + "algorithm_id": 2, + "value": "428AC4813390324C88145AE1CB67084A8DA3386B" + }, + "image": { + "name": "jewish rating housewives", + "uid": "8240de40-4ff6-11ef-8dac-0242ac110005" + }, + "name": "actions bullet populations", + "network_driver": "midi florists tired", + "orchestrator": "contract girl traditional", + "size": 1551677878, + "uid": "8240d5bc-4ff6-11ef-8e32-0242ac110005" + }, + "hostname": "fashion.aero", + "instance_uid": "8240e746-4ff6-11ef-a2e6-0242ac110005", + "interface_name": "bring ana ex", + "ip": "175.16.199.0", + "mac": "AA:9E:EF:FA:F6:8C:22:78", + "name": "resources contracts treasury", + "namespace_pid": 71, + "port": 32431, + "svc_name": "democratic benefits supplier", + "type": "Hub", + "type_id": 11, + "uid": "8240c996-4ff6-11ef-a9b6-0242ac110005" + }, + "proxy_http_response": { + "code": 84, + "http_headers": [ + { + "name": "valid involving problem", + "value": "swiss navigator focused" + } + ], + "status": "accident around gamespot" + }, + "proxy_tls": { + "certificate_chain": [ + "pack menu plot" + ], + "cipher": "cent memories rochester", + "ja3_hash": { + "algorithm": "MD5", + "algorithm_id": 1, + "value": "AC725768466500046904D27B548D75C5" + }, + "ja3s_hash": { + "algorithm": "Unknown", + "algorithm_id": 0, + "value": 
"FF1E2DBC60149EBF225BBC13B2E100CEC2DF9FE5A8024345B354723618C4A4B74622930D7ED086F5B727F66E3E617E0DA4E39B3BFB4B67378F600594D2C05396" + }, + "key_length": 36, + "sni": "identification vincent breakfast", + "tls_extension_list": [ + { + "data": "recruitment", + "type": "server_name", + "type_id": 0 + } + ], + "version": "1.1.0" + }, + "proxy_traffic": { + "packets": 3436547282 + }, + "severity": "indirect", + "severity_id": 99, + "src_endpoint": { + "container": { + "hash": { + "algorithm": "SHA-512", + "algorithm_id": 4, + "value": "FEA9B0C8FDA936ECB33171CEBCAB7B574A0BD1A0A1D6B08474F8E20388709CAA28CB19DD8A53F0238CDD07712528D0AC7DE36988DE03147B1524257D6C190823" + }, + "image": { + "name": "toddler yahoo dressing", + "uid": "82405042-4ff6-11ef-9809-0242ac110005" + }, + "name": "variety summary focused", + "size": 1038161419, + "uid": "824041c4-4ff6-11ef-916a-0242ac110005" + }, + "hostname": "sacrifice.jobs", + "instance_uid": "8240592a-4ff6-11ef-a917-0242ac110005", + "interface_name": "bobby machines drink", + "interface_uid": "82405fb0-4ff6-11ef-8580-0242ac110005", + "ip": "89.160.20.128", + "location": { + "city": "Death stars", + "continent": "Asia", + "coordinates": [ + -54.8511, + 61.8154 + ], + "country": "MO", + "desc": "Macao, Special Administrative Region of China" + }, + "name": "brandon attacked blonde", + "namespace_pid": 19, + "port": 23430, + "type": "Virtual", + "type_id": 6, + "uid": "82403698-4ff6-11ef-bb82-0242ac110005", + "vpc_uid": "824065c8-4ff6-11ef-83f7-0242ac110005", + "zone": "admitted freebsd lazy" + }, + "status": "Success", + "status_id": "1", + "stratum": "Unsynchronized", + "stratum_id": 16, + "time": "2024-08-01T11:09:23.760Z", + "timezone_offset": 59, + "type_name": "NTP Activity: Client Synchronization", + "type_uid": "401303", + "version": "1.1.0" + }, + "process": { + "command_line": "composer oriented salt", + "entity_id": "82411bb2-4ff6-11ef-a29d-0242ac110005", + "parent": { + "command_line": "scientist discover md", + "end": 
"2024-08-01T11:09:23.782Z", + "entity_id": "8241b414-4ff6-11ef-942e-0242ac110005", + "group": { + "name": "crisis vulnerable challenge" + }, + "name": "Peripheral", + "start": "2024-08-01T11:09:23.767Z", + "thread": { + "id": 31 + }, + "user": { + "email": "Mabel@appointment.cat", + "group": { + "id": [ + "82419740-4ff6-11ef-8605-0242ac110005", + "82419e0c-4ff6-11ef-a40e-0242ac110005" + ], + "name": [ + "minneapolis listen accounts", + "convert temporal sees" + ] + }, + "id": [ + "21", + "82418dcc-4ff6-11ef-ad9d-0242ac110005" + ] + } + }, + "pid": 55, + "start": "2024-08-01T11:09:23.763Z", + "user": { + "id": [ + "20" + ] + } + }, + "related": { + "hash": [ + "FB62C3D023C80BF37169DFFD866BD30AF45E2274F6D63654E805AA43C6D23A16", + "866B6A4496BE310906297BA18911C77BFAE1C93BC72E9928D71B99CA7DB9BBFB64011AE273A934FB07149E380121579F8F57C8B70195D5893BE983497C7401A9", + "9F8E773E3B9D47BE47FA380985087C12F510973FD173B27657A4BAB7D0932A136A0A5D5AC53B909689AE6CC0439BFC3DE52907BC8DD305994F8D5955D3319D7C", + "8879181273A51CEAC15FF28D95FEF4690E668D3565C680638C1FEADEA3A66CCFA9845C83F22F56EA7ED164C8D919019373A1F877DA156F876D0358EB0DEF36E6", + "8735D62A700225288A69C4C58805E742E91D287FC59A68C297753E5B7D1E420B" + ], + "hosts": [ + "teeth.nato", + "keyboards sudan tp", + "sacrifice.jobs", + "sporting.edu" + ], + "ip": [ + "216.160.83.56", + "89.160.20.128", + "67.43.156.0", + "81.2.69.142", + "81.2.69.144" + ], + "user": [ + "20", + "824425be-4ff6-11ef-8b9f-0242ac110005", + "Villa", + "tiny democrats map", + "Dinner", + "8241051e-4ff6-11ef-8c1c-0242ac110005", + "Mabel@appointment.cat", + "21", + "82418dcc-4ff6-11ef-ad9d-0242ac110005", + "Mp", + "82415dc0-4ff6-11ef-8589-0242ac110005", + "Contemporary", + "82416b62-4ff6-11ef-bb14-0242ac110005", + "Clelia@servers.arpa", + "Clock", + "824111ee-4ff6-11ef-80d5-0242ac110005", + "trout americans substance" + ] + }, + "source": { + "domain": [ + "sacrifice.jobs" + ], + "geo": { + "city_name": "Death stars", + "continent_name": "Asia", + 
"country_iso_code": "MO", + "location": [ + -54.8511, + 61.8154 + ], + "name": "Macao, Special Administrative Region of China" + }, + "ip": "89.160.20.128", + "port": 23430 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "martin", + "lil" + ], + "user": { + "id": "824425be-4ff6-11ef-8b9f-0242ac110005", + "name": "Villa" + } + }, + { + "@timestamp": "2024-08-12T09:32:57.274Z", + "data_stream": { + "dataset": "amazon_security_lake.network_activity", + "namespace": "default", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "email": { + "cc": { + "address": [ + "Loren@receivers.info", + "Madeline@sue.net" + ] + }, + "from": { + "address": [ + "Francoise@audi.museum" + ] + }, + "local_id": "dbc8706e-588d-11ef-af1b-0242ac110005", + "message_id": "dbc878de-588d-11ef-9c86-0242ac110005", + "reply_to": { + "address": [ + "Twana@optimization.aero" + ] + }, + "to": { + "address": [ + "Lizzie@keyword.net" + ] + } + }, + "event": { + "action": "sense-cheat-builder", + "category": [ + "email" + ], + "code": "cats", + "id": "dbc818a8-588d-11ef-aa74-0242ac110005", + "kind": "event", + "original": "{\"message\":\"andale freely producers\",\"status\":\"Success\",\"time\":1723455177274626,\"metadata\":{\"version\":\"1.1.0\",\"product\":{\"name\":\"sunshine lopez dimension\",\"version\":\"1.1.0\",\"path\":\"correctly was books\",\"uid\":\"dbc81042-588d-11ef-aff0-0242ac110005\",\"vendor_name\":\"common posting displayed\"},\"uid\":\"dbc818a8-588d-11ef-aa74-0242ac110005\",\"profiles\":[],\"event_code\":\"cats\",\"log_name\":\"queen lexmark honolulu\",\"log_provider\":\"technique wc mountains\",\"modified_time\":1723455177273194,\"original_time\":\"china compact 
prototype\",\"tenant_uid\":\"dbc8214a-588d-11ef-8173-0242ac110005\"},\"severity\":\"Medium\",\"email\":{\"size\":3113926462,\"uid\":\"dbc8706e-588d-11ef-af1b-0242ac110005\",\"from\":\"Francoise@audi.museum\",\"cc\":[\"Loren@receivers.info\",\"Madeline@sue.net\"],\"to\":[\"Lizzie@keyword.net\"],\"message_uid\":\"dbc878de-588d-11ef-9c86-0242ac110005\",\"reply_to\":\"Twana@optimization.aero\",\"smtp_from\":\"Shenita@endangered.jobs\",\"smtp_to\":[\"Lydia@or.gov\",\"Malena@writing.firm\"]},\"direction\":\"Inbound\",\"type_uid\":1046489335,\"category_name\":\"Network Activity\",\"class_uid\":4009,\"category_uid\":4,\"class_name\":\"Email Activity\",\"timezone_offset\":29,\"activity_name\":\"sense cheat builder\",\"direction_id\":1,\"email_auth\":{\"dkim\":\"asbestos equal pass\",\"dkim_domain\":\"gibraltar res hip\",\"dkim_signature\":\"phys coordinate pointing\",\"dmarc\":\"bulk stud occasion\",\"dmarc_override\":\"specification adobe dam\",\"dmarc_policy\":\"oem over educated\"},\"enrichments\":[{\"data\":{\"healthcare\":\"hddhj\"},\"name\":\"dip follow theta\",\"type\":\"eastern eleven ratio\",\"value\":\"yards playstation passwords\",\"provider\":\"belkin humanity vid\"},{\"data\":\"ja\",\"name\":\"lang advertise sharp\",\"type\":\"croatia housewives wan\",\"value\":\"thumb routing firms\",\"provider\":\"determining delay team\"}],\"severity_id\":3,\"smtp_hello\":\"isbn purposes yea\",\"src_endpoint\":{\"name\":\"vietnam chamber rational\",\"port\":59948,\"ip\":\"67.43.156.0\",\"hostname\":\"while.mobi\",\"uid\":\"dbc831da-588d-11ef-8bc6-0242ac110005\",\"hw_info\":{\"bios_manufacturer\":\"restricted while suspension\",\"cpu_count\":98,\"keyboard_info\":null,\"ram_size\":54,\"serial_number\":\"ps lol launched\"},\"instance_uid\":\"dbc83cde-588d-11ef-8ecb-0242ac110005\",\"interface_name\":\"buses variation russia\",\"interface_uid\":\"dbc843f0-588d-11ef-8f5a-0242ac110005\",\"svc_name\":\"drunk m 
week\",\"vlan_uid\":\"dbc84ae4-588d-11ef-89b1-0242ac110005\",\"vpc_uid\":\"dbc85138-588d-11ef-bcda-0242ac110005\"},\"status_detail\":\"croatia ks compile\",\"status_id\":1}", + "outcome": "success", + "provider": "technique wc mountains", + "severity": 3, + "type": [ + "info" + ] + }, + "message": "andale freely producers", + "network": { + "application": [ + "drunk m week" + ] + }, + "ocsf": { + "activity_name": "sense cheat builder", + "category_name": "Network Activity", + "category_uid": "4", + "class_name": "Email Activity", + "class_uid": "4009", + "direction": "Inbound", + "direction_id": "1", + "email": { + "cc": [ + "Loren@receivers.info", + "Madeline@sue.net" + ], + "from": "Francoise@audi.museum", + "message_uid": "dbc878de-588d-11ef-9c86-0242ac110005", + "reply_to": "Twana@optimization.aero", + "size": 3113926462, + "smtp_from": "Shenita@endangered.jobs", + "smtp_to": [ + "Lydia@or.gov", + "Malena@writing.firm" + ], + "to": [ + "Lizzie@keyword.net" + ], + "uid": "dbc8706e-588d-11ef-af1b-0242ac110005" + }, + "email_auth": { + "dkim": "asbestos equal pass", + "dkim_domain": "gibraltar res hip", + "dkim_signature": "phys coordinate pointing", + "dmarc": "bulk stud occasion", + "dmarc_override": "specification adobe dam", + "dmarc_policy": "oem over educated" + }, + "enrichments": [ + { + "data": { + "healthcare": "hddhj" + }, + "name": "dip follow theta", + "provider": "belkin humanity vid", + "type": "eastern eleven ratio", + "value": "yards playstation passwords" + }, + { + "data": "ja", + "name": "lang advertise sharp", + "provider": "determining delay team", + "type": "croatia housewives wan", + "value": "thumb routing firms" + } + ], + "message": "andale freely producers", + "metadata": { + "event_code": "cats", + "log_name": "queen lexmark honolulu", + "log_provider": "technique wc mountains", + "modified_time": "2024-08-12T09:32:57.273Z", + "original_time": "china compact prototype", + "product": { + "name": "sunshine lopez dimension", + "path": 
"correctly was books", + "uid": "dbc81042-588d-11ef-aff0-0242ac110005", + "vendor_name": "common posting displayed", + "version": "1.1.0" + }, + "tenant_uid": "dbc8214a-588d-11ef-8173-0242ac110005", + "uid": "dbc818a8-588d-11ef-aa74-0242ac110005", + "version": "1.1.0" + }, + "severity": "Medium", + "severity_id": 3, + "smtp_hello": "isbn purposes yea", + "src_endpoint": { + "hostname": "while.mobi", + "hw_info": { + "bios_manufacturer": "restricted while suspension", + "cpu_count": 98, + "ram_size": 54, + "serial_number": "ps lol launched" + }, + "instance_uid": "dbc83cde-588d-11ef-8ecb-0242ac110005", + "interface_name": "buses variation russia", + "interface_uid": "dbc843f0-588d-11ef-8f5a-0242ac110005", + "ip": "67.43.156.0", + "name": "vietnam chamber rational", + "port": 59948, + "svc_name": "drunk m week", + "uid": "dbc831da-588d-11ef-8bc6-0242ac110005", + "vlan_uid": "dbc84ae4-588d-11ef-89b1-0242ac110005", + "vpc_uid": "dbc85138-588d-11ef-bcda-0242ac110005" + }, + "status": "Success", + "status_detail": "croatia ks compile", + "status_id": "1", + "time": "2024-08-12T09:32:57.274Z", + "timezone_offset": 29, + "type_uid": "1046489335" + }, + "related": { + "hosts": [ + "while.mobi" + ], + "ip": [ + "67.43.156.0" + ], + "user": [ + "Loren@receivers.info", + "Madeline@sue.net", + "Francoise@audi.museum", + "Twana@optimization.aero", + "Shenita@endangered.jobs", + "Lydia@or.gov", + "Malena@writing.firm", + "Lizzie@keyword.net" + ] + }, + "source": { + "domain": [ + "while.mobi" + ], + "ip": "67.43.156.0", + "port": 59948 + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] -} \ No newline at end of file +} diff --git a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json index 7a5d75f1c414..701072c46df1 100644 
--- a/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json +++ b/packages/amazon_security_lake/data_stream/event/_dev/test/pipeline/test-system-activity.log-expected.json @@ -5565,4 +5565,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 49d6fa96971a..8a553ded23de 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Amazon Security Lake Events. -# Base Event docs: https://schema.ocsf.io/1.0.0/base_event?extensions= +# Base Event docs: https://schema.ocsf.io/1.1.0/base_event?extensions= processors: - set: field: ecs.version 
@@ -20,6 +20,60 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Recursively traverses the ocsf object to convert suspected timestamps to milliseconds. + tag: convert_timestamps_to_milliseconds + lang: painless + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + source: >- + def convertToMilliseconds(long timestamp) { + if ((long)1e19 - 1 < timestamp) { + throw new IllegalArgumentException("Timestamp format not recognized: " + timestamp); + } else if ((long)1e16 - 1 < timestamp) { + return timestamp / 1000000; // Convert nanoseconds to milliseconds + } else if ((long)1e13 - 1 < timestamp) { + return timestamp / 1000; // Convert microseconds to milliseconds + } else if ((long)1e10 - 1 < timestamp) { + return timestamp; // Already in milliseconds, no conversion needed + } else { + return timestamp * 1000; // Convert seconds to milliseconds + } + } + + def processFields(Map fields) { + for (entry in fields.entrySet()) { + def fieldName = entry.getKey(); + def fieldValue = entry.getValue(); + // Check if the field is a nested object (Map) + if (fieldValue instanceof Map) { + // Recursively process nested objects + processFields((Map) fieldValue); + } else if (fieldName.endsWith('time') || fieldName.endsWith('_time')) { + // If the field name ends with "time" or "_time" and is a number, convert it + if (fieldValue instanceof Number) { + fields[fieldName] = convertToMilliseconds(((Number) fieldValue).longValue()); + } + } + } + return null; + } + processFields(ctx.ocsf); + + - rename: + field: ocsf.resource + target_field: ocsf.resources + 
tag: rename_resource_to_resources + ignore_missing: true + if : ctx.ocsf?.resources == null + - rename: + field: ocsf.finding_info_list + target_field: ocsf.finding_info + tag: rename_finding_info_list_to_finding_info + ignore_missing: true + if : ctx.ocsf?.finding_info == null - convert: field: ocsf.class_uid tag: convert_class_uid_to_string @@ -28,12 +82,12 @@ processors: - set: field: event.kind tag: set_event_kind - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6001','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid) value: event - set: field: event.kind tag: set_event_kind - if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['2001','2002','2003','2004','2005'].contains(ctx.ocsf.class_uid) value: alert - append: field: event.category @@ -46,7 +100,7 @@ processors: tag: append_vulnerability_into_event_category value: vulnerability allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['2001'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null + if: ctx.ocsf?.class_uid != null && ['2001','2002','2003','2004','2005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.vulnerabilities != null - append: field: event.category tag: append_iam_into_event_category 
@@ -70,7 +124,7 @@ processors: tag: append_network_into_event_category value: network allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['4001','4003','4004','4005','4007','4008','4010'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['4001','4003','4004','4005','4007','4008','4010','4013'].contains(ctx.ocsf.class_uid) - append: field: event.category tag: append_api_into_event_category @@ -82,7 +136,7 @@ processors: tag: append_file_into_event_category value: file allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','4006','4008','4010','4011'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','4006','4008','4010','4011','6006'].contains(ctx.ocsf.class_uid) - append: field: event.category tag: append_email_into_event_category @@ -124,7 +178,7 @@ processors: tag: append_info_into_event_type value: info allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6002','6003','6004'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1007','2001', '2002','2003','2004','2005','3001','3002','3003','3005','3006','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5004','5019','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid) - append: field: event.type tag: append_user_into_event_type 
@@ -148,7 +202,7 @@ processors: tag: append_creation_into_event_type value: creation allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','3001','4006','5002'].contains(ctx.ocsf.class_uid) && ['Create','File Create','Log'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1001','2005','3001','4006','5002'].contains(ctx.ocsf.class_uid) && ['Create','File Create','Log'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_access_into_event_type @@ -166,13 +220,13 @@ processors: tag: append_start_into_event_type value: start allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','6002'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4013','4007','6002','6007'].contains(ctx.ocsf.class_uid) && ['Launch','Logon','Open','Start','Started','Symmetric Active Exchange','Client Synchronization','Broadcast','Control'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_end_into_event_type value: end allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1007','3002','4001','4007','6002'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Stop'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1007','2005','3002','4001','4007','4013','6002','6007'].contains(ctx.ocsf.class_uid) && ['Terminate','Logoff','Close','Completed','Stop','Symmetric Passive Response','Server Response','Private Use Case','Other'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_denied_into_event_type 
@@ -190,7 +244,7 @@ processors: tag: append_change_into_event_type value: change allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['1001','4006','4010'].contains(ctx.ocsf.class_uid) && ['Update','File Supersede','File Overwrite','Update','Rename'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['1001','2005','4006','4010'].contains(ctx.ocsf.class_uid) && ['Update','File Supersede','File Overwrite','Update','Rename'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_connection_into_event_type @@ -202,13 +256,13 @@ processors: tag: append_installation_into_event_type value: installation allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['6002'].contains(ctx.ocsf.class_uid) && ['Install'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['6002','5004'].contains(ctx.ocsf.class_uid) && ['Install','Log','Collect'].contains(ctx.ocsf.activity_name) - append: field: event.type tag: append_error_into_event_type value: error allow_duplicates: false - if: ctx.ocsf?.class_uid != null && ['6004'].contains(ctx.ocsf.class_uid) && ['Access Error'].contains(ctx.ocsf.activity_name) + if: ctx.ocsf?.class_uid != null && ['6004','6007'].contains(ctx.ocsf.class_uid) && ['Access Error','Error'].contains(ctx.ocsf.activity_name) - set: field: cloud.account.id tag: set_cloud_account_uid @@ -363,6 +417,11 @@ processors: tag: convert_cloud_account_type_id_to_string type: string ignore_missing: true + - convert: + field: ocsf.resource.owner.type_id + tag: convert_resource_owner_type_id_to_string + type: string + ignore_missing: true - convert: field: ocsf.count tag: convert_count_to_long 
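Review bot: in the `append_installation_into_event_type` hunk, class 5004 is tagged `installation` on activity `Log` or `Collect`, but those names describe reporting of collected state (the same `Log` is treated as `creation` for 5002 above), and 5004 is already covered by the `info` list; unless an install is really implied, drop 5004 here or limit it to `Install`. Also, while touching the `change` condition, remove the duplicated `'Update'` in `['Update','File Supersede','File Overwrite','Update','Rename']`.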
@@ -588,17 +647,6 @@ processors: tag: convert_type_id_to_string type: string ignore_missing: true - - script: - lang: painless - tag: script_to_map_observables_into_key_value_pair - description: Map observables into key value pair. - if: ctx.ocsf?.observables != null && ctx.ocsf.observables instanceof List - source: > - for (int i = 0; i < ctx.ocsf.observables.length; ++i) { - if (ctx['ocsf']['observables'][i]['value'] != null) { - ctx.ocsf.observables[i][ctx['ocsf']['observables'][i]['name']] = ctx['ocsf']['observables'][i]['value']; - } - } - convert: field: ocsf.severity_id tag: convert_severity_id_to_long 
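Review bot: removing `script_to_map_observables_into_key_value_pair` is the right call, because it used the observable's `name` (data supplied by the event source, including third-party custom sources) as a field key, which lets a source grow the mapping without bound or collide with existing keys; but it silently drops the `ocsf.observables.<name>` keys that earlier versions produced, and the 2.0.0 changelog entry only says "major pipeline rework". Add an explicit breaking-change line so users with saved searches on those keys know, and if the name/value lookup is still wanted, implement it with fixed field names.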
@@ -699,37 +747,37 @@ processors: ignore_missing: true - pipeline: name: '{{ IngestPipeline "pipeline_object_actor" }}' - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','5001','5002','6001','6002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4011','4012','4013','5001','5002','5003','5019','6001','6002','6003','6004','6005','6006','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.actor != null tag: pipeline_object_actor ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_attack" }}' - if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.attacks != null tag: pipeline_object_attack ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_network_connection_info" }}' - if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null + if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013','6006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.connection_info != null tag: pipeline_object_network_connection_info ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_device" }}' - if: ctx.ocsf?.class_uid != null && 
['1001','1002','1003','1004','1005','1006','1007','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','5001','5002','6001','6002','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null + if: ctx.ocsf?.class_uid != null && ['1001','1002','1003','1004','1005','1006','1007','2002','2003','3001','3002','3003','3004','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4011','4012','4013','5001','5002','5004','5019','6001','6002','6004','6007'].contains(ctx.ocsf.class_uid) && ctx.ocsf.device != null tag: pipeline_object_device ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_http_request" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','4002','6003','6004'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null + if: ctx.ocsf?.class_uid != null && ['3001','3002','4002','6003','6004','6005'].contains(ctx.ocsf.class_uid) && ctx.ocsf.http_request != null tag: pipeline_object_http_request ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_malware" }}' - if: ctx.ocsf?.class_uid != null && ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null + if: ctx.ocsf?.class_uid != null && ['2001','4001','4002','4003','4005','4006','4007','4008','4009','4011','4012','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.malware != null tag: pipeline_object_malware ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_network_endpoint" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','6001','6003','6004'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null) + if: ctx.ocsf?.class_uid != null && 
['3001','3002','3003','3005','4001','4002','4003','4004','4005','4006','4007','4008','4009','4010','4013','6001','6003','6004','6005','6006'].contains(ctx.ocsf.class_uid) && (ctx.ocsf.dst_endpoint != null || ctx.ocsf.src_endpoint != null) tag: pipeline_object_network_endpoint ignore_missing_pipeline: true - pipeline: 
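Review bot: 2004 appears in the `info` event.type list earlier in the file but in none of the object-pipeline allowlists in these hunks (actor, attack, device, network_endpoint add 2002/2003 or 2005 only), so a Detection Finding's nested objects will stay under `ocsf.*` without ECS enrichment; confirm whether that omission is deliberate for 1.1 and, if not, add 2004 to the actor/device/attack lists alongside 2002/2003. Same maintainability comment as above: each of these lists is edited by hand in a dozen places.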
@@ -739,27 +787,27 @@ processors: ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_proxy" }}' - if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null + if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.proxy != null tag: pipeline_object_proxy ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_tls" }}' - if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null + if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.tls != null tag: pipeline_object_tls ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_traffic" }}' - if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null + if: ctx.ocsf?.class_uid != null && ['4001','4002','4003','4005','4006','4007','4008','4013'].contains(ctx.ocsf.class_uid) && ctx.ocsf.traffic != null tag: pipeline_object_traffic ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_user" }}' - if: ctx.ocsf?.class_uid != null && ['3001','3002','3003','3005','3006'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null + if: ctx.ocsf?.class_uid != null && ['2005','3001','3002','3003','3005','3006','5003'].contains(ctx.ocsf.class_uid) && ctx.ocsf.user != null tag: pipeline_object_user ignore_missing_pipeline: true - pipeline: name: '{{ IngestPipeline "pipeline_object_file" }}' - if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011'].contains(ctx.ocsf.class_uid) + if: ctx.ocsf?.class_uid != null && ['1001','4006','4010','4011','6006'].contains(ctx.ocsf.class_uid) tag: pipeline_object_file 
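Review bot: the `pipeline_object_file` condition still lacks the `&& ctx.ocsf.file != null` guard that every sibling condition in these hunks has (`ctx.ocsf.proxy != null`, `ctx.ocsf.tls != null`, `ctx.ocsf.user != null`), and this change extends it to 6006; add the guard so the sub-pipeline is not invoked for events without a file object.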
ignore_missing_pipeline: true - pipeline: @@ -994,6 +1042,10 @@ processors: tag: remove_duplicate_custom_fields_from_malware_cves_array ignore_missing: true if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: aws + tag: remove_aws_fields + ignore_missing: true - remove: field: - ocsf.time diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml index 741c5a785be5..d7e402a1eca6 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_application_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing API Activity category. -# API Activity class docs: https://schema.ocsf.io/1.0.0/categories/application?extensions= +# API Activity class docs: https://schema.ocsf.io/1.1.0/categories/application?extensions= processors: - foreach: field: ocsf.resources diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml index d9322ab19053..6f6446831165 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_discovery.yml 
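Review bot: the new `remove: field: aws` is unconditional and not gated on the `preserve_duplicate_custom_fields` tag used by the `remove` processors right above it; if the S3/SQS input has populated `aws.s3.*` (bucket, object key) on the event, this discards the pointer back to the source object in the lake, which is exactly the provenance an analyst wants when verifying an event. Either scope the removal to the `aws.*` sub-fields that were copied into `ocsf.*`, or gate it on the same tag.

Review bot: in the `pipeline_category_application_activity.yml` hunk, the unchanged `description: Pipeline for processing API Activity category.` and the `# API Activity class docs:` label are wrong for this file, which handles the Application Activity category (the updated URL points at `categories/application`); fix both while the line is being touched.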
@@ -1,6 +1,6 @@ --- description: Pipeline for processing API Activity category. -# API Activity class docs: https://schema.ocsf.io/1.0.0/categories/discovery?extensions= +# API Activity class docs: https://schema.ocsf.io/1.1.0/categories/discovery?extensions= processors: - set: field: rule.category diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml index 347f06373c0f..9f996b89124d 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_findings.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Findings category. -# Security Findings Class docs: https://schema.ocsf.io/1.0.0/categories/findings?extensions= +# Security Findings Class docs: https://schema.ocsf.io/1.1.0/categories/findings?extensions= processors: - set: field: event.reference diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml index da114b33d82f..ed1002cecc49 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_identity_and_access_management.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Identity & Access Management category. -# Category docs: https://schema.ocsf.io/1.0.0/categories/iam?extensions= +# Category docs: https://schema.ocsf.io/1.1.0/categories/iam?extensions= processors: - set: field: user.changes.domain 
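Review bot: the `pipeline_category_discovery.yml` hunk still carries `description: Pipeline for processing API Activity category.` and the `# API Activity class docs:` label while the URL now points at `categories/discovery`; correct the description and the label to Discovery in this change rather than bumping only the version in the URL.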
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml index 69a0cd4574bb..10b22390f97c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_network_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Activity category. -# Network Activity Class docs: https://schema.ocsf.io/1.0.0/categories/network?extensions= +# Network Activity Class docs: https://schema.ocsf.io/1.1.0/categories/network?extensions= processors: - convert: field: ocsf.disposition_id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml index 8c1ab02ed585..210eaf1ce6d7 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system_activity.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing System Activity category. -# System Activity Class docs: https://schema.ocsf.io/1.0.0/categories/system?extensions= +# System Activity Class docs: https://schema.ocsf.io/1.1.0/categories/system?extensions= processors: - convert: field: ocsf.access_mask diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml index 3b2580319b47..48c4e8a85195 100644 
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_actor.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Actor object. -# Actor object docs: https://schema.ocsf.io/1.0.0/objects/actor?extensions= +# Actor object docs: https://schema.ocsf.io/1.1.0/objects/actor?extensions= processors: - set: field: container.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml index c760fd60a50f..20fe17297f75 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Attack object. -# Attack object docs: https://schema.ocsf.io/1.0.0/objects/attack?extensions= +# Attack object docs: https://schema.ocsf.io/1.1.0/objects/attack?extensions= processors: - foreach: field: ocsf.attacks diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml index e1622502ef5a..a949ab475f0c 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_device.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Device object. -# Device object docs: https://schema.ocsf.io/1.0.0/objects/device?extensions= +# Device object docs: https://schema.ocsf.io/1.1.0/objects/device?extensions= processors: - set: field: host.domain 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml index 75160a3ea7e3..4c27525a4054 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing File object. -# File object docs: https://schema.ocsf.io/1.0.0/objects/file?extensions= +# File object docs: https://schema.ocsf.io/1.1.0/objects/file?extensions= processors: - remove: field: diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml index 5bed93443394..45a5567db1f7 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_http_request.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Http Request object. -# Http Request object docs: https://schema.ocsf.io/1.0.0/objects/http_request?extensions= +# Http Request object docs: https://schema.ocsf.io/1.1.0/objects/http_request?extensions= processors: - set: field: http.request.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml index 653e91bfe751..12cc9ecf0889 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml 
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_malware.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Malware object. -# Malware object docs: https://schema.ocsf.io/1.0.0/objects/malware?extensions= +# Malware object docs: https://schema.ocsf.io/1.1.0/objects/malware?extensions= processors: - foreach: field: ocsf.malware diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml index a5cde447b830..18513e4098da 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_connection_info.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Connection object. -# Network Connection object docs: https://schema.ocsf.io/1.0.0/objects/network_connection_info?extensions= +# Network Connection object docs: https://schema.ocsf.io/1.1.0/objects/network_connection_info?extensions= processors: - convert: field: ocsf.connection_info.boundary_id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml index cb532f58e68c..320c91d35647 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_network_endpoint.yml 
@@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Endpoint object. -# Network Endpoint object docs: https://schema.ocsf.io/1.0.0/objects/network_endpoint?extensions= +# Network Endpoint object docs: https://schema.ocsf.io/1.1.0/objects/network_endpoint?extensions= processors: - append: field: source.domain diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml index e9ae423f1214..49595bf8ced8 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Process object. -# Process object docs: https://schema.ocsf.io/1.0.0/objects/process?extensions= +# Process object docs: https://schema.ocsf.io/1.1.0/objects/process?extensions= processors: - set: field: container.id diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml index ec49777db755..95606ecbda51 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_proxy.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Proxy object. -# Network Proxy object docs: https://schema.ocsf.io/1.0.0/objects/network_proxy?extensions= +# Network Proxy object docs: https://schema.ocsf.io/1.1.0/objects/network_proxy?extensions= processors: - convert: field: ocsf.proxy.location.is_on_premises 
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml index e6e49674c9b7..163eaf0921bf 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_system_activity_helper.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing System Activity helper category. -# System Activity Class docs: https://schema.ocsf.io/1.0.0/categories/system?extensions= +# System Activity Class docs: https://schema.ocsf.io/1.1.0/categories/system?extensions= processors: - remove: field: diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml index fb0b272afaa1..61409c7f1d33 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_tls.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing TLS object. -# TLS object docs: https://schema.ocsf.io/1.0.0/objects/tls?extensions= +# TLS object docs: https://schema.ocsf.io/1.1.0/objects/tls?extensions= processors: - set: field: tls.cipher diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml index 2629b54fb14b..1b2ab5343f1a 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml 
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_traffic.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing Network Traffic object. -# Network Traffic object docs: https://schema.ocsf.io/1.0.0/objects/network_traffic?extensions= +# Network Traffic object docs: https://schema.ocsf.io/1.1.0/objects/network_traffic?extensions= processors: - convert: field: ocsf.traffic.bytes_in diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml index c51d99a351a7..803acf7a1956 100644 --- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml +++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_user.yml @@ -1,6 +1,6 @@ --- description: Pipeline for processing User object. -# User object docs: https://schema.ocsf.io/1.0.0/objects/user?extensions= +# User object docs: https://schema.ocsf.io/1.1.0/objects/user?extensions= processors: - set: field: user.target.domain 
@@ -87,6 +87,38 @@ processors: value: '{{{ocsf.user.uid_alt}}}' allow_duplicates: false if: ctx.ocsf?.user?.uid_alt != null + - foreach: + field: ocsf.user.ldap_person.email_addrs + if: ctx.ocsf?.user?.ldap_person?.email_addrs instanceof List + ignore_failure: true + processor: + append: + field: user.ldap_person.email_addrs + tag: append_user_ldap_person_email_addrs + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - foreach: + field: ocsf.user.ldap_person.labels + if: ctx.ocsf?.user?.ldap_person?.labels instanceof List + ignore_failure: true + processor: + append: + field: user.ldap_person.labels + tag: append_user_ldap_person_labels + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + - convert: + field: ocsf.user.ldap_person.location.is_on_premises + tag: convert_user_ldap_person_location_is_on_premises_to_boolean + type: boolean + ignore_missing: true + on_failure: + - remove: + field: ocsf.user.ldap_person.location.is_on_premises + ignore_missing: true + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' on_failure: - append: field: error.message diff --git a/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml b/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml new file mode 100644 index 000000000000..03904b41c3a0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/actor-fields-flattened.yml 
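Review bot: the two new `foreach` processors append `{{{_ingest._value.name}}}`, which assumes each element of `ocsf.user.ldap_person.email_addrs` and `ocsf.user.ldap_person.labels` is an object with a `name` key; in OCSF those arrays are arrays of plain strings, so the template renders empty and, because `ignore_failure: true` is set, the pipeline silently appends empty strings to `user.ldap_person.email_addrs` and `user.ldap_person.labels`. Use `{{{_ingest._value}}}` (and drop `ignore_failure` so a real failure reaches the on_failure handler), declare the new non-ECS `user.ldap_person.*` targets in the data stream fields, and add a sample event carrying `ldap_person` to the pipeline tests so this path is exercised.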
@@ -0,0 +1,1638 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. diff --git a/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/api-fields.yml 
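Review bot: several descriptions in this actor/process fields file are copy-paste residue and should be corrected before the field reference is generated from them. The first `user.type` entry reads `description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc.` (the device sentence belongs to `device.is_personal`); `integrity` says it is "normalized to the caption of the direction_id value" where it should say `integrity_id`; and `user.type_id` is described as "The account type identifier." while the sibling `user.type` is "The type of the user", so it should read "The user type identifier." Two fields also ship with no description at all: `parent_process_keyword` (which also has no comment explaining why a `keyword` shadow of the flattened `parent_process` exists) and `session.mfa` (a bare `type: boolean`; later in the same file the session block carries both `mfa` and `is_mfa`, so say which one is populated). Finally the `*_id` enum fields are mapped inconsistently: `type_id`, `algorithm_id` and `account.type_id` are `keyword`, but `integrity_id` is `integer`; pick one representation for all OCSF `*_id` fields so queries and dashboards do not have to special-case them.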
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml index c034c1b6dbbd..ce287c5392ef 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/base-fields.yml @@ -14,7 +14,6 @@ - name: event.dataset type: constant_keyword description: Event dataset. - value: amazon_security_lake.event - name: '@timestamp' type: date description: Event timestamp. 
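Review bot: in api-fields.yml, `request.containers.size` and `response.containers.size` are mapped as `type: integer`, which in Elasticsearch is a signed 32-bit value; container image sizes are reported in bytes and routinely exceed 2,147,483,647, so such documents would be rejected at index time. Map them as `long`, as this PR already does for the file object (`- name: size` / `type: long` / `description: The size of data, in bytes.`). Smaller consistency point in the same hunk: `api.group.desc` is `type: text` while every other `desc` in the package (group, device, location) is `keyword`; unless free-text search on the API group description is intended, make it `keyword` too.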
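Review bot: the base-fields.yml hunk drops `value: amazon_security_lake.event` from the `constant_keyword` field `event.dataset` without explaining why. With no `value` in the mapping, Elasticsearch pins the constant to whatever the first document written into each backing index carries, and any later document with a different `event.dataset` is rejected. If the intent is the dynamic routing mentioned in the changelog (rerouting events to per-OCSF-class datasets), the ingest pipeline must set `event.dataset` on every document before the reroute and that should be stated in the changelog entry; if it is not, the `value` line should stay.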
diff --git a/packages/amazon_security_lake/data_stream/event/fields/beats.yml b/packages/amazon_security_lake/data_stream/event/fields/beats.yml index 4084f1dc7f51..e2a02e078e81 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/beats.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/beats.yml @@ -1,6 +1,12 @@ -- name: input.type +- description: Type of Filebeat input. + name: input.type type: keyword - description: Type of filebeat input. -- name: log.offset +- description: Flags for the log file. + name: log.flags + type: keyword +- description: Offset of the entry in the log file. + name: log.offset type: long - description: Log offset. +- description: Log message optimized for viewing in a log viewer. + name: event.message + type: text diff --git a/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/device-fields.yml 
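Review bot: the beats.yml hunk adds `event.message` with the description "Log message optimized for viewing in a log viewer.", but ECS has no `event.message` field; that description belongs to the top-level ECS `message` field. Either this is a typo for `- name: message`, or nothing in the pipeline populates it and the entry should be dropped rather than adding a dead mapping. The `log.flags` and reworded `input.type` / `log.offset` entries are fine.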
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/event/fields/fields.yml b/packages/amazon_security_lake/data_stream/event/fields/fields.yml index 670974d5c4bc..bfa26366a867 100644 --- a/packages/amazon_security_lake/data_stream/event/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/event/fields/fields.yml 
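Review bot: the device object's `namespace_pid` is mapped as `integer` in this hunk while the copy of the same field being removed from the event data stream below is `long` (`- name: namespace_pid` / `- type: long`); two data streams that share a data view will surface that as a field type conflict, so pick one numeric type for every copy of the process object (`long` matches the other numeric fields in this file). Two smaller points in the same hunk: the description on `uid_alt` reads "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.", which is the user-object wording pasted onto a device field and should describe an alternate device identifier instead; and `subnet` is mapped as `ip_range` while its description says "The subnet mask", so a source that emits a dotted netmask rather than CIDR notation will be rejected at index time unless the pipeline converts it, which deserves either a convert step or a sentence in the description.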
@@ -10,3669 +10,945 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor + - name: action_id + type: integer + description: The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. + - name: action + type: keyword + description: The normalized caption of action_id. + - name: actual_permissions + type: long + description: The permissions that were granted to the in a platform-native format. + - name: analytic type: group fields: - - name: authorizations + - name: category + type: keyword + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics type: group fields: - - name: decision + - name: category type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. 
- - name: idp + description: The analytic category. + - name: desc + type: keyword + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics + type: flattened + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: 'The analytic version. For example: 1.1.' + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: 'The analytic version. For example: 1.1.' + - name: answers + type: group + fields: + - name: class + type: keyword + description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.' + - name: flag_ids + type: keyword + description: The list of DNS answer header flag IDs. + - name: flags + type: keyword + description: The list of DNS answer header flags. + - name: packet_uid + type: keyword + description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + - name: rdata + type: keyword + description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. + - name: ttl + type: long + description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. + - name: type + type: keyword + description: 'The type of data contained in this resource record. See RFC1035. 
For example: CNAME.' + - name: app + type: group + fields: + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The CIS benchmark name. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: path + type: keyword + description: The installation path of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: The version of the product, as defined by the event source. + - name: app_name + type: keyword + description: The name of the application that is associated with the event or object. + - name: attacks + type: group + fields: + - name: tactics type: group fields: - name: name type: keyword - description: The name of the identity provider. + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. - name: uid type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: technique type: group fields: - - name: auid + - name: name type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' 
+ - name: uid + type: keyword + description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' + - name: version + type: keyword + description: The ATT&CK Matrix version. + - name: attempt + type: long + description: The attempt number for attempting to deliver the email. + - name: auth_protocol + type: keyword + description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. + - name: auth_protocol_id + type: keyword + description: The normalized identifier of the authentication protocol used to create the user session. + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container + description: The description of the policy. + - name: group type: group fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. 
- - name: name - type: keyword - description: The container name. - - name: network_driver + - name: domain type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid + description: The group description. + - name: name type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime + description: The group name. + - name: privileges type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag + description: The group privileges. + - name: type type: keyword - description: The tag used by the container. It can indicate version, format, OS. + description: The type of the group or account. - name: uid type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name type: keyword - description: The effective group under which this process is running. - - name: euid + description: 'The policy name. For example: IAM Policy.' + - name: uid type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. 
- - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. 
- - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. 
- - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. 
- - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' 
- - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. 
- - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. 
- - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). 
For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: actual_permissions - type: long - description: The permissions that were granted to the in a platform-native format. - - name: analytic - type: group - fields: - - name: category - type: keyword - description: The analytic category. - - name: desc - type: keyword - description: The description of the analytic that generated the finding. - - name: name - type: keyword - description: The name of the analytic that generated the finding. - - name: related_analytics - type: group - fields: - - name: category - type: keyword - description: The analytic category. - - name: desc - type: keyword - description: The description of the analytic that generated the finding. - - name: name - type: keyword - description: The name of the analytic that generated the finding. - - name: related_analytics - type: flattened - - name: type - type: keyword - description: The analytic type. - - name: type_id - type: keyword - description: The analytic type ID. - - name: uid - type: keyword - description: The unique identifier of the analytic that generated the finding. - - name: version - type: keyword - description: 'The analytic version. For example: 1.1.' - - name: type - type: keyword - description: The analytic type. - - name: type_id - type: keyword - description: The analytic type ID. - - name: uid - type: keyword - description: The unique identifier of the analytic that generated the finding. - - name: version - type: keyword - description: 'The analytic version. For example: 1.1.' - - name: answers - type: group - fields: - - name: class - type: keyword - description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.' - - name: flag_ids - type: keyword - description: The list of DNS answer header flag IDs. - - name: flags - type: keyword - description: The list of DNS answer header flags. - - name: packet_uid - type: keyword - description: The DNS packet identifier assigned by the program that generated the query. 
The identifier is copied to the response. - - name: rdata - type: keyword - description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. - - name: ttl - type: long - description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. - - name: type - type: keyword - description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.' - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. 
- - name: version - type: keyword - description: The version of the API service. - - name: app - type: group - fields: - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The CIS benchmark name. - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: The version of the product, as defined by the event source. - - name: app_name - type: keyword - description: The name of the application that is associated with the event or object. - - name: attacks - type: group - fields: - - name: tactics - type: group - fields: - - name: name - type: keyword - description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. - - name: uid - type: keyword - description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. - - name: technique - type: group - fields: - - name: name - type: keyword - description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' - - name: uid - type: keyword - description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' - - name: version - type: keyword - description: The ATT&CK Matrix version. 
- - name: attempt - type: long - description: The attempt number for attempting to deliver the email. - - name: auth_protocol - type: keyword - description: The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. - - name: auth_protocol_id - type: keyword - description: The normalized identifier of the authentication protocol used to create the user session. - - name: banner - type: keyword - description: The initial SMTP connection response that a messaging server receives after it connects to a email server. - - name: base_address - type: keyword - description: The memory address that was access or requested. - - name: capabilities - type: keyword - description: A list of RDP capabilities. - - name: category_name - type: keyword - description: 'The event category name, as defined by category_uid value: Identity & Access Management.' - - name: category_uid - type: keyword - description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: certificate_chain - type: keyword - description: The list of observed certificates in an RDP TLS connection. - - name: cis_benchmark_result - type: group - fields: - - name: desc - type: keyword - description: The CIS benchmark description. - - name: name - type: keyword - description: The CIS benchmark name. - - name: remediation - type: group - fields: - - name: desc - type: keyword - description: The description of the remediation strategy. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. - - name: rule - type: group - fields: - - name: category - type: keyword - description: The rule category. - - name: desc - type: keyword - description: The description of the rule that generated the event. - - name: name - type: keyword - description: The name of the rule that generated the event. - - name: type - type: keyword - description: The rule type. - - name: uid - type: keyword - description: The unique identifier of the rule that generated the event. - - name: version - type: keyword - description: The rule version. - - name: cis_csc - type: group - fields: - - name: control - type: keyword - description: The CIS critical security control. - - name: version - type: keyword - description: The CIS critical security control version. 
- - name: class_name - type: keyword - description: 'The event class name, as defined by class_uid value: Security Finding.' - - name: class_uid - type: keyword - description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. - - name: client_dialects - type: keyword - description: The list of SMB dialects that the client speaks. - - name: client_hassh - type: group - fields: - - name: algorithm - type: keyword - description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." - - name: fingerprint - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: cloud - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: project_uid - type: keyword - description: The unique identifier of a Cloud project. - - name: provider - type: keyword - description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. - - name: region - type: keyword - description: The name of the cloud region, as defined by the cloud provider. - - name: zone - type: keyword - description: The availability zone in the cloud region, as defined by the cloud provider. - - name: codes - type: long - description: The list of return codes to the FTP command. - - name: command - type: keyword - description: The command name. - - name: command_responses - type: keyword - description: The list of responses to the FTP command. - - name: compliance - type: group - fields: - - name: status_detail - type: keyword - description: The status details contains additional information about the event outcome. - - name: requirements - type: keyword - description: A list of applicable compliance requirements for which this finding is related to. - - name: status - type: keyword - description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. - - name: comment - type: keyword - description: The user provided comment about why the entity was changed. - - name: component - type: keyword - description: The name or relative pathname of a sub-component of the data object, if applicable. 
- - name: confidence - type: keyword - description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. - - name: confidence_id - type: keyword - description: The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. - - name: confidence_score - type: long - description: The confidence score as reported by the event source. - - name: connection_info - type: group - fields: - - name: boundary - type: keyword - description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. - - name: boundary_id - type: keyword - description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. - - name: direction - type: keyword - description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. - - name: direction_id - type: keyword - description: The normalized identifier of the direction of the initiated connection, traffic, or email. - - name: protocol_name - type: keyword - description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' - - name: protocol_num - type: keyword - description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). 
Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' - - name: protocol_ver - type: keyword - description: The Internet Protocol version. - - name: protocol_ver_id - type: keyword - description: The Internet Protocol version identifier. - - name: tcp_flags - type: long - description: The network connection TCP header flags (i.e., control bits). - - name: uid - type: keyword - description: The unique identifier of the connection. - - name: connection_uid - type: keyword - description: The network connection identifier. - - name: count - type: long - description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: create_mask - type: keyword - description: The original Windows mask that is required to create the object. - - name: data_sources - type: keyword - description: The data sources for the finding. - - name: dce_rpc - type: group - fields: - - name: command - type: keyword - description: The request command (e.g. REQUEST, BIND). - - name: command_response - type: keyword - description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). - - name: flags - type: keyword - description: The list of interface flags. - - name: opnum - type: long - description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. - - name: rpc_interface - type: group - fields: - - name: ack_reason - type: long - description: An integer that provides a reason code or additional information about the acknowledgment result. - - name: ack_result - type: long - description: An integer that denotes the acknowledgment result of the DCE/RPC call. - - name: uuid - type: keyword - description: The unique identifier of the particular remote procedure or service. - - name: version - type: keyword - description: The version of the DCE/RPC protocol being used in the session. 
- - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. 
- - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. 
- - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. 
For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. 
For example, when similar entities exists that you need to keep separate. - - name: subnet_prefix - type: long - description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. 
- - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dialect - type: keyword - description: The negotiated protocol dialect. 
- - name: direction - type: keyword - description: The direction of the email, as defined by the direction_id value. - - name: direction_id - type: keyword - description: The direction of the email relative to the scanning host or organization. - - name: disposition - type: keyword - description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. - - name: disposition_id - type: keyword - description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. - - name: driver - type: group - fields: - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' 
- - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. 
- - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
- - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
- - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. 
- - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. 
- - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: A unique identifier of the policy instance. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: dst_endpoint + description: The policy version number. + - name: banner + type: keyword + description: The initial SMTP connection response that a messaging server receives after it connects to a email server. + - name: base_address + type: keyword + description: The memory address that was access or requested. + - name: capabilities + type: keyword + description: A list of RDP capabilities. + - name: category_name + type: keyword + description: 'The event category name, as defined by category_uid value: Identity & Access Management.' + - name: category_uid + type: keyword + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: certificate type: group fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). 
- - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints type: group fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code + - name: algorithm type: keyword - description: The postal code of the location. - - name: provider + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The provider of the geographical location data. 
- - name: region + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. - - name: email - type: group - fields: - - name: cc - type: keyword - description: The email header Cc values, as defined by RFC 5322. - - name: delivered_to - type: keyword - description: The Delivered-To email header field. - - name: from - type: keyword - description: The email header From values, as defined by RFC 5322. - - name: message_uid - type: keyword - description: The email header Message-Id value, as defined by RFC 5322. - - name: raw_header - type: keyword - description: The email authentication header. 
- - name: reply_to - type: keyword - description: The email header Reply-To values, as defined by RFC 5322. - - name: size - type: long - description: The size in bytes of the email, including attachments. - - name: smtp_from + description: The digital fingerprint value. + - name: issuer type: keyword - description: The value of the SMTP MAIL FROM command. - - name: smtp_to + description: The certificate issuer distinguished name. + - name: serial_number type: keyword - description: The value of the SMTP envelope RCPT TO command. + description: The serial number of the certificate used to create the digital signature. - name: subject type: keyword - description: The email header Subject value, as defined by RFC 5322. - - name: to - type: keyword - description: The email header To values, as defined by RFC 5322. - - name: uid - type: keyword - description: The email unique identifier. - - name: x_originating_ip - type: ip - description: The X-Originating-IP header identifying the emails originating IP address(es). - - name: email_auth - type: group - fields: - - name: dkim - type: keyword - description: The DomainKeys Identified Mail (DKIM) status of the email. - - name: dkim_domain - type: keyword - description: The DomainKeys Identified Mail (DKIM) signing domain of the email. - - name: dkim_signature - type: keyword - description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. - - name: dmarc - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. - - name: dmarc_override - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. - - name: dmarc_policy - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. - - name: spf - type: keyword - description: The Sender Policy Framework (SPF) status of the email. 
- - name: email_uid - type: keyword - description: The unique identifier of the email, used to correlate related email alert and activity events. - - name: end_time - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: end_time_dt - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: enrichments - type: group - fields: - - name: data - type: flattened - description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - - name: name - type: keyword - description: The name of the attribute to which the enriched data pertains. - - name: provider - type: keyword - description: The enrichment data provider name. - - name: type - type: keyword - description: The enrichment type. For example, location. - - name: value - type: keyword - description: The value of the attribute to which the enriched data pertains. - - name: entity - type: group - fields: - - name: data - type: flattened - description: The managed entity content as a JSON object. - - name: name - type: keyword - description: The name of the managed entity. - - name: type - type: keyword - description: The managed entity type. - - name: uid - type: keyword - description: The identifier of the managed entity. + description: The certificate subject distinguished name. - name: version type: keyword - description: The version of the managed entity. - - name: entity_result + description: The certificate version. + - name: certificate_chain + type: keyword + description: The list of observed certificates in an RDP TLS connection. + - name: cis_benchmark_result type: group fields: - - name: data - type: flattened - description: The managed entity content as a JSON object. - - name: name + - name: desc type: keyword - description: The name of the managed entity. 
- - name: type + description: The CIS benchmark description. + - name: name type: keyword - description: The managed entity type. - - name: uid + description: The CIS benchmark name. + - name: remediation + type: group + fields: + - name: desc + type: keyword + description: The description of the remediation strategy. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: rule + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: desc + type: keyword + description: The description of the rule that generated the event. + - name: name + type: keyword + description: The name of the rule that generated the event. + - name: type + type: keyword + description: The rule type. + - name: uid + type: keyword + description: The unique identifier of the rule that generated the event. + - name: version + type: keyword + description: The rule version. + - name: cis_csc + type: group + fields: + - name: control type: keyword - description: The identifier of the managed entity. + description: The CIS critical security control. - name: version type: keyword - description: The version of the managed entity. - - name: evidence - type: flattened - description: The data the finding exposes to the analyst. - - name: expiration_time - type: date - description: The share expiration time. - - name: expiration_time_dt - type: date - description: The share expiration time. - - name: exit_code + description: The CIS critical security control version. + - name: class_name type: keyword - description: The exit code reported by a process when it terminates. 
The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - - name: file + description: 'The event class name, as defined by class_uid value: Security Finding.' + - name: class_uid + type: keyword + description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. + - name: client_dialects + type: keyword + description: The list of SMB dialects that the client speaks. + - name: client_hassh type: group fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor + - name: algorithm + type: keyword + description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." + - name: fingerprint type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain + - name: algorithm type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The user's email address. - - name: full_name + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + description: The digital fingerprint value. + - name: cloud + type: group + fields: + - name: account + type: group + fields: - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
+ description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: The unique identifier of the account (e.g. AWS Account ID). + - name: org + type: group + fields: + - name: name type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid + type: keyword + description: The unique identifier of a Cloud project. + - name: provider + type: keyword + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: codes + type: long + description: The list of return codes to the FTP command. + - name: command + type: keyword + description: The command name. + - name: command_responses + type: keyword + description: The list of responses to the FTP command. 
+ - name: compliance + type: group + description: The compliance object provides context to compliance findings. + fields: + - name: control + type: keyword + description: A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls. + - name: requirements + type: keyword + description: A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10. + - name: standards + type: keyword + description: Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001. + - name: status + type: keyword + description: The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. + - name: status_code + type: keyword + description: The resultant status code of the compliance check. + - name: status_detail + type: text + description: The contextual description of the status, status_code values. + - name: status_id + type: integer + description: The normalized status identifier of the compliance check. + - name: comment + type: keyword + description: The user provided comment about why the entity was changed. + - name: component + type: keyword + description: The name or relative pathname of a sub-component of the data object, if applicable. + - name: confidence + type: keyword + description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. + - name: confidence_id + type: keyword + description: The normalized confidence refers to the accuracy of the rule that created the finding. 
A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. + - name: confidence_score + type: long + description: The confidence score as reported by the event source. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: protocol_name + type: keyword + description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' + - name: protocol_num + type: keyword + description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' + - name: protocol_ver + type: keyword + description: The Internet Protocol version. + - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. 
+ - name: tcp_flags type: long - description: The Bitmask value that represents the file attributes. - - name: company_name + description: The network connection TCP header flags (i.e., control bits). + - name: uid type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality + description: The unique identifier of the connection. + - name: connection_uid + type: keyword + description: The network connection identifier. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. + - name: create_mask + type: keyword + description: The original Windows mask that is required to create the object. + - name: data_sources + type: keyword + description: The data sources for the finding. + - name: database + type: flattened + description: The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. + - name: databucket + type: flattened + description: The data bucket object is a basic container that holds data, typically organized through the use of data partitions. + - name: dce_rpc + type: group + fields: + - name: command type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id + description: The request command (e.g. REQUEST, BIND). + - name: command_response type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator + description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). 
+ - name: flags + type: keyword + description: The list of interface flags. + - name: opnum + type: long + description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. + - name: rpc_interface type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr + - name: ack_reason + type: long + description: An integer that provides a reason code or additional information about the acknowledgment result. + - name: ack_result + type: long + description: An integer that denotes the acknowledgment result of the DCE/RPC call. + - name: uuid type: keyword - description: The user's email address. - - name: full_name + description: The unique identifier of the particular remote procedure or service. + - name: version type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: The version of the DCE/RPC protocol being used in the session. + - name: dialect + type: keyword + description: The negotiated protocol dialect. + - name: direction + type: keyword + description: The direction of the email, as defined by the direction_id value. 
+ - name: direction_id + type: keyword + description: The direction of the email relative to the scanning host or organization. + - name: disposition + type: keyword + description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. + - name: disposition_id + type: keyword + description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. + - name: driver + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: The group name. - - name: privileges + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The group privileges. - - name: type + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The type of the group or account. - - name: uid + description: The user's email address. 
+ - name: full_name type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. 
- - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator type: group fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- name: name type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id type: keyword - description: The normalized account type identifier. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges + - name: algorithm type: keyword - description: The group privileges. 
- - name: type + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The type of the group or account. - - name: uid + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type type: keyword - description: The username. For example, janedoe1. - - name: org + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier type: group fields: - - name: name + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid + description: The user's email address. + - name: full_name type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The username. For example, janedoe1. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id type: keyword - description: The normalized account type identifier. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: 'The name of the file. For example: svchost.exe.' + - name: owner type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. 
AWS Account ID). + - name: credential_uid type: keyword - description: The group name. - - name: privileges + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The group privileges. - - name: type + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The type of the group or account. - - name: uid + description: The user's email address. + - name: full_name type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product type: group fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
- name: name type: keyword - description: The name of the feature. + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. - name: uid type: keyword - description: The unique identifier of the feature. + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. - name: version type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate + description: The object security descriptor. 
+ - name: signature type: group fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. - name: created_time type: date - description: The time when the certificate was created. + description: The time when the digital signature was created. - name: created_time_dt type: date - description: The time when the certificate was created. 
- - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest type: group fields: - name: algorithm 
@@ -3684,57 +960,172 @@ - name: value type: keyword description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid + - name: size + type: long + description: The size of data, in bytes. + - name: type type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. 
+ - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: email + type: group + fields: + - name: cc + type: keyword + description: The email header Cc values, as defined by RFC 5322. + - name: delivered_to + type: keyword + description: The Delivered-To email header field. + - name: from + type: keyword + description: The email header From values, as defined by RFC 5322. + - name: message_uid + type: keyword + description: The email header Message-Id value, as defined by RFC 5322. + - name: raw_header + type: keyword + description: The email authentication header. + - name: reply_to + type: keyword + description: The email header Reply-To values, as defined by RFC 5322. - name: size type: long - description: The size of data, in bytes. + description: The size in bytes of the email, including attachments. + - name: smtp_from + type: keyword + description: The value of the SMTP MAIL FROM command. + - name: smtp_to + type: keyword + description: The value of the SMTP envelope RCPT TO command. + - name: subject + type: keyword + description: The email header Subject value, as defined by RFC 5322. + - name: to + type: keyword + description: The email header To values, as defined by RFC 5322. + - name: uid + type: keyword + description: The email unique identifier. + - name: x_originating_ip + type: ip + description: The X-Originating-IP header identifying the emails originating IP address(es). + - name: email_auth + type: group + fields: + - name: dkim + type: keyword + description: The DomainKeys Identified Mail (DKIM) status of the email. + - name: dkim_domain + type: keyword + description: The DomainKeys Identified Mail (DKIM) signing domain of the email. + - name: dkim_signature + type: keyword + description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. 
+ - name: dmarc + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. + - name: dmarc_override + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. + - name: dmarc_policy + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. + - name: spf + type: keyword + description: The Sender Policy Framework (SPF) status of the email. + - name: email_uid + type: keyword + description: The unique identifier of the email, used to correlate related email alert and activity events. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + ignore_malformed: true + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. - name: type type: keyword - description: The file type. - - name: type_id + description: The enrichment type. For example, location. + - name: value type: keyword - description: The file type ID. + description: The value of the attribute to which the enriched data pertains. + - name: entity + type: group + fields: + - name: data + type: flattened + description: The managed entity content as a JSON object. + - name: name + type: keyword + description: The name of the managed entity. + - name: type + type: keyword + description: The managed entity type. 
- name: uid type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: The identifier of the managed entity. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes + description: The version of the managed entity. + - name: entity_result + type: group + fields: + - name: data type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + description: The managed entity content as a JSON object. + - name: name + type: keyword + description: The name of the managed entity. + - name: type + type: keyword + description: The managed entity type. + - name: uid + type: keyword + description: The identifier of the managed entity. + - name: version + type: keyword + description: The version of the managed entity. + - name: evidence + type: flattened + description: The data the finding exposes to the analyst. + - name: evidences + type: flattened + description: Describes various evidence artifacts associated to the activity/activities that triggered a security detection. + - name: expiration_time + type: date + description: The share expiration time. + - name: expiration_time_dt + type: date + description: The share expiration time. + - name: exit_code + type: keyword + description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - name: file_diff type: keyword description: File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values. 
@@ -4116,18 +1507,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' @@ -4293,6 +1677,12 @@ - name: kb_articles type: keyword description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: src_url type: keyword description: The URL pointing to the source of the finding. @@ -4308,6 +1698,12 @@ - name: uid type: keyword description: The unique identifier of the reported finding. + - name: finding_info + type: flattened + description: Describes the supporting information about a generated finding. + - name: firewall_rule + type: flattened + description: The firewall rule that triggered the event. - name: group type: group fields: 
@@ -4449,6 +1845,46 @@ - name: is_renewal type: boolean description: The indication of whether this is a lease/session renewal event. + - name: kb_article_list + type: group + description: The KB Article object contains metadata that describes the patch or update. + fields: + - name: uid + type: keyword + description: The unique identifier for the kb article. + - name: bulletin + type: keyword + description: The kb article bulletin identifier. + - name: classification + type: keyword + description: The vendors classification of the kb article. + - name: created_time + type: long + description: The date the kb article was released by the vendor. + - name: created_time_dt + type: date + description: The date the kb article was released by the vendor. + - name: is_superseded + type: boolean + description: "The patch is superseded" + - name: severity + type: keyword + description: The severity of the kb article. + - name: size + type: long + description: The size in bytes for the kb article. + - name: src_url + type: keyword + description: The kb article link from the source vendor. + - name: title + type: keyword + description: The title of the kb article. + - name: os + type: flattened + description: The operating system the kb article applies. + - name: product + type: flattened + description: The product details the kb article applies. - name: kernel type: group fields: @@ -4482,6 +1918,9 @@ - name: lease_dur type: long description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) + - name: load_balancer + type: flattened + description: The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. - name: logon_type type: keyword description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. 
@@ -4551,18 +1990,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: The two letter lower case language codes, as defined by ISO 639-1. 
@@ -4605,108 +2037,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: module type: group fields: @@ -4773,21 +2103,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4869,21 +2188,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4974,21 +2282,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5055,21 +2352,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5091,18 +2377,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
@@ -5268,93 +2547,30 @@ - name: port type: long description: The dynamic port established for impending data transfers. + - name: precision + type: integer + description: The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. - name: privileges type: keyword description: The list of sensitive privileges, assigned to the new user session. - name: protocol_ver type: keyword description: The Protocol version. - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. 
- - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + - name: proxy_connection_info + type: flattened + description: The connection information from the proxy server to the remote server. + - name: proxy_http_request + type: flattened + description: The HTTP Request from the proxy server to the remote server. + - name: proxy_http_response + type: flattened + description: The HTTP Response from the remote server to the proxy server. + - name: proxy_tls + type: flattened + description: The TLS protocol negotiated between the proxy server and the remote server. 
+ - name: proxy_traffic + type: flattened + description: The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. - name: query type: group fields: @@ -5376,6 +2592,9 @@ - name: type type: keyword description: 'The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS.' + - name: query_info + type: flattened + description: The query info object holds information related to data access within a datastore. - name: query_time type: date description: The Domain Name System (DNS) query time. @@ -5386,7 +2605,8 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text + description: The event data as received from the event source. - name: rcode type: keyword description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. 
@@ -5423,288 +2643,51 @@ - name: uid type: keyword description: The unique identifier for the network interface. - - name: remote_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: request - type: group - fields: - - name: flags - type: date - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: requested_permissions - type: long - description: The permissions mask that were requested by the process. - - name: resource + - name: remediation type: group fields: - - name: cloud_partition + - name: desc type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality + description: The description of the remediation strategy. + - name: kb_articles type: keyword - description: The criticality of the resource as defined by the event source. - - name: data + description: The KB article/s related to the entity. + - name: kb_article_list type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version + description: A list of KB articles or patches related to an endpoint. + - name: references type: keyword - description: The version of the resource. For example 1.2.3. - - name: resources + description: A list of supporting URL/s, references that help describe the remediation strategy. + - name: remote_display type: group fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. 
- - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. 
- - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. 
+ - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: request + type: group + fields: + - name: flags + type: date + description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - name: uid type: keyword - description: The unique identifier of the resource. - - name: version - type: keyword - description: The version of the resource. For example 1.2.3. + description: The unique request identifier. + - name: requested_permissions + type: long + description: The permissions mask that were requested by the process. - name: response type: group fields: 
@@ -5824,87 +2807,6 @@ - name: smtp_hello type: keyword description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. @@ -5929,6 +2831,12 @@ - name: status_id type: keyword description: The normalized identifier of the event status. + - name: stratum_id + type: integer + description: The normalized identifier of the stratum level, as defined in RFC-5905. + - name: stratum + type: keyword + description: The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. - name: time type: date description: The normalized event occurrence time. 
@@ -6052,6 +2960,9 @@ - name: version type: keyword description: The TLS protocol version. + - name: table + type: flattened + description: The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried. - name: traffic type: group fields: @@ -6081,7 +2992,10 @@ description: The tree id is a unique SMB identifier which represents an open connection to a share. - name: type type: keyword - description: The type of FTP network connection (e.g. active, passive). + description: The type the event. + - name: type_id + type: keyword + description: The normalized event type identifier. - name: type_name type: keyword description: The event type name, as defined by the type_uid. 
@@ -6124,84 +3038,6 @@ - name: url_string type: keyword description: The URL string. See RFC 1738. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: user_result type: group fields: 
@@ -6280,147 +3116,9 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vulnerabilities - type: group - fields: - - name: cve - type: group - fields: - - name: created_time - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: created_time_dt - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: cvss - type: group - fields: - - name: base_score - type: double - description: 'The CVSS base score. For example: 9.1.' - - name: depth - type: keyword - description: The CVSS depth represents a depth of the equation used to calculate CVSS score. - - name: metrics - type: group - fields: - - name: name - type: keyword - description: The name of the metric. - - name: value - type: keyword - description: The value of the metric. - - name: overall_score - type: double - description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' - - name: severity - type: keyword - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. - - name: vector_string - type: keyword - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. 
For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - - name: version - type: keyword - description: 'The CVSS version. For example: 3.1.' - - name: cwe_uid - type: keyword - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' - - name: cwe_url - type: keyword - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - - name: modified_time - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: modified_time_dt - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: type - type: keyword - description: The vulnerability type as selected from a large dropdown menu during CVE refinement. 
- - name: uid - type: keyword - description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' - - name: desc - type: keyword - description: The description of the vulnerability. - - name: fix_available - type: boolean - description: Indicates if a fix is available for the reported vulnerability. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. - - name: packages - type: group - fields: - - name: architecture - type: keyword - description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. - - name: epoch - type: long - description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. - - name: license - type: keyword - description: The software license applied to this package. - - name: name - type: keyword - description: The software package name. - - name: release - type: keyword - description: Release is the number of times a version of the software has been packaged. - - name: version - type: keyword - description: The software package version. - - name: references - type: keyword - description: Supporting reference URLs. - - name: related_vulnerabilities - type: keyword - description: List of vulnerabilities that are related to this vulnerability. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: title - type: keyword - description: The title of the vulnerability. - - name: vendor_name - type: keyword - description: The vendor who identified the vulnerability. + - name: version + type: keyword + description: The version number of the NTP protocol. 
- name: web_resources type: group fields: diff --git a/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml new file mode 100644 index 000000000000..f0d2fe6bc6b1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/file-fields.yml 
@@ -0,0 +1,509 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. diff --git a/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/metadata-fields.yml 
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml new file mode 100644 index 000000000000..55a1bbb690d6 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/misc-fields.yml 
@@ -0,0 +1,89 @@ +# The misc fields are used to store additional information about the event that does not fit into the other categories and spans across multiple event types. +# They have extended mappings in their respective data streams +- name: ocsf + type: group + fields: + # These fields are used to store misc information about a findings category event. + - name: assignee + type: flattened + description: The details of the user assigned to an Incident. + - name: assignee_group + type: flattened + description: The details of the group assigned to an Incident. + - name: desc + type: keyword + description: The short description of the incident. + - name: priority + type: keyword + description: The priority, normalized to the caption of the priority_id value. + - name: priority_id + type: integer + description: The priority, normalized to the ID of the priority_id value. + - name: src_url + type: keyword + description: A Url link used to access the original incident. + - name: verdict + type: keyword + description: The verdict assigned to an Incident finding. + - name: verdict_id + type: integer + description: The normalized verdict of an Incident. + # These fields are used to store misc information about a discovery category event. + - name: prev_security_states + type: group + description: The previous security states of the device. + fields: + - name: state + type: keyword + description: The security state, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The security state of the managed entity. + - name: security_level + type: keyword + description: The current security level of the entity. + - name: security_level_id + type: integer + description: The current security level of the entity. + - name: security_states + type: group + description: The current security states of the device. 
+ fields: + - name: state + type: keyword + description: The security state, normalized to the caption of the state_id value. + - name: state_id + type: keyword + description: The security state of the managed entity. + # These fields are used to store misc information about an application activity category event. + - name: command_uid + type: keyword + description: The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. + - name: num_* + type: integer + description: The number fields for counting various item scan results. + - name: policy + type: flattened + description: The policy that was used to scan the device. + - name: scan + type: group + description: The Scan object describes characteristics of a proactive scan. + fields: + - name: name + type: keyword + description: The administrator-supplied or application-generated name of the scan. + - name: type + type: keyword + description: The type of scan. + - name: type_id + type: keyword + description: The type id of the scan. + - name: uid + type: keyword + description: The application-defined unique identifier assigned to an instance of a scan. + - name: schedule_uid + type: keyword + description: The unique identifier of the schedule associated with a scan job. + - name: total + type: integer + description: The total number of items that were scanned; zero if no items were scanned. diff --git a/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..91fca432e6eb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/network-endpoint-fields.yml 
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml new file mode 100644 index 000000000000..898740ab4d10 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-endpoint-fields.yml 
@@ -0,0 +1,108 @@ +- name: ocsf + type: group + fields: + - name: proxy_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: port + type: long + description: The port used for communication within the network connection. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml b/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml new file mode 100644 index 000000000000..11d1f9a9bdb8 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/proxy-fields-deprecated.yml 
@@ -0,0 +1,84 @@ +- name: ocsf + type: group + fields: + - name: proxy + type: group + fields: + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. 
Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). diff --git a/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/resource-fields.yml 
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml new file mode 100644 index 000000000000..904fd937ffa0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/user-fields.yml 
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. 
For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml new file mode 100644 index 000000000000..621cf5229443 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/fields/vulnerability-fields.yml 
@@ -0,0 +1,162 @@ +- name: ocsf + type: group + fields: + - name: vulnerabilities + type: group + fields: + - name: cve + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: 'The CVSS base score. For example: 9.1.' + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The name of the metric. + - name: value + type: keyword + description: The value of the metric. + - name: overall_score + type: double + description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. + - name: vector_string + type: keyword + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' 
+ - name: version + type: keyword + description: 'The CVSS version. For example: 3.1.' + - name: cwe + type: flattened + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + - name: cwe_uid + type: keyword + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' + - name: cwe_url + type: keyword + description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' + - name: desc + type: keyword + description: The description of the vulnerability. + - name: epss + type: flattened + description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. + - name: fix_available + type: boolean + description: Indicates if a fix is available for the reported vulnerability. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. 
+ - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' + - name: references + type: keyword + description: Supporting reference URLs. + - name: title + type: keyword + description: The title of the cve. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: cwe + type: group + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + fields: + - name: caption + type: keyword + description: The caption assigned to the Common Weakness Enumeration unique identifier. + - name: src_url + type: keyword + description: URL pointing to the CWE Specification. + - name: uid + type: keyword + description: The Common Weakness Enumeration unique number assigned to a specific weakness. + - name: packages + type: group + fields: + - name: architecture + type: keyword + description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. + - name: epoch + type: long + description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. + - name: license + type: keyword + description: The software license applied to this package. + - name: name + type: keyword + description: The software package name. 
+ - name: release + type: keyword + description: Release is the number of times a version of the software has been packaged. + - name: version + type: keyword + description: The software package version. + - name: references + type: keyword + description: Supporting reference URLs. + - name: related_vulnerabilities + type: keyword + description: List of vulnerabilities that are related to this vulnerability. + - name: severity + type: keyword + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. + - name: title + type: keyword + description: The title of the vulnerability. + - name: vendor_name + type: keyword + description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/event/manifest.yml b/packages/amazon_security_lake/data_stream/event/manifest.yml index 9187b7416155..3ae37f501ab3 100644 --- a/packages/amazon_security_lake/data_stream/event/manifest.yml +++ b/packages/amazon_security_lake/data_stream/event/manifest.yml 
@@ -122,12 +122,7 @@ streams: required: false show_user: false description: If the SQS queue will have events that correspond to files that this integration shouldn't process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that don’t match one of the regexes will not be processed. - default: | - # Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events. - # - regex: '/CloudTrail/' - # decoding.codec.parquet.enabled: true - # decoding.codec.parquet.batch_size: 100 - # decoding.codec.parquet.process_parallel: true + default: "# Example: if you want to consume events that contain 'CloudTrail' in the S3 object key and apply parquet decoding to the events.\n# - regex: '/CloudTrail/'\n# decoding.codec.parquet.enabled: true\n# decoding.codec.parquet.batch_size: 100\n# decoding.codec.parquet.process_parallel: true \n" - name: region type: text title: "[SQS] Region" @@ -268,3 +263,6 @@ streams: elasticsearch: dynamic_dataset: true dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/event/sample_event.json b/packages/amazon_security_lake/data_stream/event/sample_event.json new file mode 100644 index 000000000000..7c2bf8e23805 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/event/sample_event.json 
@@ -0,0 +1,160 @@ +{ + "@timestamp": "2023-09-21T06:27:59.358Z", + "agent": { + "ephemeral_id": "997d41db-2945-4b29-a606-62cf3d2208ae", + "id": "d68b8849-ddc7-453c-b14c-d770658c905e", + "name": "elastic-agent-83792", + "type": "filebeat", + "version": "8.14.3" + }, + "cloud": { + "account": { + "id": "65194d7c-584c-11ee-8857-0242ac110005" + }, + "provider": "infrared delayed visiting", + "region": "initial lucia designer" + }, + "data_stream": { + "dataset": "amazon_security_lake.event", + "namespace": "86127", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "d68b8849-ddc7-453c-b14c-d770658c905e", + "snapshot": false, + "version": "8.14.3" + }, + "event": { + "action": "look", + "agent_id_status": "verified", + "category": [ + "package" + ], + "dataset": "amazon_security_lake.event", + "ingested": "2024-08-13T19:04:14Z", + "kind": "event", + "outcome": "success", + "provider": "jurisdiction protecting witness", + "severity": 6, + "start": "2023-09-21T06:59:23.200Z", + "type": [ + "info" + ] + }, + "host": { + "domain": "allied had insulation", + "hostname": "zinc.biz", + "id": "651987a6-584c-11ee-ad31-0242ac110005", + "ip": [ + "81.2.69.142" + ], + "name": "knows col covered", + "type": "Unknown" + }, + "input": { + "type": "aws-s3" + }, + "log": { + "file": { + "path": "https://security-lake-logs-bucket-19310.s3.us-east-1.amazonaws.com/application/application_lifecycle.parquet" + }, + "offset": 0 + }, + "message": "issues kings loop", + "ocsf": { + "activity_id": "99", + "activity_name": "look", + "app": { + "feature": { + "name": "mit received implemented", + "uid": "6519aa4c-584c-11ee-ac40-0242ac110005", + "version": "1.0.0" + }, + "lang": "en", + "name": "bottom loud knowledge", + "path": "path o f", + "uid": "6519a3da-584c-11ee-8c89-0242ac110005", + "vendor_name": "ss keeping administered", + "version": "1.0.0" + }, + "category_name": "Application Activity", + "category_uid": "6", + "class_name": "Application 
Lifecycle", + "class_uid": "6002", + "cloud": { + "account": { + "type": "AWS Account", + "type_id": "10" + }, + "org": { + "name": "exclusive variables tag", + "ou_name": "custom packard pierre", + "uid": "65193f12-584c-11ee-ae9b-0242ac110005" + } + }, + "device": { + "created_time": "2023-09-21T06:27:59.358Z", + "hw_info": { + "ram_size": 84, + "serial_number": "training blink executives" + }, + "instance_uid": "65197efa-584c-11ee-bc04-0242ac110005", + "interface_name": "lightbox bugs spain", + "interface_uid": "6519835a-584c-11ee-b813-0242ac110005", + "is_personal": false, + "org": { + "name": "chaos winner entered", + "ou_name": "music client leaf", + "uid": "65197a86-584c-11ee-96c1-0242ac110005" + }, + "region": "casio paris norway", + "subnet_uid": "6519725c-584c-11ee-b6a2-0242ac110005", + "type_id": "0", + "uid_alt": "older audience trends" + }, + "metadata": { + "log_name": "collaboration blood loan", + "modified_time_dt": "2023-09-21T06:59:23.198Z", + "original_time": "effectively dimensional reservation", + "product": { + "lang": "en", + "name": "enzyme cookie citations", + "uid": "65195f88-584c-11ee-8118-0242ac110005", + "url_string": "deck", + "vendor_name": "rochester school force", + "version": "1.0.0" + }, + "profiles": [ + "cloud", + "container", + "datetime", + "host" + ], + "version": "1.0.0" + }, + "severity": "Fatal", + "start_time_dt": "2023-09-21T06:59:23.200Z", + "status": "Success", + "status_detail": "rat forth dishes", + "status_id": "1", + "type_name": "Application Lifecycle: Other", + "type_uid": "600299" + }, + "related": { + "hosts": [ + "allied had insulation", + "zinc.biz", + "knows col covered" + ], + "ip": [ + "81.2.69.142" + ] + }, + "tags": [ + "forwarded", + "amazon_security_lake-event" + ] +} \ No newline at end of file 
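Review bot: the new application_activity/fields/actor-fields.yml defines only `ocsf.user` (with `ldap_person`, `location` and `manager`) and no `ocsf.actor` object, so the file name does not match its contents; rename it (for example user-fields.yml) or confirm that `actor` for this data stream is mapped in another file. In the same hunk, `ocsf.user.type_id` is described as "The account type identifier" although it is the user type identifier (`ocsf.user.account.type_id` already carries the account one), and `ocsf.user.ldap_person.created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time` and `modified_time` are declared `format: epoch_second` while every other `*_time` date field added in this PR (for example `ocsf.vulnerabilities.cve.created_time`) has no format at all. OCSF `timestamp_t` values are milliseconds since the epoch, so either the pipeline must convert these before indexing or the format should be `epoch_millis`; whichever it is, the field files should agree.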
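Review bot: in event/fields/vulnerability-fields.yml, `ocsf.vulnerabilities.cve.cwe` is mapped as `flattened` while `ocsf.vulnerabilities.cwe` is a full group with `caption`, `src_url` and `uid`; both carry the same CWE object, so mapping `cve.cwe` as the same group would let analysts query `cwe.uid` under one field shape at both levels. The hunk also keeps `cve.cwe_uid` and `cve.cwe_url` next to `cve.cwe` without saying why; if they are retained for records produced by sources that still emit the older attributes, a short comment in the file (or a sentence in the README) should say so, otherwise consumers will not know which of the two to rely on.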
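Review bot: in event/manifest.yml the `file_selectors` default is changed from a block scalar into one double-quoted string with `\n` escapes, and the new string has a trailing space before its last newline (`process_parallel: true \n`); if the block scalar was breaking the rendered config the PR should say so, otherwise the block form is easier to read and maintain, and the stray space should be removed either way. The added `index_template.mappings.dynamic: true` on the event stream means every unmapped key in a third-party OCSF record becomes a new indexed field; with the deeply nested OCSF objects this stream ingests, that can hit the index field limit and cause document rejections, so consider `dynamic: runtime` for the unmapped remainder, or keep `dynamic: true` together with a deliberately raised `index.mapping.total_fields.limit`, and document the trade-off for operators.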
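Review bot: in event/sample_event.json the OCSF identifier fields are serialized as strings (`"activity_id": "99"`, `"category_uid": "6"`, `"class_uid": "6002"`, `"type_uid": "600299"`, `"status_id": "1"`, `"device": { "type_id": "0" }`) while `event.severity` is the integer 6; if the pipeline deliberately coerces `*_id` and `*_uid` to keyword that should be stated in the docs, since range queries and numeric aggregations on those fields will not work. The sample is otherwise internally consistent (`severity_id` 6 rendered as `Fatal`, `status_id` 1 as `event.outcome: success`, `type_id` 0 as `host.type: Unknown`), but a sample with a real activity rather than the `99`/`Other` placeholder and generated filler strings in `cloud`, `host` and `ocsf.app` would be more useful to someone checking the mappings.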
diff --git a/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/api-fields.yml 
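Review bot: two fields in the application_activity actor-fields.yml hunk above ship without a `description`: both copies of `session.mfa` (`type: boolean`), and the `org.*` object in the `user` block whose `uid_alt` is followed directly by `xattributes` (the other three `org.*` copies carry `description: Organization and org unit related to the user.`). Add the same line to the missing copy, and give `mfa` a one-liner along the lines of "Indicates whether MFA was used for the session", which the sibling `session.is_mfa` already documents. Also `ldap_person.ldap_dn` runs two sentences together ("...X.500 directory service For example, cn=John Doe,..."); add the period.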
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml new file mode 100644 index 000000000000..74d4ea4ae382 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/assignee-fields.yml 
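Review bot: the `containers` description in both `api.request` and `api.response` of api-fields.yml reads "write to the standard the output of a particular logging driver"; drop the second "the". Separately, this file re-types fields that the findings fields.yml previously defined: `response.code` goes from `long` to `integer`, `response.error_message` from `keyword` to `text`, and `api.group.desc` is `text` while every other `groups.desc` in this patch is `keyword`. Type changes are acceptable in a 2.0.0 release, but list them explicitly in the changelog entry, since existing visualizations aggregating on `error_message` will stop working, and use one type for `desc` across objects.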
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: assignee + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. 
+ - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. 
+ - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml index 2b6a3f72f7a0..cde591e75479 100644 --- a/packages/amazon_security_lake/data_stream/findings/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/findings/fields/fields.yml 
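Review bot: `assignee` in assignee-fields.yml duplicates the actor `user` object field-for-field, so the same description slip recurs: `ldap_person.ldap_dn` lacks a period before "For example, cn=John Doe,...". Fix it here and in actor-fields.yml. `manager` carries only `description: Manager` and stops at `uid_alt` (no `ldap_person`, `location` or nested `manager`), presumably a deliberate nesting cut-off; say so in that description so the next reader does not have to diff the two blocks to find out.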
@@ -57,57 +57,28 @@ - name: version type: keyword description: 'The analytic version. For example: 1.1.' - - name: api + - name: assignee_group type: group + description: The details of the group assigned to an Incident. fields: - - name: operation + - name: desc + type: text + description: The group description. + - name: domain type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges type: keyword - description: The version of the API service. + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: attacks type: group fields: 
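Review bot: `assignee_group.desc` is `type: text`, while the `desc` of every `groups` object added elsewhere in this patch is `keyword`; the same OCSF group attribute should map to one type so a single query or aggregation works across `assignee_group`, `actor.user.groups` and `api.group`. Removing the `api` block here is correct only because api-fields.yml in the same data stream now defines `ocsf.api`; a one-line mention in the PR description would stop the move being read as a field deletion.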
@@ -200,16 +171,29 @@ description: The availability zone in the cloud region, as defined by the cloud provider. - name: compliance type: group + description: The compliance object provides context to compliance findings. fields: - - name: status_detail + - name: control type: keyword - description: The status details contains additional information about the event outcome. + description: A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls. - name: requirements type: keyword - description: A list of applicable compliance requirements for which this finding is related to. + description: A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10. + - name: standards + type: keyword + description: Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001. - name: status type: keyword - description: The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. + description: The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. + - name: status_code + type: keyword + description: The resultant status code of the compliance check. + - name: status_detail + type: text + description: The contextual description of the status, status_code values. + - name: status_id + type: integer + description: The normalized status identifier of the compliance check. - name: confidence type: keyword description: The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. 
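Review bot: `compliance.status_detail` changes from `keyword` to `text`, which removes exact-match and aggregation on that field; if intended, mark it as breaking. `compliance.status_id` is mapped as `integer` while the `*_id` enum fields in the new files (`account.type_id`, `user.type_id`) are `keyword`; pick one representation for OCSF `_id` enums. Two description nits: "A Control is prescriptive, prioritized, and simplified set" is missing an article ("a prescriptive..."), and "associated to" should read "associated with".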
@@ -225,6 +209,9 @@ - name: data_sources type: keyword description: The data sources for the finding. + - name: desc + type: keyword + description: The short description of the incident. - name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -239,6 +226,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword @@ -255,6 +243,9 @@ - name: evidence type: flattened description: The data the finding exposes to the analyst. + - name: evidences + type: flattened + description: Describes various evidence artifacts associated to the activity/activities that triggered a security detection. - name: finding type: group fields: @@ -312,6 +303,12 @@ - name: kb_articles type: keyword description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references + type: keyword + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: src_url type: keyword description: The URL pointing to the source of the finding. 
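Review bot: in the `enrichments.data` hunk, please confirm that `ignore_malformed: true` is accepted on a `flattened` field by every Elasticsearch version this package targets; if the mapper rejects the parameter the index template fails to install for the whole data stream, and even where it is accepted it silently discards the offending value, so handling non-object enrichment data in the ingest pipeline (with an `on_failure` tag) is more observable. Separately, the new `desc` field here is `keyword` while `firewall_rule.desc` in the next hunk is `text`; free-form descriptions should use one type consistently (keyword with `ignore_above` if they must be aggregatable, text otherwise). Keeping both `evidence` and the new OCSF `evidences` as `flattened` is fine for compatibility, but the `evidence` description should say it is retained for older events.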
@@ -327,6 +324,46 @@ - name: uid type: keyword description: The unique identifier of the reported finding. + - name: firewall_rule + description: The Firewall Rule object represents a specific rule within a firewall policy or event. + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: text + description: The rule trigger condition for the rule. For example, SQL_INJECTION. + - name: desc + type: text + description: The description of the rule that generated the event. + - name: duration + type: integer + description: The rule response time duration, usually used for challenge completion time. + - name: match_details + type: keyword + description: The data in a request that rule matched. + - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER. + - name: name + type: keyword + description: The name of the rule that generated the event. + - name: rate_limit + type: integer + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. For example, HIGH. + - name: type + type: keyword + description: The rule type. + - name: uid + type: keyword + description: The unique identifier of the rule that generated the event. + - name: version + type: keyword + description: The rule version. For example, 1.1. - name: impact type: keyword description: The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source. 
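Review bot: `firewall_rule.duration` and `firewall_rule.rate_limit` are mapped as `integer`, while the event-level `duration` earlier in this file is `long`; a 32-bit integer overflows for millisecond durations or request-count limits above about 2.1 billion and the document is then rejected at index time, so `type: long` for both is the safer choice and matches the existing convention. `match_details` is `keyword` although it carries arbitrary request data that can easily exceed `ignore_above`; either map it as `text` with a keyword multi-field or note the truncation in the description. Wording: "The data in a request that rule matched" should be "that the rule matched".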
@@ -408,18 +445,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: The two letter lower case language codes, as defined by ISO 639-1. 
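Review bot: replacing the explicit `feature.name`, `feature.uid` and `feature.version` definitions with `feature.*` as `object` plus `object_type: keyword` / `object_type_mapping_type: "*"` maps every leaf that appears under `product.feature` as keyword, so numeric values are stored as strings and the three known sub-fields lose their descriptions in the exported field reference; please also confirm how a nested object under `feature` is handled, since a keyword mapper cannot hold an object value. Suggest keeping the three explicit entries alongside the wildcard, or at least listing the known keys in the object description.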
@@ -462,108 +492,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: nist type: keyword description: The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. 
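Review bot: this hunk removes the entire `metadata` group (`correlation_uid`, `event_code`, `extension.*`, `log_*`, the `*_time` date fields, `product.*`, `profiles`, `sequence`, `uid`, `version`) from this data stream's field definitions and shows no replacement; if the object definitions were relocated to a shared fields file, please confirm that a `metadata` definition is still loaded for `application_activity`, otherwise `metadata.*` falls back to dynamic mapping and `metadata.logged_time`, `modified_time` and `processed_time` lose their `date` type. A sentence in the PR description pointing to where each removed object now lives would make the relocation reviewable.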
@@ -597,1631 +525,33 @@ - name: value type: keyword description: The value associated with the observable attribute. - - name: process + - name: priority + type: keyword + description: The priority, normalized to the caption of the priority_id value. + - name: priority_id + type: integer + description: The priority, normalized to the ID of the priority_id value. + - name: remediation type: group fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line + - name: desc type: keyword - description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. 
- - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid + description: The description of the remediation strategy. + - name: kb_articles type: keyword - description: The effective group under which this process is running. - - name: euid + description: The KB article/s related to the entity. + - name: kb_article_list + type: flattened + description: A list of KB articles or patches related to an endpoint. + - name: references type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' 
- - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' 
- - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' 
- - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. 
For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' 
- - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' 
- - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. 
- - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). 
- - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. 
- - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. 
- - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. 
- - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The short name of the endpoint. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The name of the network interface (e.g. eth2). - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). 
- - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
- - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + description: A list of supporting URL/s, references that help describe the remediation strategy. - name: raw_data type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword - - name: resources - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality - type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name - type: keyword - description: The name of the resource. - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region - type: keyword - description: The cloud region of the resource. - - name: type - type: keyword - description: The resource type as defined by the event source. - - name: uid - type: keyword - description: The unique identifier of the resource. - - name: version - type: keyword - description: The version of the resource. For example 1.2.3. + type: match_only_text + description: The raw event data keyword as received from the event source. - name: risk_level type: keyword description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. @@ -2237,6 +567,9 @@ - name: severity_id type: long description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. + - name: src_url + type: keyword + description: A Url link used to access the original incident. - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. 
@@ -2279,144 +612,9 @@ - name: unmapped type: flattened description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. - - name: vulnerabilities - type: group - fields: - - name: cve - type: group - fields: - - name: created_time - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: created_time_dt - type: date - description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - name: cvss - type: group - fields: - - name: base_score - type: double - description: 'The CVSS base score. For example: 9.1.' - - name: depth - type: keyword - description: The CVSS depth represents a depth of the equation used to calculate CVSS score. - - name: metrics - type: group - fields: - - name: name - type: keyword - description: The name of the metric. - - name: value - type: keyword - description: The value of the metric. - - name: overall_score - type: double - description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' - - name: severity - type: keyword - description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. - - name: vector_string - type: keyword - description: 'The CVSS vector string is a text representation of a set of CVSS metrics. 
It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' - - name: version - type: keyword - description: 'The CVSS version. For example: 3.1.' - - name: cwe_uid - type: keyword - description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' - - name: cwe_url - type: keyword - description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' - - name: modified_time - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: modified_time_dt - type: date - description: The Record Modified Date identifies when the CVE record was last updated. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: type - type: keyword - description: The vulnerability type as selected from a large dropdown menu during CVE refinement. 
- - name: uid - type: keyword - description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' - - name: desc - type: keyword - description: The description of the vulnerability. - - name: fix_available - type: boolean - description: Indicates if a fix is available for the reported vulnerability. - - name: kb_articles - type: keyword - description: The KB article/s related to the entity. - - name: packages - type: group - fields: - - name: architecture - type: keyword - description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. - - name: epoch - type: long - description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. - - name: license - type: keyword - description: The software license applied to this package. - - name: name - type: keyword - description: The software package name. - - name: release - type: keyword - description: Release is the number of times a version of the software has been packaged. - - name: version - type: keyword - description: The software package version. - - name: references - type: keyword - description: Supporting reference URLs. - - name: related_vulnerabilities - type: keyword - description: List of vulnerabilities that are related to this vulnerability. - - name: severity - type: keyword - description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. - - name: title - type: keyword - description: The title of the vulnerability. - - name: vendor_name - type: keyword - description: The vendor who identified the vulnerability. + - name: verdict + type: keyword + description: The verdict assigned to an Incident finding. 
+ - name: verdict_id + type: integer + description: The normalized verdict of an Incident. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml new file mode 100644 index 000000000000..3349999ea2bc --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/finding-info-fields.yml 
@@ -0,0 +1,137 @@ +- name: ocsf + type: group + fields: + - name: finding_info + type: group + description: Describes the supporting information about a generated finding. + fields: + - name: uid + type: keyword + description: The unique identifier of the reported finding. + - name: title + type: text + description: A title or a brief phrase summarizing the reported finding. + - name: desc + type: text + description: The description of the reported finding. + - name: created_time + type: long + description: The time when the finding was created. + - name: created_time_dt + type: date + description: The time (date) when the finding was created. + - name: first_seen_time + type: long + description: The time when the finding was first observed. + - name: first_seen_time_dt + type: date + description: The time (date) when the finding was first observed. + - name: last_seen_time + type: long + description: The time when the finding was most recently observed. + - name: last_seen_time_dt + type: date + description: The time (date) when the finding was most recently observed. + - name: modified_time + type: long + description: The time when the finding was last modified. + - name: modified_time_dt + type: date + description: The time (date) when the finding was last modified. + - name: src_url + type: keyword + description: The URL pointing to the source of the finding. + - name: product_uid + type: keyword + description: The unique identifier of the product that reported the finding. + - name: types + type: keyword + description: One or more types of the reported finding. + - name: data_sources + type: keyword + description: A list of data sources utilized in generation of the finding. + - name: analytic + type: group + description: The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion. + fields: + - name: category + type: keyword + description: The analytic category. 
+ - name: desc + type: text + description: The description of the analytic that generated the finding. + - name: name + type: keyword + description: The name of the analytic that generated the finding. + - name: related_analytics + type: flattened + description: Other analytics related to this analytic. + - name: type + type: keyword + description: The analytic type. + - name: type_id + type: keyword + description: The analytic type ID. + - name: uid + type: keyword + description: The unique identifier of the analytic that generated the finding. + - name: version + type: keyword + description: The analytic version. For example, 1.1. + - name: attacks + type: group + description: MITRE ATT&CK Details. + fields: + - name: sub_technique + type: flattened + description: The Sub Technique object describes the sub technique ID and/or name associated to an attack. + - name: tactic + type: flattened + description: The Tactic object describes the tactic ID and/or name that is associated to an attack. + - name: tactics + type: flattened + description: The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique. + - name: technique + type: flattened + description: The Technique object describes the technique ID and/or name associated to an attack, as defined by ATT&CK MatrixTM. + - name: version + type: keyword + description: The ATT&CK MatrixTM version. + - name: kill_chain + type: group + description: The Cyber Kill Chain provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. + fields: + - name: phase + type: keyword + description: The cyber kill chain phase. + - name: phase_id + type: integer + description: The cyber kill chain phase identifier. + - name: related_analytics + type: flattened + description: Other analytics related to this finding. 
+ - name: related_events + type: group + description: Describes events and/or other findings related to the finding as identified by the security product. + fields: + - name: attacks + type: flattened + description: MITRE ATT&CK Details. + - name: kill_chain + type: flattened + description: The Cyber Kill Chain provides a detailed description of each phase and its associated activities within the broader context of a cyber attack. + - name: observables + type: flattened + description: The observables associated with the event or a finding. + - name: product_uid + type: keyword + description: The unique identifier of the product that reported the related event. + - name: type + type: keyword + description: The type of the related event. For example, Process Activity, Launch. + - name: type_uid + type: integer + description: The unique identifier of the related event type. For example, 100701. + - name: uid + type: keyword + description: The unique identifier of the related event. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/metadata-fields.yml 
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml new file mode 100644 index 000000000000..9a2a81816026 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/process-fields.yml 
@@ -0,0 +1,1388 @@ +- name: ocsf + type: group + fields: + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
+ - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. 
+ - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. 
+ - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. 
+ - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. 
+ - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: 'The full command line used to launch an application, service, process, or job. For example: ssh user@10.0.0.10. If the command line is unavailable or missing, the empty string '''' is to be used.' + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. 
+ - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: 'The full container unique identifier for this instantiation of the container. For example: ac2ea168264a08f9aaca0dfc82ff3551418dfd22d02b713142a6843caa2f61bf.' + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. 
+ - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. 
+ - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. 
+ - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. 
+ - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: keyword + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. 
+ - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. + - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The short name of the endpoint. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The name of the network interface (e.g. eth2). + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. 
+ - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The short name of the endpoint. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The name of the network interface (e.g. eth2). + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/resource-fields.yml 
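Review bot: Two session sub-field descriptions in this hunk are copy-paste errors: `session.created_time_dt` is described as "The short name of the endpoint." and `session.expiration_time_dt` as "The name of the network interface (e.g. eth2)." (in both the top-level process and the nested `parent_process` copy); they should read "The time when the session was created." and "The session expiration time." to match their non-`_dt` siblings. In the same hunk, `integrity` says "normalized to the caption of the direction_id value" where `integrity_id` is meant, `parent_process_keyword` is the only field without a description, `org.*` carries a description in some copies but not in others, and the file `uid` description reads "such the file system file ID" (missing "as"). Suggest fixing these in this PR since the descriptions are what readers of the field list will see.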
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml new file mode 100644 index 000000000000..621cf5229443 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/findings/fields/vulnerability-fields.yml 
@@ -0,0 +1,162 @@ +- name: ocsf + type: group + fields: + - name: vulnerabilities + type: group + fields: + - name: cve + type: group + fields: + - name: created_time + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: created_time_dt + type: date + description: The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. + - name: cvss + type: group + fields: + - name: base_score + type: double + description: 'The CVSS base score. For example: 9.1.' + - name: depth + type: keyword + description: The CVSS depth represents a depth of the equation used to calculate CVSS score. + - name: metrics + type: group + fields: + - name: name + type: keyword + description: The name of the metric. + - name: value + type: keyword + description: The value of the metric. + - name: overall_score + type: double + description: 'The CVSS overall score, impacted by base, temporal, and environmental metrics. For example: 9.1.' + - name: severity + type: keyword + description: The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. + - name: vector_string + type: keyword + description: 'The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H.' 
+ - name: version + type: keyword + description: 'The CVSS version. For example: 3.1.' + - name: cwe + type: flattened + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + - name: cwe_uid + type: keyword + description: 'The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787.' + - name: cwe_url + type: keyword + description: 'Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html.' + - name: desc + type: keyword + description: The description of the vulnerability. + - name: epss + type: flattened + description: The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. + - name: fix_available + type: boolean + description: Indicates if a fix is available for the reported vulnerability. + - name: modified_time + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: modified_time_dt + type: date + description: The Record Modified Date identifies when the CVE record was last updated. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. 
+ - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: type + type: keyword + description: The vulnerability type as selected from a large dropdown menu during CVE refinement. + - name: uid + type: keyword + description: 'The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345.' + - name: references + type: keyword + description: Supporting reference URLs. + - name: title + type: keyword + description: The title of the cve. + - name: kb_articles + type: keyword + description: The KB article/s related to the entity. + - name: cwe + type: group + description: The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. + fields: + - name: caption + type: keyword + description: The caption assigned to the Common Weakness Enumeration unique identifier. + - name: src_url + type: keyword + description: URL pointing to the CWE Specification. + - name: uid + type: keyword + description: The Common Weakness Enumeration unique number assigned to a specific weakness. + - name: packages + type: group + fields: + - name: architecture + type: keyword + description: Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. + - name: epoch + type: long + description: The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. + - name: license + type: keyword + description: The software license applied to this package. + - name: name + type: keyword + description: The software package name. 
+ - name: release + type: keyword + description: Release is the number of times a version of the software has been packaged. + - name: version + type: keyword + description: The software package version. + - name: references + type: keyword + description: Supporting reference URLs. + - name: related_vulnerabilities + type: keyword + description: List of vulnerabilities that are related to this vulnerability. + - name: severity + type: keyword + description: The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source. + - name: title + type: keyword + description: The title of the vulnerability. + - name: vendor_name + type: keyword + description: The vendor who identified the vulnerability. diff --git a/packages/amazon_security_lake/data_stream/findings/manifest.yml b/packages/amazon_security_lake/data_stream/findings/manifest.yml index 38c95d073a94..6cc244e9afe4 100644 --- a/packages/amazon_security_lake/data_stream/findings/manifest.yml +++ b/packages/amazon_security_lake/data_stream/findings/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Findings Events dataset: amazon_security_lake.findings type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/api-fields.yml 
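Review bot: In the session object, `mfa` (boolean, directly after `issuer`) has no description and overlaps with `is_mfa` a few lines further down, which does carry one; either document `mfa` as the retained pre-1.1 name of the same flag or drop it so the two cannot drift apart. Timestamp handling is also inconsistent inside this file: the ldap_person timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are declared with `format: epoch_second`, while session `created_time`/`expiration_time` and the user-level dates have no format at all. OCSF `timestamp_t` values are milliseconds since the epoch, so unless the pipeline converts them, `epoch_second` will parse a 13-digit value as seconds and produce dates far in the future; pick one convention for the whole package and verify it against what the source actually emits. Minor: the first `org.*` object lacks the `description: Organization and org unit related to the user.` that the later copies have, and `xattributes` is described as "a process extended attribute" although it sits among user fields.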
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/device-fields.yml 
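Review bot: `api.group.desc` is declared `type: text` while every other group `desc` in this change (the actor `groups` and device `groups` objects) is `keyword`; unless there is a reason to full-text search this one field, make it `keyword` so it behaves the same in aggregations and filters. In the same file, `containers.size` is `integer` under both `request` and `response`, but the mapping being removed from iam/fields/fields.yml had container `size` as `long`; image sizes in bytes can exceed 2^31, so keep `long`. The containers description, "the set of containers which write to the standard the output of a particular logging driver", is garbled in both places and should read "to the standard output".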
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml index ab245e5d92b0..604c94947a96 100644 --- a/packages/amazon_security_lake/data_stream/iam/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/iam/fields/fields.yml 
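Review bot: `device.subnet` is typed `ip_range` but described as "The subnet mask."; Elasticsearch's `ip_range` only accepts CIDR notation or an explicit gte/lte range, so a dotted mask such as 255.255.255.0 will raise a mapping exception and the whole document will be rejected. Either have the pipeline normalise the value to CIDR (and drop it when it cannot) or map the field as `keyword`. Two copy/paste slips in the same file: `device.uid_alt` still carries the user description ("The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.") rather than describing an alternate device identifier, and `created_time_dt` reads "TThe time when the device was known to have been created." Also note that `network_interfaces` is a plain `group`, so an array of interfaces is flattened on indexing and the pairing of `ip`/`mac`/`name` across interfaces is lost at query time; if that pairing matters for investigations, consider `nested` or document the caveat alongside the mapping-depth note in the README.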
@@ -7,1713 +7,6 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. 
- - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. 
- - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. 
In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the feature. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. 
- - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' 
- - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. 
GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. 
For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
- - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. 
- - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - name: auth_protocol type: keyword description: The authentication protocol as defined by the caption of 'auth_protocol_id'. 
In the case of 'Other', it is defined by the event source. 
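Review bot: this hunk removes a block of explicitly typed process, session, user and api fields (the `created_time`/`expiration_time`/`terminated_time` `date` fields, `pid`/`tid`/`size` as `long`, `session.is_remote` and `session.mfa` as `boolean`, `xattributes` and `parent_process` as `flattened`) and the lines that re-declare them are not in this hunk. If these paths now fall under a dynamic keyword mapping, date range and numeric queries on them stop working and `session.mfa`, which already shipped here with no description, stays undocumented; please point to where the replacements live. Two cleanups are worth confirming in the replacement as well: the removed `type` description that read "The event occurred on a personal device.The type of the user..." was a copy-paste error and should not be carried over, and the removed `parent_process_keyword` field with `ignore_above: 1024` had no description and no obvious producer, so drop it or document it rather than re-add it as is.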
@@ -1795,444 +88,33 @@ - name: name type: keyword description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: project_uid - type: keyword - description: The unique identifier of a Cloud project. - - name: provider - type: keyword - description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. - - name: region - type: keyword - description: The name of the cloud region, as defined by the cloud provider. - - name: zone - type: keyword - description: The availability zone in the cloud region, as defined by the cloud provider. - - name: comment - type: keyword - description: The user provided comment about why the entity was changed. - - name: count - type: long - description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' 
- - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' 
- - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. 
- - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. 
- - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. 
- - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code + - name: ou_name type: keyword - description: The postal code of the location. - - name: provider + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid type: keyword - description: The provider of the geographical location data. - - name: region + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid type: keyword - description: The service name in service-to-service connections. 
For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid + description: The unique identifier of a Cloud project. + - name: provider type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid + description: The name of the cloud region, as defined by the cloud provider. + - name: zone type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: comment + type: keyword + description: The user provided comment about why the entity was changed. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - name: duration type: long description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. @@ -2247,6 +129,7 @@ fields: - name: data type: flattened + ignore_malformed: true description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - name: name type: keyword 
@@ -2530,21 +413,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -2626,21 +498,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -2731,21 +592,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -2812,21 +662,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -2848,18 +687,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' @@ -3142,21 +974,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -3179,201 +1001,15 @@ type: keyword description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. 
- - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator type: group fields: - name: account 
@@ -3424,21 +1060,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -3451,389 +1077,295 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path + - name: desc type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid + - name: algorithm type: keyword - description: The unique identifier of the product. - - name: vendor_name + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id type: keyword - description: The name of the vendor of the product. - - name: version + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type type: keyword - description: The object security descriptor. - - name: signature + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier type: group fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate + - name: account type: group fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. 
- - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version + - name: name type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm + description: The name of the account (e.g. GCP Account Name). + - name: type type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The normalized account type identifier. + - name: uid type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. 
For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The type of the user. For example, System, AWS IAM User, etc. - name: type_id type: keyword - description: The normalized account type identifier. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. 
- - name: full_name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: 'The name of the file. For example: svchost.exe.' + - name: owner type: group fields: - - name: desc + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: The group description. - - name: name + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The group name. - - name: privileges + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The group privileges. + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword - description: The type of the group or account. + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder type: keyword - description: The username. For example, janedoe1. - - name: org + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product type: group fields: - - name: name + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The name of the product. + - name: path type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + description: The installation path of the product. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. 
- - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor type: keyword - description: The name of the account (e.g. GCP Account Name). + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. 
+ - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. - name: type type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + description: The file type. - name: type_id type: keyword - description: The normalized account type identifier. + description: The file type ID. - name: uid type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group type: group fields: - name: desc 
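Review bot: Typo in the added `uid` description for the file object near the end of this hunk: "such the file system file ID" should read "such as the file system file ID". While touching that block, the `type_id` entries for the signature and digest objects (`algorithm_id`, `type_id`) are mapped as `keyword` even though OCSF defines these `*_id` attributes as integer enums; that is consistent with the rest of the file, but a one-line comment in the YAML saying the keyword mapping is intentional (so enum values sort and aggregate as strings) would save the next reader from "fixing" it to `long`.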
@@ -3851,223 +1383,201 @@ - name: uid type: keyword description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type + - name: integrity type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id type: keyword - description: The account type identifier. - - name: uid + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. 
- - name: logon_type - type: keyword - description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. - - name: logon_type_id - type: keyword - description: The normalized logon type identifier - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: + description: The list of loaded module names. - name: name type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. + - name: parent_process_keyword type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. 
- - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature + description: The name of the containment jail (i.e., sandbox). 
For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session type: group fields: - - name: name + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer type: keyword - description: The name of the feature. + description: The identifier of the session issuer. + - name: mfa + type: boolean - name: uid type: keyword - description: The unique identifier of the feature. - - name: version + description: The unique identifier of the session. + - name: uuid type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. - name: uid type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. 
- - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. - - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - - name: observables - type: group - fields: - - name: name - type: keyword - description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.' - - name: reputation - type: group - fields: - - name: base_score - type: double - description: The reputation score as reported by the event source. - - name: provider - type: keyword - description: The provider of the reputation information. - - name: score - type: keyword - description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. - - name: score_id - type: keyword - description: The normalized reputation score identifier. - - name: type - type: keyword - description: The observable value type name. - - name: type_id - type: keyword - description: The observable value type identifier. - - name: value - type: keyword - description: The value associated with the observable attribute. 
- - name: privileges - type: keyword - description: The list of sensitive privileges, assigned to the new user session. - - name: raw_data - type: flattened - description: The event data as received from the event source. - - name: resource - type: group - fields: - - name: cloud_partition - type: keyword - description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' - - name: criticality + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox type: keyword - description: The criticality of the resource as defined by the event source. - - name: data - type: flattened - description: Additional data describing the resource. - - name: group + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session type: group fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid type: keyword - description: The group privileges. 
- - name: type + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer type: keyword - description: The type of the group or account. + description: The identifier of the session issuer. + - name: mfa + type: boolean - name: uid type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: labels - type: keyword - description: The list of labels/tags associated to a resource. - - name: name + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid type: keyword - description: The name of the resource. - - name: owner + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user type: group fields: - name: account 
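Review bot: Copy-paste error in the new `integrity` description at the top of this hunk: it says "normalized to the caption of the direction_id value", but the companion field added right below it is `integrity_id`, so the text should read "normalized to the caption of the integrity_id value". Two other added fields in this hunk ship without a `description`: `parent_process_keyword` (type: keyword, ignore_above: 1024) and the `org.*` dynamic object (object_type: keyword, object_type_mapping_type: "*"); please add one each, in particular stating that `parent_process_keyword` is a string rendering of the flattened `parent_process` object, since the name alone does not make its relationship to `parent_process` obvious.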
@@ -4145,18 +1655,57 @@ - name: uid_alt type: keyword description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: region + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: logon_type + type: keyword + description: The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. + - name: logon_type_id + type: keyword + description: The normalized logon type identifier + - name: message + type: keyword + description: The description of the event, as defined by the event source. + - name: observables + type: group + fields: + - name: name type: keyword - description: The cloud region of the resource. + description: 'The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name.' + - name: reputation + type: group + fields: + - name: base_score + type: double + description: The reputation score as reported by the event source. + - name: provider + type: keyword + description: The provider of the reputation information. + - name: score + type: keyword + description: The reputation score, normalized to the caption of the score_id value. In the case of 'Other', it is defined by the event source. + - name: score_id + type: keyword + description: The normalized reputation score identifier. - name: type type: keyword - description: The resource type as defined by the event source. - - name: uid + description: The observable value type name. + - name: type_id type: keyword - description: The unique identifier of the resource. - - name: version + description: The observable value type identifier. + - name: value type: keyword - description: The version of the resource. For example 1.2.3. + description: The value associated with the observable attribute. 
+ - name: privileges + type: keyword + description: The list of sensitive privileges, assigned to the new user session. + - name: raw_data + type: flattened + description: The event data as received from the event source. + - name: raw_data_keyword + type: match_only_text + description: The raw event data keyword as received from the event source. - name: service type: group fields: 
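Review bot: The name and type of the added `raw_data_keyword` field contradict each other: it is named `_keyword` but mapped as `match_only_text`, and its description ("The raw event data keyword as received from the event source") does not explain why the raw event is stored a second time next to the `flattened` `raw_data`. Suggest either renaming it to reflect the text mapping or expanding the description to say it exists so the raw payload can be searched as text (flattened fields are not full-text searchable). Minor: the added `logon_type_id` description is the only one in the hunk without a trailing period.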
@@ -4210,87 +1759,6 @@ - name: severity_id type: long description: The normalized identifier of the event severity. The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events. - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. 
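Review bot: This hunk drops the whole `src_endpoint` group (domain, hostname, ip, location.coordinates as geo_point, port, vpc_uid, ...) from this data stream's field definitions without adding a replacement. If the intent is that it now lives in the new `network-endpoint-fields.yml`, please confirm `src_endpoint` is actually defined there; the visible portion of that file only declares `dst_endpoint`. If `src_endpoint` is not re-declared, `src_endpoint.ip` would lose its `ip` mapping and `src_endpoint.location.coordinates` its `geo_point` mapping, which silently breaks map visualizations and CIDR queries on authentication sources.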
@@ -4327,84 +1795,6 @@ - name: unmapped type: flattened description: The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. 
- - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - name: user_result type: group fields: diff --git a/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/metadata-fields.yml 
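Review bot: This hunk removes the top-level `user` group (account, credential_uid, domain, email_addr, groups, org, uid_alt, ...) that sits between `unmapped` and `user_result`, and no hunk in this diff re-adds a top-level `user`; the `user` objects added elsewhere in the patch are nested under process objects. For the IAM data stream the top-level `user` is the primary subject of Account Change and Authentication events, so please point to the new fields file that defines it (following the actor-fields.yml / metadata-fields.yml split introduced by this PR) or restore it here; otherwise these attributes fall back to dynamic mapping and `user.account.type_id` and friends can end up with different types across indices.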
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..91fca432e6eb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/network-endpoint-fields.yml 
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml new file mode 100644 index 000000000000..e3d9d54d6704 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/resource-fields.yml 
@@ -0,0 +1,141 @@ +- name: ocsf + type: group + fields: + - name: resources + type: group + fields: + - name: cloud_partition + type: keyword + description: 'The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov).' + - name: criticality + type: keyword + description: The criticality of the resource as defined by the event source. + - name: data + type: flattened + description: Additional data describing the resource. + - name: group + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: labels + type: keyword + description: The list of labels/tags associated to a resource. + - name: name + type: keyword + description: The name of the resource. + - name: namespace + type: keyword + description: The namespace is useful when similar entities exist that you need to keep separate. + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. 
+ - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: type_id + type: keyword + description: The resource group type identifier. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
+ - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: region + type: keyword + description: The cloud region of the resource. + - name: type + type: keyword + description: The resource type as defined by the event source. + - name: type_id + type: keyword + description: The resource type identifier. + - name: uid + type: keyword + description: The unique identifier of the resource. + - name: version + type: keyword + description: The version of the resource. For example 1.2.3. diff --git a/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml new file mode 100644 index 000000000000..904fd937ffa0 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/iam/fields/user-fields.yml 
@@ -0,0 +1,254 @@ +- name: ocsf + type: group + fields: + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. 
For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. + - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. 
+ - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. + - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). 
+ - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. 
+ - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/iam/manifest.yml b/packages/amazon_security_lake/data_stream/iam/manifest.yml index 647d7100d49d..cab4af81f2d6 100644 --- a/packages/amazon_security_lake/data_stream/iam/manifest.yml +++ b/packages/amazon_security_lake/data_stream/iam/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Identity and Access Management Events dataset: amazon_security_lake.iam type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/api-fields.yml 
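Review bot: `integrity_id` on the process object is typed `integer` while every other OCSF enum ID in this hunk (`account.type_id`, `user.type_id`, `file.type_id`, `signature.algorithm_id`, `fingerprints.algorithm_id`) is `keyword`; pick one type for `*_id` enums so a detection rule can compare them the same way across objects, and fix the `integrity` description, which says "normalized to the caption of the direction_id value" where it means `integrity_id`. Two fields ship with no description at all: `parent_process_keyword` (the `keyword` / `ignore_above: 1024` companion to the flattened `parent_process`) and `session.mfa` in both process-level session objects; the outer `actor.session` documents `is_mfa` but still carries the undocumented `mfa`, so state which one the pipeline populates, or that `mfa` is retained for events that still emit the older name. The `ldap_person` timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) declare `format: epoch_second` while no other `*_time` date field in the hunk sets a format; if all sources emit the same timestamp unit that declaration is either redundant or wrong for one side, so confirm the unit and make the `*_time` mappings consistent. Minor: the `org.*` object under the second process block's `user` (after "The username. For example, janedoe1.") lacks the "Organization and org unit related to the user." description the other copies carry, and that same `user` drops `ldap_person` entirely while the first process block maps it as `flattened`; if that asymmetry is deliberate (depth limit), a comment in the file would save the next maintainer from "fixing" it.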
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/device-fields.yml 
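Review bot: `containers.size` under both `api.request` and `api.response` is typed `integer`, which caps at 2^31-1 and will reject an image larger than 2 GiB at ingest; the actor file maps byte sizes as `long` ("The size of data, in bytes."), so use `long` here as well and give the unit in the description, since "The size of the container image." states none. `api.group.desc` is `text` while every other `group.desc` in this PR is `keyword`; a `text` field cannot be used for exact match or terms aggregations, so align it unless there is a reason for the difference. The description repeated under both `containers` blocks, "the set of containers which write to the standard the output of a particular logging driver", has a stray "the" (standard output). `error` is described only as "Error Code." and `error_message` as "Error Message."; say what `error` holds relative to `response.code` ("The numeric response sent to a request.") so the two are not confused, and note that `error` is `keyword` while `code` is `integer`, which is right if `error` can be a non-numeric source code but should be stated. The request and response `containers` sub-objects are verbatim copies; any later change must be applied to both, so at minimum add a comment marking them as mirrored.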
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml index 7dafaf441ca0..247eefdfaa72 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/fields.yml 
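Review bot: in the device fields hunk ending at `zone` just above, `namespace_pid` is declared `type: integer`, while the same OCSF attribute in the process definitions of the network_activity hunk below (`process.namespace_pid`) is `type: long`; use one type for both (long, matching the other pid-style fields) so the same attribute does not end up with two different mappings across data streams. Two descriptions in this hunk look copied from other objects and are wrong for a device: `uid_alt` reads "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID." and should describe the device's alternate identifier, and `subnet` is declared `type: ip_range` but described as "The subnet mask."; an `ip_range` field expects CIDR notation (or a gte/lte object), so a dotted mask value would not be interpreted as the intended subnet, and either the description should say CIDR or the pipeline should convert masks before indexing. Minor wording: "Windows Windows Chassis Types" repeats a word and "Mhz" should be "MHz".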
@@ -7,2508 +7,57 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor - type: group - fields: - - name: authorizations - type: group - fields: - - name: decision - type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy - type: group - fields: - - name: desc - type: keyword - description: The description of the policy. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: 'The policy name. For example: IAM Policy.' - - name: uid - type: keyword - description: A unique identifier of the policy instance. - - name: version - type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid - type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. 
- - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time - type: date - description: The time when the process was created/started. 
- - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. 
- - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. 
- - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. 
- - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: answers - type: group - fields: - - name: class - type: keyword - description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.' - - name: flag_ids - type: keyword - description: The list of DNS answer header flag IDs. - - name: flags - type: keyword - description: The list of DNS answer header flags. - - name: packet_uid - type: keyword - description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - - name: rdata - type: keyword - description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. - - name: ttl - type: long - description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. 
- - name: type - type: keyword - description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.' - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - - name: app_name - type: keyword - description: The name of the application that is associated with the event or object. - - name: attacks - type: group - fields: - - name: tactics - type: group - fields: - - name: name - type: keyword - description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. 
- - name: uid - type: keyword - description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. - - name: technique - type: group - fields: - - name: name - type: keyword - description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' - - name: uid - type: keyword - description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' - - name: version - type: keyword - description: The ATT&CK Matrix version. - - name: attempt - type: long - description: The attempt number for attempting to deliver the email. - - name: banner - type: keyword - description: The initial SMTP connection response that a messaging server receives after it connects to a email server. - - name: capabilities - type: keyword - description: A list of RDP capabilities. - - name: category_name - type: keyword - description: 'The event category name, as defined by category_uid value: Identity & Access Management.' - - name: category_uid - type: keyword - description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. - - name: certificate_chain - type: keyword - description: The list of observed certificates in an RDP TLS connection. - - name: class_name - type: keyword - description: 'The event class name, as defined by class_uid value: Security Finding.' - - name: class_uid - type: keyword - description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. 
- - name: client_dialects - type: keyword - description: The list of SMB dialects that the client speaks. - - name: client_hassh - type: group - fields: - - name: algorithm - type: keyword - description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." - - name: fingerprint - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: cloud - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: project_uid - type: keyword - description: The unique identifier of a Cloud project. - - name: provider - type: keyword - description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. - - name: region - type: keyword - description: The name of the cloud region, as defined by the cloud provider. - - name: zone - type: keyword - description: The availability zone in the cloud region, as defined by the cloud provider. - - name: codes - type: long - description: The list of return codes to the FTP command. - - name: command - type: keyword - description: The command name. - - name: command_responses - type: keyword - description: The list of responses to the FTP command. - - name: connection_info - type: group - fields: - - name: boundary - type: keyword - description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. - - name: boundary_id - type: keyword - description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. - - name: direction - type: keyword - description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. - - name: direction_id - type: keyword - description: The normalized identifier of the direction of the initiated connection, traffic, or email. - - name: protocol_name - type: keyword - description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' 
- - name: protocol_num - type: keyword - description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' - - name: protocol_ver - type: keyword - description: The Internet Protocol version. - - name: protocol_ver_id - type: keyword - description: The Internet Protocol version identifier. - - name: tcp_flags - type: long - description: The network connection TCP header flags (i.e., control bits). - - name: uid - type: keyword - description: The unique identifier of the connection. - - name: count - type: long - description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: dce_rpc - type: group - fields: - - name: command - type: keyword - description: The request command (e.g. REQUEST, BIND). - - name: command_response - type: keyword - description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). - - name: flags - type: keyword - description: The list of interface flags. - - name: opnum - type: long - description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. - - name: rpc_interface - type: group - fields: - - name: ack_reason - type: long - description: An integer that provides a reason code or additional information about the acknowledgment result. - - name: ack_result - type: long - description: An integer that denotes the acknowledgment result of the DCE/RPC call. - - name: uuid - type: keyword - description: The unique identifier of the particular remote procedure or service. - - name: version - type: keyword - description: The version of the DCE/RPC protocol being used in the session. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. 
- - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' 
- - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. - - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. 
- - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. - - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. 
- - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. - - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. 
- - name: subnet_prefix - type: long - description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. 
- - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. - - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: dialect - type: keyword - description: The negotiated protocol dialect. - - name: direction - type: keyword - description: The direction of the email, as defined by the direction_id value. 
- - name: direction_id - type: keyword - description: The direction of the email relative to the scanning host or organization. - - name: disposition - type: keyword - description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. - - name: disposition_id - type: keyword - description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. - - name: dst_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. 
- - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. - - name: email + - name: action_id + type: integer + description: The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. 
+ - name: action + type: keyword + description: The normalized caption of action_id. + - name: answers type: group fields: - - name: cc - type: keyword - description: The email header Cc values, as defined by RFC 5322. - - name: delivered_to + - name: class type: keyword - description: The Delivered-To email header field. - - name: from + description: 'The class of DNS data contained in this resource record. See RFC1035. For example: IN.' + - name: flag_ids type: keyword - description: The email header From values, as defined by RFC 5322. - - name: message_uid + description: The list of DNS answer header flag IDs. + - name: flags type: keyword - description: The email header Message-Id value, as defined by RFC 5322. - - name: raw_header + description: The list of DNS answer header flags. + - name: packet_uid type: keyword - description: The email authentication header. - - name: reply_to + description: The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. + - name: rdata type: keyword - description: The email header Reply-To values, as defined by RFC 5322. - - name: size + description: The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. + - name: ttl type: long - description: The size in bytes of the email, including attachments. - - name: smtp_from - type: keyword - description: The value of the SMTP MAIL FROM command. - - name: smtp_to - type: keyword - description: The value of the SMTP envelope RCPT TO command. - - name: subject - type: keyword - description: The email header Subject value, as defined by RFC 5322. - - name: to - type: keyword - description: The email header To values, as defined by RFC 5322. - - name: uid - type: keyword - description: The email unique identifier. - - name: x_originating_ip - type: ip - description: The X-Originating-IP header identifying the emails originating IP address(es). 
- - name: email_auth - type: group - fields: - - name: dkim - type: keyword - description: The DomainKeys Identified Mail (DKIM) status of the email. - - name: dkim_domain - type: keyword - description: The DomainKeys Identified Mail (DKIM) signing domain of the email. - - name: dkim_signature - type: keyword - description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. - - name: dmarc - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. - - name: dmarc_override - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. - - name: dmarc_policy - type: keyword - description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. - - name: spf + description: The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. + - name: type type: keyword - description: The Sender Policy Framework (SPF) status of the email. - - name: email_uid + description: 'The type of data contained in this resource record. See RFC1035. For example: CNAME.' + - name: app_name type: keyword - description: The unique identifier of the email, used to correlate related email alert and activity events. - - name: end_time - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: end_time_dt - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: enrichments + description: The name of the application that is associated with the event or object. + - name: authorizations type: group fields: - - name: data - type: flattened - description: The enrichment data associated with the attribute and value. 
The meaning of this data depends on the type the enrichment record. - - name: name - type: keyword - description: The name of the attribute to which the enriched data pertains. - - name: provider + - name: decision type: keyword - description: The enrichment data provider name. - - name: type - type: keyword - description: The enrichment type. For example, location. - - name: value - type: keyword - description: The value of the attribute to which the enriched data pertains. - - name: expiration_time - type: date - description: The share expiration time. - - name: expiration_time_dt - type: date - description: The share expiration time. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name + - name: desc type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups + description: The description of the policy. + - name: group type: group fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. - name: desc type: keyword description: The group description. 
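Review bot: the enum identifier fields added in this hunk are typed inconsistently. `+ - name: action_id` gets `+ type: integer`, but `+ - name: flag_ids` under the re-added `answers` group keeps `+ type: keyword`, and the `type_id`/`category_uid`/`class_uid` fields elsewhere in the file remain `keyword` as well. OCSF declares all of these as integer_t, and mapping the same kind of value two ways in one data stream forces queries to compare `action_id: 1` against `type_id: "1"` and blocks numeric range filters on the keyword ones. Since 2.0.0 is already a breaking major (the changelog entry calls out the pipeline rework), this is the release to align them: either `type: integer` for every `*_id` enum field, or `keyword` everywhere with the reason stated in the README. While here, the new `authorizations` group matches OCSF 1.1's `authorization` object (`decision` plus `policy` with `desc`, `group`, `name`, `uid`, `version`), but the `policy.group` subobject now carries a `domain` field that the `groups` objects removed higher in this hunk never had; a one-line PR note that this is deliberate (group object per 1.1.0) would save the next reader a schema lookup.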
@@ -2526,134 +75,71 @@ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. + description: 'The policy name. For example: IAM Policy.' - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: A unique identifier of the policy instance. + - name: version type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. 
- - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator + description: The policy version number. + - name: attacks + type: group + fields: + - name: tactics type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. 
For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: uid type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: technique + type: group + fields: + - name: name type: keyword - description: The account type identifier. + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc + description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' + - name: version + type: keyword + description: The ATT&CK Matrix version. + - name: attempt + type: long + description: The attempt number for attempting to deliver the email. + - name: banner + type: keyword + description: The initial SMTP connection response that a messaging server receives after it connects to a email server. + - name: capabilities + type: keyword + description: A list of RDP capabilities. 
+ - name: category_name + type: keyword + description: 'The event category name, as defined by category_uid value: Identity & Access Management.' + - name: category_uid + type: keyword + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: certificate_chain + type: keyword + description: The list of observed certificates in an RDP TLS connection. + - name: class_name + type: keyword + description: 'The event class name, as defined by class_uid value: Security Finding.' + - name: class_uid + type: keyword + description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. + - name: client_dialects + type: keyword + description: The list of SMB dialects that the client speaks. + - name: client_hassh + type: group + fields: + - name: algorithm type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes + description: "The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation." + - name: fingerprint type: group fields: - name: algorithm 
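Review bot: the `category_name`/`category_uid` descriptions in this hunk say "3 Identity & Access Management" while `class_name`/`class_uid` a few lines below say "2001 Security Finding"; in OCSF the Security Finding class (2001) sits in the Findings category, not IAM, so one of the two pairs looks copy-pasted from another data stream's fields file and should be corrected before this ships. Separately, both `category_uid` and `class_uid` descriptions have the OCSF enum table pasted in without separators ("...of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to..."); trim each to its one-sentence description, e.g. `description: The category unique identifier of the event.`, and leave the uid/caption pairing to `category_name`/`class_name`.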
@@ -2665,309 +151,284 @@ - name: value type: keyword description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier + - name: cloud + type: group + fields: + - name: account type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner + description: The unique identifier of the account (e.g. AWS Account ID). + - name: org type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type + description: The name of the organization. For example, Widget, Inc. + - name: ou_name type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid type: keyword - description: The account type identifier. + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid + type: keyword + description: The unique identifier of a Cloud project. + - name: provider + type: keyword + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. + - name: codes + type: long + description: The list of return codes to the FTP command. + - name: command + type: keyword + description: The command name. + - name: command_responses + type: keyword + description: The list of responses to the FTP command. + - name: connection_info + type: group + fields: + - name: boundary + type: keyword + description: The boundary of the connection, normalized to the caption of 'boundary_id'. In the case of 'Other', it is defined by the event source.For cloud connections, this translates to the traffic-boundary(same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. 
+ - name: boundary_id + type: keyword + description: The normalized identifier of the boundary of the connection. For cloud connections, this translates to the traffic-boundary (same VPC, through IGW, etc.). For traditional networks, this is described as Local, Internal, or External. + - name: direction + type: keyword + description: The direction of the initiated connection, traffic, or email, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source. + - name: direction_id + type: keyword + description: The normalized identifier of the direction of the initiated connection, traffic, or email. + - name: protocol_name + type: keyword + description: 'The TCP/IP protocol name in lowercase, as defined by the Internet Assigned Numbers Authority (IANA). See Protocol Numbers. For example: tcp or udp.' + - name: protocol_num + type: keyword + description: 'The TCP/IP protocol number, as defined by the Internet Assigned Numbers Authority (IANA). Use -1 if the protocol is not defined by IANA. See Protocol Numbers. For example: 6 for TCP and 17 for UDP.' + - name: protocol_ver + type: keyword + description: The Internet Protocol version. + - name: protocol_ver_id + type: keyword + description: The Internet Protocol version identifier. + - name: tcp_flags + type: long + description: The network connection TCP header flags (i.e., control bits). + - name: uid + type: keyword + description: The unique identifier of the connection. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. + - name: dce_rpc + type: group + fields: + - name: command + type: keyword + description: The request command (e.g. REQUEST, BIND). + - name: command_response + type: keyword + description: The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). + - name: flags + type: keyword + description: The list of interface flags. 
+ - name: opnum + type: long + description: An operation number used to identify a specific remote procedure call (RPC) method or a method in an interface. + - name: rpc_interface + type: group + fields: + - name: ack_reason + type: long + description: An integer that provides a reason code or additional information about the acknowledgment result. + - name: ack_result + type: long + description: An integer that denotes the acknowledgment result of the DCE/RPC call. + - name: uuid + type: keyword + description: The unique identifier of the particular remote procedure or service. + - name: version type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder + description: The version of the DCE/RPC protocol being used in the session. + - name: dialect + type: keyword + description: The negotiated protocol dialect. + - name: direction + type: keyword + description: The direction of the email, as defined by the direction_id value. + - name: direction_id + type: keyword + description: The direction of the email relative to the scanning host or organization. + - name: disposition + type: keyword + description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. + - name: disposition_id + type: keyword + description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. + - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: email + type: group + fields: + - name: cc + type: keyword + description: The email header Cc values, as defined by RFC 5322. + - name: delivered_to + type: keyword + description: The Delivered-To email header field. 
+ - name: from + type: keyword + description: The email header From values, as defined by RFC 5322. + - name: message_uid + type: keyword + description: The email header Message-Id value, as defined by RFC 5322. + - name: raw_header + type: keyword + description: The email authentication header. + - name: reply_to + type: keyword + description: The email header Reply-To values, as defined by RFC 5322. + - name: size + type: long + description: The size in bytes of the email, including attachments. + - name: smtp_from + type: keyword + description: The value of the SMTP MAIL FROM command. + - name: smtp_to + type: keyword + description: The value of the SMTP envelope RCPT TO command. + - name: subject + type: keyword + description: The email header Subject value, as defined by RFC 5322. + - name: to + type: keyword + description: The email header To values, as defined by RFC 5322. + - name: uid + type: keyword + description: The email unique identifier. + - name: x_originating_ip + type: ip + description: The X-Originating-IP header identifying the emails originating IP address(es). + - name: email_auth + type: group + fields: + - name: dkim type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path + description: The DomainKeys Identified Mail (DKIM) status of the email. + - name: dkim_domain type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
- - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor + description: The DomainKeys Identified Mail (DKIM) signing domain of the email. + - name: dkim_signature type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. 
- - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. + description: The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. + - name: dmarc + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) status of the email. + - name: dmarc_override + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) override action. + - name: dmarc_policy + type: keyword + description: The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status. + - name: spf + type: keyword + description: The Sender Policy Framework (SPF) status of the email. 
+ - name: email_uid + type: keyword + description: The unique identifier of the email, used to correlate related email alert and activity events. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + ignore_malformed: true + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. - name: type type: keyword - description: The file type. - - name: type_id + description: The enrichment type. For example, location. + - name: value + type: keyword + description: The value of the attribute to which the enriched data pertains. + - name: expiration_time + type: date + description: The share expiration time. + - name: expiration_time_dt + type: date + description: The share expiration time. + - name: firewall_rule + description: The Firewall Rule object represents a specific rule within a firewall policy or event. + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: text + description: The rule trigger condition for the rule. For example, SQL_INJECTION. + - name: desc + type: text + description: The description of the rule that generated the event. + - name: duration + type: integer + description: The rule response time duration, usually used for challenge completion time. + - name: match_details + type: keyword + description: The data in a request that rule matched. 
+ - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER. + - name: name type: keyword - description: The file type ID. + description: The name of the rule that generated the event. + - name: rate_limit + type: integer + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. For example, HIGH. + - name: type + type: keyword + description: The rule type. - name: uid type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: The unique identifier of the rule that generated the event. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + description: The rule version. For example, 1.1. - name: http_request type: group fields: @@ -3067,6 +528,9 @@ - name: lease_dur type: long description: This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) + - name: load_balancer + type: flattened + description: The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. - name: malware type: group fields: 
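Review bot: in the `firewall_rule` group of hunk `@@ -2665,309 +151,284 @@`, `condition` and `desc` are mapped as `text` and `duration`/`rate_limit` as `integer`, while every comparable field in this file is `keyword` and the other duration/count fields are `long`; `condition` in particular is described as an enum-like value ("For example, SQL_INJECTION") that detections will filter and aggregate on, which `text` does not support, so `type: keyword` fits better. Two smaller points in the same hunk: `connection_info.protocol_num` is described as a number ("6 for TCP and 17 for UDP", "-1" when undefined) but mapped as `keyword`, unlike `tcp_flags` beside it, and the `connection_info.boundary` description is missing the spaces ("event source.For cloud connections", "traffic-boundary(same VPC") that its `boundary_id` twin has.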
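Review bot: `load_balancer` in hunk `@@ -3067,6 +528,9 @@` is mapped as `flattened`, which indexes every leaf beneath it as a keyword; that keeps the field count down, but it means no `ip`, numeric-range or geo queries on anything inside the object. If that is the intended trade-off, state it in the field description or the package docs so users do not expect range queries there; otherwise pull out the one or two leaves that need typed mapping as explicit sibling fields.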
@@ -3130,18 +594,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: The two letter lower case language codes, as defined by ISO 639-1. 
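Review bot: replacing the explicit `feature.name`/`feature.uid`/`feature.version` fields with `feature.*` plus `object_type_mapping_type: "*"` makes this mapping dynamic, so any key that turns up under `product.feature` is indexed as keyword, numeric or not; that is fine for the three documented subfields, but the new description no longer tells the user which subfields exist. Suggest naming them in the description ("Subfields: name, uid, version.") and confirming that a nested object can never appear under `feature` in the source data, because a dynamic keyword template cannot absorb an object value and the document would be rejected.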
@@ -3184,108 +641,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: name type: keyword description: The name of the data affiliated with the command. 
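Review bot: hunk `@@ -3184,108 +641,6 @@` deletes the whole `metadata` group and nothing in the shown diff replaces it; if `metadata` is now defined in a shared fields file that is fine, but it needs confirming, because the removed block carried typed mappings that dynamic mapping will not reproduce: `logged_time`, `modified_time` and `processed_time` (and their `_dt` twins) were `date` and `sequence` was `long`. Without an explicit mapping an epoch-millis `metadata.logged_time` lands as `long`, and `metadata.version`, which the removed description says consumers use to determine the available event attributes, gets whatever type the first document suggests.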
@@ -3325,90 +680,27 @@ - name: port type: long description: The dynamic port established for impending data transfers. + - name: precision + type: integer + description: The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. - name: protocol_ver type: keyword description: The Protocol version. - - name: proxy - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). 
- - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). + - name: proxy_connection_info + type: flattened + description: The connection information from the proxy server to the remote server. + - name: proxy_http_request + type: flattened + description: The HTTP Request from the proxy server to the remote server. + - name: proxy_http_response + type: flattened + description: The HTTP Response from the remote server to the proxy server. + - name: proxy_tls + type: flattened + description: The TLS protocol negotiated between the proxy server and the remote server. 
+ - name: proxy_traffic + type: flattened + description: The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. - name: query type: group fields: @@ -3440,7 +732,8 @@ type: flattened description: The event data as received from the event source. - name: raw_data_keyword - type: keyword + type: match_only_text + description: The raw event data keyword as received from the event source. - name: rcode type: keyword description: The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. 
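Review bot: In the `@@ -3440,7 +732,8 @@` hunk, `raw_data_keyword` changes type from `keyword` to `match_only_text` while keeping a name and a new description ("The raw event data keyword as received from the event source.") that still promise a keyword; `match_only_text` is not aggregatable or sortable and only answers match-style queries, so any saved search, visualization or rule that used this field as a keyword will break on upgrade. Either rename the field to drop the `_keyword` suffix (this ships as 2.0.0, so a rename is acceptable) or keep `keyword` with `ignore_above`, and call the type change out in the changelog. In the preceding `@@ -3325,90 +680,27 @@` hunk, the whole `proxy` group is removed, including `proxy.ip` typed `ip` and `proxy.location.coordinates` typed `geo_point`, and the five new `proxy_*` flattened fields are siblings rather than a replacement for it; if v1.1.0 events can still carry `proxy`, the dynamic mapping mentioned in the changelog will type `proxy.ip` as a string, so either keep an explicit `proxy` mapping or state in the README that `proxy` is no longer mapped.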
@@ -3564,87 +857,6 @@ - name: smtp_hello type: keyword description: The value of the SMTP HELO or EHLO command sent by the initiator (client). - - name: src_endpoint - type: group - fields: - - name: domain - type: keyword - description: The name of the domain. - - name: hostname - type: keyword - description: The fully qualified name of the endpoint. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: intermediate_ips - type: ip - description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. - - name: ip - type: ip - description: The IP address of the endpoint, in either IPv4 or IPv6 format. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. 
- - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The Media Access Control (MAC) address of the endpoint. - - name: name - type: keyword - description: The short name of the endpoint. - - name: port - type: long - description: The port used for communication within the network connection. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: svc_name - type: keyword - description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. - - name: uid - type: keyword - description: The unique identifier of the endpoint. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - name: start_time type: date description: The start time of a time period, or the time of the least recent event included in the aggregate event. @@ -3663,6 +875,12 @@ - name: status_id type: keyword description: The normalized identifier of the event status. + - name: stratum_id + type: integer + description: The normalized identifier of the stratum level, as defined in RFC-5905. + - name: stratum + type: keyword + description: The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. - name: time type: date description: The normalized event occurrence time. @@ -3858,3 +1076,6 @@ - name: url_string type: keyword description: The URL string. See RFC 1738. + - name: version + type: keyword + description: The version number of the NTP protocol. 
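Review bot: In the `@@ -3663,6 +875,12 @@` hunk, `stratum_id` is mapped as `type: integer` while every other normalized enum identifier in this file, including `status_id` directly above it, is `type: keyword`; mixing the two means a filter written as `ocsf.status_id: "1"` does not carry over to `ocsf.stratum_id`, and the pipeline's id-to-caption lookup that fills `stratum` has to handle a number instead of a string. Suggest `type: keyword` for `stratum_id` for consistency with the rest of the `*_id` fields. Unrelated to that, the `@@ -3564,87 +857,6 @@` hunk drops `src_endpoint` from this file and relies on network-endpoint-fields.yml later in this patch to re-add it, so the two files must land together; a one-line comment at the top of this file pointing at the split-out endpoint definitions would save the next person from hunting for where `src_endpoint` went.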
diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml new file mode 100644 index 000000000000..f0d2fe6bc6b1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/file-fields.yml 
@@ -0,0 +1,509 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/metadata-fields.yml 
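Review bot: `file.hashes` and `file.signature.certificate.fingerprints` (and `file.signature.digest`, which is a single object and is fine) are mapped as `type: group`, but in OCSF `hashes` and `fingerprints` are arrays of fingerprint objects; a file with two hashes is indexed as `hashes.algorithm: [SHA-256, MD5]` and `hashes.value: [x, y]` with the pairing lost, so a query for "algorithm is SHA-256 and value is x" can match the MD5 value. Either map these two as `nested`, or have the pipeline additionally write per-algorithm fields so the common lookup ("does this SHA-256 appear anywhere") stays a plain keyword match. Separately, the `accessor`, `creator`, `modifier` and `owner` blocks are four identical copies of the same two dozen user fields; that is exactly the depth of nesting the README note in this PR says gets flattened to stay within the field-count limit, so consider mapping three of them as `flattened` (as `ldap_person` already is) and keeping `owner` expanded, or at least generating the four from one source so a fix lands in all of them.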
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml new file mode 100644 index 000000000000..91fca432e6eb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/network-endpoint-fields.yml 
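Review bot: `metadata.tenant_uid` has the wrong description: "The audit level at which an event was generated." describes a log level, not a tenant identifier, and `log_level` in the same hunk carries a generic "The log level of the event." instead; the two texts look pasted onto the wrong fields. `tenant_uid` should say it is the unique identifier of the tenant the event belongs to, which matters here because it is the field an analyst will use to scope searches across accounts in a multi-account lake. Two smaller points in the same hunk: the `metadata.version` example still reads `1.0.0` in a change whose purpose is v1.1.0 support, and both `extension` and `extensions` are mapped, which is fine for compatibility but deserves a comment stating which one v1.1.0 events populate so the other can be retired later.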
@@ -0,0 +1,213 @@ +- name: ocsf + type: group + fields: + - name: dst_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. + - name: src_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml new file mode 100644 index 000000000000..898740ab4d10 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-endpoint-fields.yml 
@@ -0,0 +1,108 @@ +- name: ocsf + type: group + fields: + - name: proxy_endpoint + type: group + fields: + - name: container + type: flattened + description: The information describing an instance of a container. + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: hw_info + type: flattened + description: The endpoint hardware information. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. 
+ - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: os + type: flattened + description: The endpoint operating system. + - name: port + type: long + description: The port used for communication within the network connection. + - name: proxy_endpoint + type: flattened + description: The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: type + type: keyword + description: The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The network endpoint type ID. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). 
+ - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml new file mode 100644 index 000000000000..11d1f9a9bdb8 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/network_activity/fields/proxy-fields-deprecated.yml 
@@ -0,0 +1,84 @@ +- name: ocsf + type: group + fields: + - name: proxy + type: group + fields: + - name: domain + type: keyword + description: The name of the domain. + - name: hostname + type: keyword + description: The fully qualified name of the endpoint. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: intermediate_ips + type: ip + description: The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. + - name: ip + type: ip + description: The IP address of the endpoint, in either IPv4 or IPv6 format. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. 
Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The Media Access Control (MAC) address of the endpoint. + - name: name + type: keyword + description: The short name of the endpoint. + - name: port + type: long + description: The port used for communication within the network connection. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: svc_name + type: keyword + description: The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. + - name: uid + type: keyword + description: The unique identifier of the endpoint. + - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). diff --git a/packages/amazon_security_lake/data_stream/network_activity/manifest.yml b/packages/amazon_security_lake/data_stream/network_activity/manifest.yml index b7d7b7e7600d..bc977e86cdd4 100644 --- a/packages/amazon_security_lake/data_stream/network_activity/manifest.yml +++ b/packages/amazon_security_lake/data_stream/network_activity/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake Network Activity Events dataset: amazon_security_lake.network_activity type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml new file mode 100644 index 000000000000..76096c38c9bb --- /dev/null +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/actor-fields.yml 
@@ -0,0 +1,1815 @@ +- name: ocsf + type: group + fields: + - name: actor + type: group + fields: + - name: authorizations + type: group + fields: + - name: decision + type: keyword + description: Authorization Result/outcome, e.g. allowed, denied. + - name: policy + type: group + fields: + - name: desc + type: keyword + description: The description of the policy. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: 'The policy name. For example: IAM Policy.' + - name: uid + type: keyword + description: A unique identifier of the policy instance. + - name: version + type: keyword + description: The policy version number. + - name: idp + type: group + fields: + - name: name + type: keyword + description: The name of the identity provider. + - name: uid + type: keyword + description: The unique identifier of the identity provider. + - name: invoked_by + type: keyword + description: The name of the service that invoked the activity as described in the event. + - name: process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. 
+ - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. 
+ - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. 
+ - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). 
+ - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' 
+ - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. 
+ - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. 
+ - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. 
In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: group + fields: + - name: auid + type: keyword + description: The audit user assigned at login by the audit subsystem. + - name: cmd_line + type: keyword + description: The full command line used to launch an application, service, process, or job. + - name: container + type: group + fields: + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: The image name. + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. 
+ - name: uid + type: keyword + description: The unique image ID. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: long + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: created_time + type: date + description: The time when the process was created/started. + - name: created_time_dt + type: date + description: The time when the process was created/started. + - name: egid + type: keyword + description: The effective group under which this process is running. + - name: euid + type: keyword + description: The effective user under which this process is running. + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: integer + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. 
For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The name of the city. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. 
+ - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: 'The image name. For example: elixir.' + - name: full_name + type: keyword + description: The user's email address. + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). 
+ - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the feature. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the feature. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: uid + type: keyword + description: The unique identifier of the certificate. + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + - name: group + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: integrity + type: keyword + description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). + - name: integrity_id + type: integer + description: The normalized identifier of the process integrity level (Windows only). + - name: lineage + type: keyword + description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' + - name: loaded_modules + type: keyword + description: The list of loaded module names. + - name: name + type: keyword + description: 'The friendly name of the process, for example: Notepad++.' + - name: namespace_pid + type: long + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: parent_process + type: flattened + description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. 
+ - name: parent_process_keyword + type: keyword + ignore_above: 1024 + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). 
Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. 
+ - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: flattened + description: The LDAP attributes of the user. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: pid + type: long + description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. + - name: sandbox + type: keyword + description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. + - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. 
+ - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: terminated_time + type: date + description: The time when the process was terminated. + - name: terminated_time_dt + type: date + description: The time when the process was terminated. + - name: tid + type: long + description: The Identifier of the thread associated with the event, as returned by the operating system. + - name: uid + type: keyword + description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. 
+ - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. + - name: session + type: group + fields: + - name: created_time + type: date + description: The time when the session was created. + - name: created_time_dt + type: date + description: The time when the session was created. + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: expiration_time + type: date + description: The session expiration time. + - name: expiration_time_dt + type: date + description: The session expiration time. + - name: is_remote + type: boolean + description: The indication of whether the session is remote. + - name: issuer + type: keyword + description: The identifier of the session issuer. 
+ - name: mfa + type: boolean + - name: uid + type: keyword + description: The unique identifier of the session. + - name: uuid + type: keyword + description: The universally unique identifier of the session. + - name: count + type: integer + description: The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. + - name: expiration_reason + type: keyword + description: The reason which triggered the session expiration. + - name: is_mfa + type: boolean + description: Indicates whether Multi Factor Authentication was used during authentication. + - name: is_vpn + type: boolean + description: The indication of whether the session is a VPN session. + - name: terminal + type: keyword + description: The Pseudo Terminal associated with the session. Ex, the tty or pts value. + - name: uid_alt + type: keyword + description: The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. + - name: user + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. 
+ - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: ldap_person + type: group + fields: + - name: cost_center + type: keyword + description: The cost center associated with the user. + - name: created_time + type: date + format: epoch_second + description: The timestamp when the user was created. + - name: created_time_dt + type: date + description: The date when the user was created. + - name: deleted_time + type: date + format: epoch_second + description: The timestamp when the user was deleted. 
+ - name: deleted_time_dt + type: date + description: The date when the user was deleted. + - name: email_addrs + type: keyword + description: A list of additional email addresses for the user. + - name: employee_uid + type: keyword + description: The employee identifier assigned to the user by the organization. + - name: given_name + type: keyword + description: The given or first name of the user. + - name: hire_time + type: date + format: epoch_second + description: The timestamp when the user was or will be hired by the organization. + - name: hire_time_dt + type: date + description: The date when the user was or will be hired by the organization. + - name: job_title + type: keyword + description: The user's job title. + - name: labels + type: keyword + description: The labels associated with the user. For example in AD this could be the userType, employeeType. + - name: last_login_time + type: date + format: epoch_second + description: The last time when the user logged in. + - name: last_login_time_dt + type: date + description: The last date when the user logged in. + - name: ldap_cn + type: keyword + description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. + - name: ldap_dn + type: keyword + description: The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. + - name: leave_time + type: date + format: epoch_second + description: The timestamp when the user left or will be leaving the organization. + - name: leave_time_dt + type: date + description: The date when the user left or will be leaving the organization. + - name: modified_time + type: date + format: epoch_second + description: The timestamp when the user entry was last modified. + - name: modified_time_dt + type: date + description: The date when the user entry was last modified. 
+ - name: office_location + type: keyword + description: The primary office location associated with the user. This could be any string and isn't a specific address. + - name: surname + type: keyword + description: The last or family name for the user. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. + - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: manager + type: group + description: Manager + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. 
+ - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml new file mode 100644 index 000000000000..852880315189 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/api-fields.yml 
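Review bot: In the application_activity actor-fields.yml hunk above, `session.mfa` (boolean) is the only field in the file without a `description`, and it sits beside `session.is_mfa`, which is described as "Indicates whether Multi Factor Authentication was used during authentication."; if `mfa` is kept so that events written against the older schema still map, give it a description that says so, otherwise drop it so that one field is the source of truth for MFA in detection rules. Two consistency points in the same hunk: the first `user.org.*` object has no description while the later copies under `session.user` and `manager` read "Organization and org unit related to the user."; and the `ldap_person` timestamps (`created_time`, `deleted_time`, `hire_time`, `last_login_time`, `leave_time`, `modified_time`) are declared `type: date` with `format: epoch_second`, whereas every other `*_time` date field in the hunk (`terminated_time`, `session.created_time`, `session.expiration_time`) carries no format. OCSF timestamp_t values are milliseconds since the epoch, so unless the pipeline converts these particular fields, a millisecond value will be parsed as seconds and land tens of thousands of years in the future; either apply the same format to all `*_time` fields or document why `ldap_person` differs.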
@@ -0,0 +1,154 @@ +- name: ocsf + type: group + fields: + - name: api + type: group + description: Describes details about a typical API (Application Programming Interface) call. + fields: + - name: operation + type: keyword + description: Verb/Operation associated with the request. + - name: group + type: group + description: The information pertaining to the API group. + fields: + - name: desc + type: text + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: request + type: group + description: Details pertaining to the API request. + fields: + - name: uid + type: keyword + description: The unique request identifier. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
+ - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. + - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api request. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: response + type: group + description: Details pertaining to the API response. + fields: + - name: code + type: integer + description: The numeric response sent to a request. + - name: containers + type: group + description: When working with containerized applications, the set of containers which write to the standard the output of a particular logging driver. + fields: + - name: hash + type: flattened + description: Commit hash of image created for docker or the SHA256 hash of the container. + - name: image + type: flattened + description: The container image used as a template to run the container. + - name: name + type: keyword + description: The container name. + - name: network_driver + type: keyword + description: The network driver used by the container. For example, bridge, overlay, host, none, etc. + - name: orchestrator + type: keyword + description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. + - name: pod_uuid + type: keyword + description: The unique identifier of the pod (or equivalent) that the container is executing on. 
+ - name: runtime + type: keyword + description: The backend running the container, such as containerd or cri-o. + - name: size + type: integer + description: The size of the container image. + - name: tag + type: keyword + description: The tag used by the container. It can indicate version, format, OS. + - name: uid + type: keyword + description: The full container unique identifier for this instantiation of the container. + - name: data + type: flattened + description: The additional data that is associated with the api response. + - name: error + type: keyword + description: Error Code. + - name: error_message + type: text + description: Error Message. + - name: flags + type: keyword + description: The list of communication flags, normalized to the captions of the flag_ids values. + - name: message + type: text + description: The description of the event/finding, as defined by the source. + - name: service + type: group + description: The information pertaining to the API service. + fields: + - name: labels + type: keyword + description: The list of labels associated with the service. + - name: name + type: keyword + description: The name of the service. + - name: uid + type: keyword + description: The unique identifier of the service. + - name: version + type: keyword + description: The version of the service. + - name: version + type: keyword + description: The version of the API service. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml new file mode 100644 index 000000000000..1fbf81b593e4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/device-fields.yml 
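Review bot: `api.group.desc` is mapped as `type: text` while every other group `desc` in this change (`actor.user.groups.desc`, `device.groups.desc`) is `keyword`; `text` is not aggregatable, so a visualization or rule that does a terms aggregation on group descriptions would work for devices but fail for API groups. Switch it to `keyword` (or add a `.text` multi-field if free-text search is actually needed) for consistency. Two nits in the same file: the `containers` descriptions under both `request` and `response` read "write to the standard the output of a particular logging driver" (stray "the"), and `response.error` is described only as "Error Code." next to `response.code`, "The numeric response sent to a request."; one clause saying whether `error` is a symbolic code string, as opposed to the numeric status in `code`, would make the exported fields table unambiguous.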
@@ -0,0 +1,348 @@ +- name: ocsf + type: group + fields: + - name: device + type: group + fields: + - name: autoscale_uid + type: keyword + description: The unique identifier of the cloud autoscale configuration. + - name: container + type: flattened + description: The information describing an instance of a container. + - name: created_time + type: date + description: The time when the device was known to have been created. + - name: created_time_dt + type: date + description: TThe time when the device was known to have been created. + - name: desc + type: keyword + description: The description of the device, ordinarily as reported by the operating system. + - name: domain + type: keyword + description: 'The network domain where the device resides. For example: work.example.com.' + - name: first_seen_time + type: date + description: The initial discovery time of the device. + - name: first_seen_time_dt + type: date + description: The initial discovery time of the device. + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: domain + type: keyword + description: The domain where the group is defined. For example, the LDAP or Active Directory domain. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: hostname + type: keyword + description: The devicename. + - name: hw_info + type: group + fields: + - name: bios_date + type: keyword + description: 'The BIOS date. For example: 03/31/16.' + - name: bios_manufacturer + type: keyword + description: 'The BIOS manufacturer. For example: LENOVO.' + - name: bios_ver + type: keyword + description: 'The BIOS version. 
For example: LENOVO G5ETA2WW (2.62).' + - name: chassis + type: keyword + description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. + - name: cpu_bits + type: long + description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' + - name: cpu_cores + type: long + description: 'The number of processor cores in all installed processors. For Example: 42.' + - name: cpu_count + type: long + description: 'The number of physical processors on a system. For example: 1.' + - name: cpu_speed + type: long + description: 'The speed of the processor in Mhz. For Example: 4200.' + - name: cpu_type + type: keyword + description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' + - name: desktop_display + type: group + fields: + - name: color_depth + type: long + description: The numeric color depth. + - name: physical_height + type: long + description: The numeric physical height of display. + - name: physical_orientation + type: long + description: The numeric physical orientation of display. + - name: physical_width + type: long + description: The numeric physical width of display. + - name: scale_factor + type: long + description: The numeric scale factor of display. + - name: keyboard_info + type: group + fields: + - name: function_keys + type: long + description: The number of function keys on client keyboard. + - name: ime + type: keyword + description: The Input Method Editor (IME) file name. + - name: keyboard_layout + type: keyword + description: The keyboard locale identifier name (e.g., en-US). + - name: keyboard_subtype + type: long + description: The keyboard numeric code. + - name: keyboard_type + type: keyword + description: The keyboard type (e.g., xt, ico). + - name: ram_size + type: long + description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' 
+ - name: serial_number + type: keyword + description: The device manufacturer serial number. + - name: hypervisor + type: keyword + description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. + - name: image + type: group + fields: + - name: labels + type: keyword + description: The image labels. + - name: name + type: keyword + description: 'The image name. For example: elixir.' + - name: path + type: keyword + description: The full path to the image file. + - name: tag + type: keyword + description: 'The image tag. For example: 1.11-alpine.' + - name: uid + type: keyword + description: 'The unique image ID. For example: 77af4d6b9913.' + - name: imei + type: keyword + description: The International Mobile Station Equipment Identifier that is associated with the device. + - name: instance_uid + type: keyword + description: The unique identifier of a VM instance. + - name: interface_name + type: keyword + description: The name of the network interface (e.g. eth2). + - name: interface_uid + type: keyword + description: The unique identifier of the network interface. + - name: ip + type: ip + description: The device IP address, in either IPv4 or IPv6 format. + - name: is_compliant + type: boolean + description: The event occurred on a compliant device. + - name: is_managed + type: boolean + description: The event occurred on a managed device. + - name: is_personal + type: boolean + description: The event occurred on a personal device. + - name: is_trusted + type: boolean + description: The event occurred on a trusted device. + - name: last_seen_time + type: date + description: The most recent discovery time of the device. + - name: last_seen_time_dt + type: date + description: The most recent discovery time of the device. + - name: location + type: group + fields: + - name: city + type: keyword + description: The name of the city. + - name: continent + type: keyword + description: The name of the continent. 
+ - name: coordinates + type: geo_point + description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. + - name: country + type: keyword + description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. + - name: desc + type: keyword + description: The description of the geographical location. + - name: is_on_premises + type: boolean + description: The indication of whether the location is on premises. + - name: isp + type: keyword + description: The name of the Internet Service Provider (ISP). + - name: postal_code + type: keyword + description: The postal code of the location. + - name: provider + type: keyword + description: The provider of the geographical location data. + - name: region + type: keyword + description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. + - name: mac + type: keyword + description: The device Media Access Control (MAC) address. + - name: modified_time + type: date + description: The time when the device was last known to have been modified. + - name: modified_time_dt + type: date + description: The time when the device was last known to have been modified. + - name: name + type: keyword + description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. + - name: namespace_pid + type: integer + description: If running under a process namespace (such as in a container), the process identifier within that process namespace. + - name: network_interfaces + type: group + fields: + - name: hostname + type: keyword + description: The hostname associated with the network interface. 
+ - name: ip + type: ip + description: The IP address associated with the network interface. + - name: mac + type: keyword + description: The MAC address of the network interface. + - name: name + type: keyword + description: The name of the network interface. + - name: namespace + type: keyword + description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. + - name: subnet_prefix + type: long + description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. + - name: type + type: keyword + description: The type of network interface. + - name: type_id + type: keyword + description: The network interface type identifier. + - name: uid + type: keyword + description: The unique identifier for the network interface. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: os + type: group + fields: + - name: build + type: keyword + description: The operating system build number. + - name: country + type: keyword + description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. + - name: cpu_bits + type: long + description: The cpu architecture, the number of bits used for addressing in memory. 
For example, 32 or 64. + - name: edition + type: keyword + description: The operating system edition. For example, Professional. + - name: lang + type: keyword + description: The two letter lower case language codes, as defined by ISO 639-1. + - name: name + type: keyword + description: The operating system name. + - name: sp_name + type: keyword + description: The name of the latest Service Pack. + - name: sp_ver + type: keyword + description: The version number of the latest Service Pack. + - name: type + type: keyword + description: The type of the operating system. + - name: type_id + type: keyword + description: The type identifier of the operating system. + - name: version + type: keyword + description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". + - name: region + type: keyword + description: The region where the virtual machine is located. For example, an AWS Region. + - name: risk_level + type: keyword + description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. + - name: risk_level_id + type: keyword + description: The normalized risk level id. + - name: risk_score + type: long + description: The risk score as reported by the event source. + - name: subnet + type: ip_range + description: The subnet mask. + - name: subnet_uid + type: keyword + description: The unique identifier of a virtual subnet. + - name: type + type: keyword + description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. + - name: type_id + type: keyword + description: The device type ID. + - name: uid + type: keyword + description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: vlan_uid + type: keyword + description: The Virtual LAN identifier. + - name: vpc_uid + type: keyword + description: The unique identifier of the Virtual Private Cloud (VPC). + - name: zone + type: keyword + description: The network zone or LAN segment. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml index e45b7ecdf2e0..86d2c79e1692 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/fields.yml 
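Review bot: `device.uid_alt` is described as "The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.", which is the user object's text pasted into the device object; it should describe an alternate device identifier (compare `device.uid`: "The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN."). Also in this file: `created_time_dt` reads "TThe time when the device was known to have been created."; `hostname` reads "The devicename." and should say the device hostname; `hw_info.chassis` ends with "Such as the following examples for Windows Windows Chassis Types.", where a link appears to have been dropped; and `subnet` is mapped as `ip_range` but described as "The subnet mask". `ip_range` accepts CIDR notation (e.g. `10.0.0.0/24`) or an explicit `gte`/`lte` range, not a dotted mask such as `255.255.255.0`, so if any source emits a mask the document will be rejected at index time; either confirm that the pipeline normalizes this field to CIDR or catch the failure with an on_failure handler that records `error.message` instead of dropping the event.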
@@ -10,22 +10,154 @@ - name: activity_name type: keyword description: The event activity name, as defined by the activity_id. - - name: actor + - name: actual_permissions + type: long + description: The permissions that were granted to the in a platform-native format. + - name: attacks + type: group + fields: + - name: tactics + type: group + fields: + - name: name + type: keyword + description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: uid + type: keyword + description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. + - name: technique + type: group + fields: + - name: name + type: keyword + description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' + - name: uid + type: keyword + description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' + - name: version + type: keyword + description: The ATT&CK Matrix version. + - name: base_address + type: keyword + description: The memory address that was access or requested. + - name: category_name + type: keyword + description: 'The event category name, as defined by category_uid value: Identity & Access Management.' + - name: category_uid + type: keyword + description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. + - name: class_name + type: keyword + description: 'The event class name, as defined by class_uid value: Security Finding.' + - name: class_uid + type: keyword + description: The unique identifier of a class. 
A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. + - name: cloud type: group fields: - - name: authorizations + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: org type: group fields: - - name: decision + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid type: keyword - description: Authorization Result/outcome, e.g. allowed, denied. - - name: policy + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: project_uid + type: keyword + description: The unique identifier of a Cloud project. + - name: provider + type: keyword + description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. + - name: region + type: keyword + description: The name of the cloud region, as defined by the cloud provider. + - name: zone + type: keyword + description: The availability zone in the cloud region, as defined by the cloud provider. 
+ - name: component + type: keyword + description: The name or relative pathname of a sub-component of the data object, if applicable. + - name: connection_uid + type: keyword + description: The network connection identifier. + - name: count + type: long + description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. + - name: create_mask + type: keyword + description: The original Windows mask that is required to create the object. + - name: disposition + type: keyword + description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. + - name: disposition_id + type: keyword + description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. + - name: driver + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor type: group fields: - - name: desc + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. 
For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The description of the policy. - - name: group + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - name: desc 
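Review bot: the descriptions for category_uid and class_uid in this hunk have OCSF schema-browser enum text run into them ("The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to..." and "A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe..."); trim each to the single field description, since these strings are rendered verbatim into the exported-fields table. In the same vein, category_name and class_name are described as fixed values ("Identity & Access Management", "Security Finding") while category_uid and class_uid are mapped as keyword and will carry whatever class the event actually belongs to; word them as "as defined by category_uid" / "as defined by class_uid" without the hardcoded caption unless this file only ever receives that one class. Two smaller typos worth fixing while here: actual_permissions ("granted to the in a platform-native format" is missing its noun) and base_address ("was access or requested").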
@@ -45,3092 +177,365 @@ description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: 'The policy name. For example: IAM Policy.' + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. - name: uid type: keyword - description: A unique identifier of the policy instance. - - name: version + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt type: keyword - description: The policy version number. - - name: idp - type: group - fields: - - name: name - type: keyword - description: The name of the identity provider. - - name: uid + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name type: keyword - description: The unique identifier of the identity provider. - - name: invoked_by - type: keyword - description: The name of the service that invoked the activity as described in the event. - - name: process - type: group - fields: - - name: auid + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality type: keyword - description: The audit user assigned at login by the audit subsystem. - - name: cmd_line + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. 
+ - name: confidentiality_id type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator type: group fields: - - name: hash + - name: account type: group fields: - - name: algorithm + - name: name type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: The name of the account (e.g. GCP Account Name). + - name: type type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id type: keyword - description: The digital fingerprint value. - - name: image + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - - name: labels + - name: desc type: keyword - description: The image labels. 
+ description: The group description. - name: name type: keyword - description: The image name. - - name: path + description: The group name. + - name: privileges type: keyword - description: The full path to the image file. - - name: tag + description: The group privileges. + - name: type type: keyword - description: The tag used by the container. It can indicate version, format, OS. + description: The type of the group or account. - name: uid type: keyword - description: The unique image ID. + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime + description: The account type identifier. + - name: uid type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. 
+ - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm type: keyword - description: The full container unique identifier for this instantiation of the container. - - name: created_time + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time type: date - description: The time when the process was created/started. - - name: created_time_dt + description: The time when the file was last modified. + - name: modified_time_dt type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file + description: The time when the file was last modified. + - name: modifier type: group fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. 
- - name: accessor + - name: account type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. - name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid + - name: desc type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain + description: The group description. + - name: name type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr + description: The group name. + - name: privileges type: keyword - description: The user's email address. - - name: full_name + description: The group privileges. + - name: type type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: - name: name type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + description: The name of the account (e.g. GCP Account Name). - name: type type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - name: type_id type: keyword - description: The account type identifier. + description: The normalized account type identifier. 
- name: uid type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups type: group fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + - name: desc type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value + description: The group description. + - name: name type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. 
- - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' 
- - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. 
- - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. 
- - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: group - fields: - - name: auid - type: keyword - description: The audit user assigned at login by the audit subsystem. 
- - name: cmd_line - type: keyword - description: The full command line used to launch an application, service, process, or job. - - name: container - type: group - fields: - - name: hash - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: The image name. - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The unique image ID. - - name: name - type: keyword - description: The container name. - - name: network_driver - type: keyword - description: The network driver used by the container. For example, bridge, overlay, host, none, etc. - - name: orchestrator - type: keyword - description: The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. - - name: pod_uuid - type: keyword - description: The unique identifier of the pod (or equivalent) that the container is executing on. - - name: runtime - type: keyword - description: The backend running the container, such as containerd or cri-o. - - name: size - type: long - description: The size of the container image. - - name: tag - type: keyword - description: The tag used by the container. It can indicate version, format, OS. - - name: uid - type: keyword - description: The full container unique identifier for this instantiation of the container. 
- - name: created_time - type: date - description: The time when the process was created/started. - - name: created_time_dt - type: date - description: The time when the process was created/started. - - name: egid - type: keyword - description: The effective group under which this process is running. - - name: euid - type: keyword - description: The effective user under which this process is running. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. 
- - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. 
- - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The name of the city. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. 
- - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. 
- - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: 'The image name. For example: elixir.' - - name: full_name - type: keyword - description: The user's email address. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. 
- - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. 
- - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the feature. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
- - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' 
- - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: group - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: integrity - type: keyword - description: The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). - - name: integrity_id - type: keyword - description: The normalized identifier of the process integrity level (Windows only). - - name: lineage - type: keyword - description: 'The lineage of the process, represented by a list of paths for each ancestor process. For example: [''/usr/sbin/sshd'', ''/usr/bin/bash'', ''/usr/bin/whoami''].' - - name: loaded_modules - type: keyword - description: The list of loaded module names. - - name: name - type: keyword - description: 'The friendly name of the process, for example: Notepad++.' - - name: namespace_pid - type: long - description: If running under a process namespace (such as in a container), the process identifier within that process namespace. - - name: parent_process - type: flattened - description: The parent process of this process object. It is recommended to only populate this field for the first process object, to prevent deep nesting. - - name: parent_process_keyword - type: keyword - ignore_above: 1024 - - name: pid - type: long - description: The process identifier, as reported by the operating system. 
Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: pid - type: long - description: The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process. - - name: sandbox - type: keyword - description: The name of the containment jail (i.e., sandbox). For example, hardened_ps, high_security_ps, oracle_ps, netsvcs_ps, or default_ps. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. - - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. 
- - name: terminated_time - type: date - description: The time when the process was terminated. - - name: terminated_time_dt - type: date - description: The time when the process was terminated. - - name: tid - type: long - description: The Identifier of the thread associated with the event, as returned by the operating system. - - name: uid - type: keyword - description: A unique identifier for this process assigned by the producer (tool). Facilitates correlation of a process event with other events for that process. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs that represent a process extended attribute. - - name: session - type: group - fields: - - name: created_time - type: date - description: The time when the session was created. - - name: created_time_dt - type: date - description: The time when the session was created. - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: expiration_time - type: date - description: The session expiration time. - - name: expiration_time_dt - type: date - description: The session expiration time. 
- - name: is_remote - type: boolean - description: The indication of whether the session is remote. - - name: issuer - type: keyword - description: The identifier of the session issuer. - - name: mfa - type: boolean - - name: uid - type: keyword - description: The unique identifier of the session. - - name: uuid - type: keyword - description: The universally unique identifier of the session. - - name: user - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. 
- - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: actual_permissions - type: long - description: The permissions that were granted to the in a platform-native format. - - name: api - type: group - fields: - - name: operation - type: keyword - description: Verb/Operation associated with the request. - - name: request - type: group - fields: - - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: uid - type: keyword - description: The unique request identifier. - - name: response - type: group - fields: - - name: code - type: long - description: The numeric response sent to a request. - - name: error - type: keyword - description: Error Code. - - name: error_message - type: keyword - description: Error Message. 
- - name: flags - type: keyword - description: The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. - - name: message - type: keyword - description: The description of the event, as defined by the event source. - - name: service - type: group - fields: - - name: labels - type: keyword - description: The list of labels associated with the service. - - name: name - type: keyword - description: The name of the service. - - name: uid - type: keyword - description: The unique identifier of the service. - - name: version - type: keyword - description: The version of the service. - - name: version - type: keyword - description: The version of the API service. - - name: attacks - type: group - fields: - - name: tactics - type: group - fields: - - name: name - type: keyword - description: The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. - - name: uid - type: keyword - description: The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. - - name: technique - type: group - fields: - - name: name - type: keyword - description: 'The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise.' - - name: uid - type: keyword - description: 'The unique identifier of the attack technique, as defined by ATT&CK MatrixTM. For example: T1189.' - - name: version - type: keyword - description: The ATT&CK Matrix version. - - name: base_address - type: keyword - description: The memory address that was access or requested. - - name: category_name - type: keyword - description: 'The event category name, as defined by category_uid value: Identity & Access Management.' 
- - name: category_uid - type: keyword - description: The category unique identifier of the event.3 Identity & Access ManagementIdentity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc. - - name: class_name - type: keyword - description: 'The event class name, as defined by class_uid value: Security Finding.' - - name: class_uid - type: keyword - description: The unique identifier of a class. A Class describes the attributes available in an event.2001 Security FindingSecurity Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products. - - name: cloud - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: project_uid - type: keyword - description: The unique identifier of a Cloud project. - - name: provider - type: keyword - description: The unique name of the Cloud services provider, such as AWS, MS Azure, GCP, etc. - - name: region - type: keyword - description: The name of the cloud region, as defined by the cloud provider. - - name: zone - type: keyword - description: The availability zone in the cloud region, as defined by the cloud provider. - - name: component - type: keyword - description: The name or relative pathname of a sub-component of the data object, if applicable. - - name: connection_uid - type: keyword - description: The network connection identifier. - - name: count - type: long - description: The number of times that events in the same logical group occurred during the event Start Time to End Time period. - - name: create_mask - type: keyword - description: The original Windows mask that is required to create the object. - - name: device - type: group - fields: - - name: autoscale_uid - type: keyword - description: The unique identifier of the cloud autoscale configuration. - - name: created_time - type: date - description: The time when the device was known to have been created. - - name: created_time_dt - type: date - description: TThe time when the device was known to have been created. - - name: desc - type: keyword - description: The description of the device, ordinarily as reported by the operating system. - - name: domain - type: keyword - description: 'The network domain where the device resides. For example: work.example.com.' - - name: first_seen_time - type: date - description: The initial discovery time of the device. - - name: first_seen_time_dt - type: date - description: The initial discovery time of the device. - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. 
- - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: hostname - type: keyword - description: The devicename. - - name: hw_info - type: group - fields: - - name: bios_date - type: keyword - description: 'The BIOS date. For example: 03/31/16.' - - name: bios_manufacturer - type: keyword - description: 'The BIOS manufacturer. For example: LENOVO.' - - name: bios_ver - type: keyword - description: 'The BIOS version. For example: LENOVO G5ETA2WW (2.62).' - - name: chassis - type: keyword - description: The chassis type describes the system enclosure or physical form factor. Such as the following examples for Windows Windows Chassis Types. - - name: cpu_bits - type: long - description: 'The cpu architecture, the number of bits used for addressing in memory. For example: 32 or 64.' - - name: cpu_cores - type: long - description: 'The number of processor cores in all installed processors. For Example: 42.' - - name: cpu_count - type: long - description: 'The number of physical processors on a system. For example: 1.' - - name: cpu_speed - type: long - description: 'The speed of the processor in Mhz. For Example: 4200.' - - name: cpu_type - type: keyword - description: 'The processor type. For example: x86 Family 6 Model 37 Stepping 5.' - - name: desktop_display - type: group - fields: - - name: color_depth - type: long - description: The numeric color depth. - - name: physical_height - type: long - description: The numeric physical height of display. - - name: physical_orientation - type: long - description: The numeric physical orientation of display. - - name: physical_width - type: long - description: The numeric physical width of display. 
- - name: scale_factor - type: long - description: The numeric scale factor of display. - - name: keyboard_info - type: group - fields: - - name: function_keys - type: long - description: The number of function keys on client keyboard. - - name: ime - type: keyword - description: The Input Method Editor (IME) file name. - - name: keyboard_layout - type: keyword - description: The keyboard locale identifier name (e.g., en-US). - - name: keyboard_subtype - type: long - description: The keyboard numeric code. - - name: keyboard_type - type: keyword - description: The keyboard type (e.g., xt, ico). - - name: ram_size - type: long - description: 'The total amount of installed RAM, in Megabytes. For example: 2048.' - - name: serial_number - type: keyword - description: The device manufacturer serial number. - - name: hypervisor - type: keyword - description: The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc. - - name: image - type: group - fields: - - name: labels - type: keyword - description: The image labels. - - name: name - type: keyword - description: 'The image name. For example: elixir.' - - name: path - type: keyword - description: The full path to the image file. - - name: tag - type: keyword - description: 'The image tag. For example: 1.11-alpine.' - - name: uid - type: keyword - description: 'The unique image ID. For example: 77af4d6b9913.' - - name: imei - type: keyword - description: The International Mobile Station Equipment Identifier that is associated with the device. - - name: instance_uid - type: keyword - description: The unique identifier of a VM instance. - - name: interface_name - type: keyword - description: The name of the network interface (e.g. eth2). - - name: interface_uid - type: keyword - description: The unique identifier of the network interface. - - name: ip - type: ip - description: The device IP address, in either IPv4 or IPv6 format. 
- - name: is_compliant - type: boolean - description: The event occurred on a compliant device. - - name: is_managed - type: boolean - description: The event occurred on a managed device. - - name: is_personal - type: boolean - description: The event occurred on a personal device. - - name: is_trusted - type: boolean - description: The event occurred on a trusted device. - - name: last_seen_time - type: date - description: The most recent discovery time of the device. - - name: last_seen_time_dt - type: date - description: The most recent discovery time of the device. - - name: location - type: group - fields: - - name: city - type: keyword - description: The name of the city. - - name: continent - type: keyword - description: The name of the continent. - - name: coordinates - type: geo_point - description: A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. - - name: country - type: keyword - description: The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. - - name: desc - type: keyword - description: The description of the geographical location. - - name: is_on_premises - type: boolean - description: The indication of whether the location is on premises. - - name: isp - type: keyword - description: The name of the Internet Service Provider (ISP). - - name: postal_code - type: keyword - description: The postal code of the location. - - name: provider - type: keyword - description: The provider of the geographical location data. - - name: region - type: keyword - description: The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. - - name: mac - type: keyword - description: The device Media Access Control (MAC) address. 
- - name: modified_time - type: date - description: The time when the device was last known to have been modified. - - name: modified_time_dt - type: date - description: The time when the device was last known to have been modified. - - name: name - type: keyword - description: The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. - - name: network_interfaces - type: group - fields: - - name: hostname - type: keyword - description: The hostname associated with the network interface. - - name: ip - type: ip - description: The IP address associated with the network interface. - - name: mac - type: keyword - description: The MAC address of the network interface. - - name: name - type: keyword - description: The name of the network interface. - - name: namespace - type: keyword - description: The namespace is useful in merger or acquisition situations. For example, when similar entities exists that you need to keep separate. - - name: subnet_prefix - type: long - description: The subnet prefix length determines the number of bits used to represent the network part of the IP address. The remaining bits are reserved for identifying individual hosts within that subnet. - - name: type - type: keyword - description: The type of network interface. - - name: type_id - type: keyword - description: The network interface type identifier. - - name: uid - type: keyword - description: The unique identifier for the network interface. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: os - type: group - fields: - - name: build - type: keyword - description: The operating system build number. - - name: country - type: keyword - description: The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes. - - name: cpu_bits - type: long - description: The cpu architecture, the number of bits used for addressing in memory. For example, 32 or 64. - - name: edition - type: keyword - description: The operating system edition. For example, Professional. - - name: lang - type: keyword - description: The two letter lower case language codes, as defined by ISO 639-1. - - name: name - type: keyword - description: The operating system name. - - name: sp_name - type: keyword - description: The name of the latest Service Pack. - - name: sp_ver - type: keyword - description: The version number of the latest Service Pack. - - name: type - type: keyword - description: The type of the operating system. - - name: type_id - type: keyword - description: The type identifier of the operating system. - - name: version - type: keyword - description: The version of the OS running on the device that originated the event. For example, "Windows 10", "OS X 10.7", or "iOS 9". - - name: region - type: keyword - description: The region where the virtual machine is located. For example, an AWS Region. - - name: risk_level - type: keyword - description: The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. - - name: risk_level_id - type: keyword - description: The normalized risk level id. - - name: risk_score - type: long - description: The risk score as reported by the event source. 
- - name: subnet - type: ip_range - description: The subnet mask. - - name: subnet_uid - type: keyword - description: The unique identifier of a virtual subnet. - - name: type - type: keyword - description: The device type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. - - name: type_id - type: keyword - description: The device type ID. - - name: uid - type: keyword - description: The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: vlan_uid - type: keyword - description: The Virtual LAN identifier. - - name: vpc_uid - type: keyword - description: The unique identifier of the Virtual Private Cloud (VPC). - - name: disposition - type: keyword - description: The event disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source. - - name: disposition_id - type: keyword - description: When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product. - - name: driver - type: group - fields: - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. 
- - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. - - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' 
- - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). 
- - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate - type: group - fields: - - name: created_time - type: date - description: The time when the certificate was created. - - name: created_time_dt - type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid - type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. 
In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. - - name: type - type: keyword - description: The file type. - - name: type_id - type: keyword - description: The file type ID. - - name: uid - type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. - - name: version - type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. - - name: duration - type: long - description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. - - name: end_time - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: end_time_dt - type: date - description: The end time of a time period, or the time of the most recent event included in the aggregate event. - - name: enrichments - type: group - fields: - - name: data - type: flattened - description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. - - name: name - type: keyword - description: The name of the attribute to which the enriched data pertains. - - name: provider - type: keyword - description: The enrichment data provider name. - - name: type - type: keyword - description: The enrichment type. For example, location. - - name: value - type: keyword - description: The value of the attribute to which the enriched data pertains. 
- - name: exit_code - type: keyword - description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. - - name: file - type: group - fields: - - name: accessed_time - type: date - description: The time when the file was last accessed. - - name: accessed_time_dt - type: date - description: The time when the file was last accessed. - - name: accessor - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. 
- - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: attributes - type: long - description: The Bitmask value that represents the file attributes. - - name: company_name - type: keyword - description: 'The name of the company that published the file. For example: Microsoft Corporation.' - - name: confidentiality - type: keyword - description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. - - name: confidentiality_id - type: keyword - description: The normalized identifier of the file content confidentiality indicator. - - name: created_time - type: date - description: The time when the file was created. - - name: created_time_dt - type: date - description: The time when the file was created. 
- - name: creator - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. 
For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: desc - type: keyword - description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' - - name: hashes - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: is_system - type: boolean - description: The indication of whether the object is part of the operating system. - - name: mime_type - type: keyword - description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. - - name: modified_time - type: date - description: The time when the file was last modified. - - name: modified_time_dt - type: date - description: The time when the file was last modified. - - name: modifier - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). 
- - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. - - name: name - type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. - - name: type - type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
- - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid - type: keyword - description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt - type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: name - type: keyword - description: 'The name of the file. For example: svchost.exe.' - - name: owner - type: group - fields: - - name: account - type: group - fields: - - name: name - type: keyword - description: The name of the account (e.g. GCP Account Name). - - name: type - type: keyword - description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. - - name: type_id - type: keyword - description: The normalized account type identifier. - - name: uid - type: keyword - description: The unique identifier of the account (e.g. AWS Account ID). - - name: credential_uid - type: keyword - description: The unique identifier of the user's credential. For example, AWS Access Key ID. - - name: domain - type: keyword - description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' - - name: email_addr - type: keyword - description: The user's email address. - - name: full_name - type: keyword - description: The full name of the person, as per the LDAP Common Name attribute (cn). - - name: groups - type: group - fields: - - name: desc - type: keyword - description: The group description. + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. 
For example, for Windows events this is the security identifier (SID) of the group. - name: name type: keyword - description: The group name. - - name: privileges - type: keyword - description: The group privileges. + description: The username. For example, janedoe1. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword - description: The type of the group or account. - - name: uid - type: keyword - description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. - - name: name - type: keyword - description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + description: The account type identifier. - name: uid type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. - - name: type - type: keyword - description: The type of the user. For example, System, AWS IAM User, etc. - - name: type_id - type: keyword - description: The account type identifier. - - name: uid + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder type: keyword - description: The unique user identifier. 
For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. - - name: uid_alt + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path type: keyword - description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. - - name: parent_folder - type: keyword - description: 'The parent folder in which the file resides. For example: c:\windows\system32.' - - name: path - type: keyword - description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' - - name: product - type: group - fields: - - name: feature + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product type: group fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - name: name type: keyword - description: The name of the feature. + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. - name: uid type: keyword - description: The unique identifier of the feature. + description: The unique identifier of the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. - name: version type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. 
- - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: security_descriptor - type: keyword - description: The object security descriptor. - - name: signature - type: group - fields: - - name: algorithm - type: keyword - description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor type: keyword - description: The identifier of the normalized digital signature algorithm. - - name: certificate + description: The object security descriptor. + - name: signature type: group fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. 
+ - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. - name: created_time type: date - description: The time when the certificate was created. + description: The time when the digital signature was created. - name: created_time_dt type: date - description: The time when the certificate was created. - - name: expiration_time - type: date - description: The expiration time of the certificate. - - name: expiration_time_dt - type: date - description: The expiration time of the certificate. - - name: fingerprints + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest type: group fields: - name: algorithm 
@@ -3142,57 +547,95 @@ - name: value type: keyword description: The digital fingerprint value. - - name: issuer - type: keyword - description: The certificate issuer distinguished name. - - name: serial_number - type: keyword - description: The serial number of the certificate used to create the digital signature. - - name: subject - type: keyword - description: The certificate subject distinguished name. - - name: version - type: keyword - description: The certificate version. - - name: created_time - type: date - description: The time when the digital signature was created. - - name: created_time_dt - type: date - description: The time when the digital signature was created. - - name: developer_uid + - name: size + type: long + description: The size of data, in bytes. + - name: type type: keyword - description: The developer ID on the certificate that signed the file. - - name: digest - type: group - fields: - - name: algorithm - type: keyword - description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. - - name: algorithm_id - type: keyword - description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. - - name: value - type: keyword - description: The digital fingerprint value. - - name: size - type: long - description: The size of data, in bytes. + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' + - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. 
+ - name: duration + type: long + description: The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. + - name: end_time + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: end_time_dt + type: date + description: The end time of a time period, or the time of the most recent event included in the aggregate event. + - name: enrichments + type: group + fields: + - name: data + type: flattened + ignore_malformed: true + description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record. + - name: name + type: keyword + description: The name of the attribute to which the enriched data pertains. + - name: provider + type: keyword + description: The enrichment data provider name. - name: type type: keyword - description: The file type. - - name: type_id + description: The enrichment type. For example, location. + - name: value + type: keyword + description: The value of the attribute to which the enriched data pertains. + - name: exit_code + type: keyword + description: The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. + - name: firewall_rule + description: The Firewall Rule object represents a specific rule within a firewall policy or event. + type: group + fields: + - name: category + type: keyword + description: The rule category. + - name: condition + type: text + description: The rule trigger condition for the rule. For example, SQL_INJECTION. + - name: desc + type: text + description: The description of the rule that generated the event. + - name: duration + type: integer + description: The rule response time duration, usually used for challenge completion time. 
+ - name: match_details + type: keyword + description: The data in a request that rule matched. + - name: match_location + type: keyword + description: The location of the matched data in the source which resulted in the triggered firewall rule. For example, HEADER. + - name: name type: keyword - description: The file type ID. + description: The name of the rule that generated the event. + - name: rate_limit + type: integer + description: The rate limit for a rate-based rule. + - name: sensitivity + type: keyword + description: The sensitivity of the firewall rule in the matched event. For example, HIGH. + - name: type + type: keyword + description: The rule type. - name: uid type: keyword - description: The unique identifier of the file as defined by the storage system, such the file system file ID. + description: The unique identifier of the rule that generated the event. - name: version type: keyword - description: 'The file version. For example: 8.0.7601.17514.' - - name: xattributes - type: flattened - description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. + description: The rule version. For example, 1.1. - name: file_diff type: keyword description: File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values. 
@@ -3574,18 +1017,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' @@ -3775,21 +1211,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -3871,21 +1296,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -3976,21 +1390,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4057,21 +1460,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4093,18 +1485,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
@@ -4396,18 +1781,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: The two letter lower case language codes, as defined by ISO 639-1. 
@@ -4450,108 +1828,6 @@ - name: message type: keyword description: The description of the event, as defined by the event source. - - name: metadata - type: group - fields: - - name: correlation_uid - type: keyword - description: The unique identifier used to correlate events. - - name: event_code - type: keyword - description: The Event ID or Code that the product uses to describe the event. - - name: extension - type: group - fields: - - name: name - type: keyword - description: 'The schema extension name. For example: dev.' - - name: uid - type: keyword - description: 'The schema extension unique identifier. For example: 999.' - - name: version - type: keyword - description: 'The schema extension version. For example: 1.0.0-alpha.2.' - - name: labels - type: keyword - description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. - - name: log_name - type: keyword - description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' - - name: log_provider - type: keyword - description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. - - name: log_version - type: keyword - description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. - - name: logged_time - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. - - name: logged_time_dt - type: date - description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. 
Most of the time, these two times will be different. - - name: modified_time - type: date - description: The time when the event was last modified or enriched. - - name: modified_time_dt - type: date - description: The time when the event was last modified or enriched. - - name: original_time - type: keyword - description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. - - name: processed_time - type: date - description: The event processed time, such as an ETL operation. - - name: processed_time_dt - type: date - description: The event processed time, such as an ETL operation. - - name: product - type: group - fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. - - name: lang - type: keyword - description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' - - name: name - type: keyword - description: The name of the product. - - name: path - type: keyword - description: The installation path of the product. - - name: uid - type: keyword - description: The unique identifier of the product. - - name: url_string - type: keyword - description: The URL pointing towards the product. - - name: vendor_name - type: keyword - description: The name of the vendor of the product. - - name: version - type: keyword - description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' - - name: profiles - type: keyword - description: The list of profiles used to create the event. 
- - name: sequence - type: long - description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. - - name: uid - type: keyword - description: The logging system-assigned unique identifier of an event instance. - - name: version - type: keyword - description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' - name: module type: group fields: @@ -4618,21 +1894,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
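Review bot: the hunk starting at `@@ -4450,108 +1828,6 @@` removes the entire `metadata` group (correlation_uid, event_code, extension, labels, log_*, logged_time, modified_time, original_time, processed_time, product, profiles, sequence, uid, version) from this fields file with no replacement visible in the same file. Confirm that a dedicated `metadata-fields.yml` is added for this data stream as well, as the patch does later for `system_activity`; otherwise `ocsf.metadata.*` would be left to dynamic mapping and the `date` types on `logged_time`, `modified_time` and `processed_time` would be lost. Separately, `logged_time` and `logged_time_dt` (and the other `_time`/`_time_dt` pairs) carry identical descriptions, so a reader cannot tell which one is the raw epoch value and which the datetime.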
@@ -4714,21 +1979,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4819,21 +2073,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -4900,21 +2143,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -4936,18 +2168,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
@@ -5239,21 +2464,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5335,21 +2549,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5440,21 +2643,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -5521,21 +2713,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -5557,18 +2738,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' @@ -5854,21 +3028,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
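Review bot: the `org.*` object in the `@@ -5854,21 +3028,11 @@` hunk carries `description: Organization and org unit related to the user.`, while the identical `org.*` replacements in the earlier hunks (`@@ -4618`, `@@ -4714`, `@@ -4819`, `@@ -4900`, `@@ -5239`, `@@ -5335`, `@@ -5440`, `@@ -5521`) have no description at all. Apply the same description to every `org.*` entry so the field reference is consistent across data streams.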
@@ -5950,21 +3114,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -6055,21 +3209,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. 
@@ -6136,21 +3280,11 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: Organization and org unit related to the user. - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -6172,18 +3306,11 @@ - name: product type: group fields: - - name: feature - type: group - fields: - - name: name - type: keyword - description: The name of the feature. - - name: uid - type: keyword - description: The unique identifier of the feature. - - name: version - type: keyword - description: The version of the feature. + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" - name: lang type: keyword description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
@@ -6436,21 +3563,10 @@ - name: name type: keyword description: The username. For example, janedoe1. - - name: org - type: group - fields: - - name: name - type: keyword - description: The name of the organization. For example, Widget, Inc. - - name: ou_name - type: keyword - description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. - - name: ou_uid - type: keyword - description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. - - name: uid - type: keyword - description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: org.* + type: object + object_type: keyword + object_type_mapping_type: "*" - name: type type: keyword description: The type of the user. For example, System, AWS IAM User, etc. @@ -6598,6 +3714,9 @@ - name: raw_data type: flattened description: The event data as received from the event source. + - name: raw_data_keyword + type: match_only_text + description: The raw event data keyword as received from the event source. - name: requested_permissions type: long description: The permissions mask that were requested by the process. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml new file mode 100644 index 000000000000..f0d2fe6bc6b1 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/file-fields.yml 
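Review bot: in the `@@ -6598,6 +3714,9 @@` hunk the new field is named `raw_data_keyword` but mapped as `type: match_only_text`, and its description ("The raw event data keyword") repeats the name rather than explaining the intent. Since `raw_data` is already `flattened`, the added field is presumably a full-text searchable copy of the same payload; name it accordingly or state in the description that it is a text copy of `raw_data` for free-text search, and note that storing the raw event twice roughly doubles its footprint per document.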
@@ -0,0 +1,509 @@ +- name: ocsf + type: group + fields: + - name: file + type: group + fields: + - name: accessed_time + type: date + description: The time when the file was last accessed. + - name: accessed_time_dt + type: date + description: The time when the file was last accessed. + - name: accessor + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. 
+ - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: attributes + type: long + description: The Bitmask value that represents the file attributes. + - name: company_name + type: keyword + description: 'The name of the company that published the file. For example: Microsoft Corporation.' + - name: confidentiality + type: keyword + description: The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. + - name: confidentiality_id + type: keyword + description: The normalized identifier of the file content confidentiality indicator. + - name: created_time + type: date + description: The time when the file was created. + - name: created_time_dt + type: date + description: The time when the file was created. + - name: creator + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: desc + type: keyword + description: 'The description of the file, as returned by file system. For example: the description as returned by the Unix file command or the Windows file type.' + - name: hashes + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: is_system + type: boolean + description: The indication of whether the object is part of the operating system. + - name: mime_type + type: keyword + description: The Multipurpose Internet Mail Extensions (MIME) type of the file, if applicable. + - name: modified_time + type: date + description: The time when the file was last modified. + - name: modified_time_dt + type: date + description: The time when the file was last modified. + - name: modifier + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). 
+ - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. + - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. 
+ - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: name + type: keyword + description: 'The name of the file. For example: svchost.exe.' + - name: owner + type: group + fields: + - name: account + type: group + fields: + - name: name + type: keyword + description: The name of the account (e.g. GCP Account Name). + - name: type + type: keyword + description: The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. + - name: type_id + type: keyword + description: The normalized account type identifier. + - name: uid + type: keyword + description: The unique identifier of the account (e.g. AWS Account ID). + - name: credential_uid + type: keyword + description: The unique identifier of the user's credential. For example, AWS Access Key ID. + - name: domain + type: keyword + description: 'The domain where the user is defined. For example: the LDAP or Active Directory domain.' + - name: email_addr + type: keyword + description: The user's email address. + - name: full_name + type: keyword + description: The full name of the person, as per the LDAP Common Name attribute (cn). + - name: groups + type: group + fields: + - name: desc + type: keyword + description: The group description. + - name: name + type: keyword + description: The group name. + - name: privileges + type: keyword + description: The group privileges. 
+ - name: type + type: keyword + description: The type of the group or account. + - name: uid + type: keyword + description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. + - name: ldap_person + type: flattened + description: The LDAP person object. + - name: name + type: keyword + description: The username. For example, janedoe1. + - name: org + type: group + fields: + - name: name + type: keyword + description: The name of the organization. For example, Widget, Inc. + - name: ou_name + type: keyword + description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D. + - name: ou_uid + type: keyword + description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. + - name: uid + type: keyword + description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID. + - name: type + type: keyword + description: The type of the user. For example, System, AWS IAM User, etc. + - name: type_id + type: keyword + description: The account type identifier. + - name: uid + type: keyword + description: The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. + - name: uid_alt + type: keyword + description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. + - name: parent_folder + type: keyword + description: 'The parent folder in which the file resides. For example: c:\windows\system32.' + - name: path + type: keyword + description: 'The full path to the file. For example: c:\windows\system32\svchost.exe.' + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. 
+ object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' + - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: security_descriptor + type: keyword + description: The object security descriptor. + - name: signature + type: group + fields: + - name: algorithm + type: keyword + description: The digital signature algorithm used to create the signature, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized digital signature algorithm. + - name: certificate + type: group + fields: + - name: created_time + type: date + description: The time when the certificate was created. + - name: created_time_dt + type: date + description: The time when the certificate was created. + - name: expiration_time + type: date + description: The expiration time of the certificate. + - name: expiration_time_dt + type: date + description: The expiration time of the certificate. + - name: fingerprints + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. 
+ - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: issuer + type: keyword + description: The certificate issuer distinguished name. + - name: serial_number + type: keyword + description: The serial number of the certificate used to create the digital signature. + - name: subject + type: keyword + description: The certificate subject distinguished name. + - name: version + type: keyword + description: The certificate version. + - name: created_time + type: date + description: The time when the digital signature was created. + - name: created_time_dt + type: date + description: The time when the digital signature was created. + - name: developer_uid + type: keyword + description: The developer ID on the certificate that signed the file. + - name: digest + type: group + fields: + - name: algorithm + type: keyword + description: The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. + - name: algorithm_id + type: keyword + description: The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. + - name: value + type: keyword + description: The digital fingerprint value. + - name: size + type: long + description: The size of data, in bytes. + - name: type + type: keyword + description: The file type. + - name: type_id + type: keyword + description: The file type ID. + - name: uid + type: keyword + description: The unique identifier of the file as defined by the storage system, such the file system file ID. + - name: version + type: keyword + description: 'The file version. For example: 8.0.7601.17514.' 
+ - name: xattributes + type: flattened + description: An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. diff --git a/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml new file mode 100644 index 000000000000..01b1c11c4dc4 --- /dev/null +++ b/packages/amazon_security_lake/data_stream/system_activity/fields/metadata-fields.yml 
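Review bot: the description of the file object's `uid` in this hunk reads "such the file system file ID"; it should be "such as the file system file ID". The `product.lang` description here says "two letter lower case" while the identical field in the system_activity metadata-fields.yml added in this PR says "lowercase"; these descriptions are duplicated per data stream, so either generate them from one source or keep the wording identical so the rendered README tables do not drift.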
@@ -0,0 +1,122 @@ +- name: ocsf + type: group + fields: + - name: metadata + type: group + fields: + - name: tenant_uid + type: keyword + description: The audit level at which an event was generated. + - name: correlation_uid + type: keyword + description: The unique identifier used to correlate events. + - name: event_code + type: keyword + description: The Event ID or Code that the product uses to describe the event. + - name: extension + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: extensions + type: group + fields: + - name: name + type: keyword + description: 'The schema extension name. For example: dev.' + - name: uid + type: keyword + description: 'The schema extension unique identifier. For example: 999.' + - name: version + type: keyword + description: 'The schema extension version. For example: 1.0.0-alpha.2.' + - name: labels + type: keyword + description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. + - name: log_level + type: keyword + description: The log level of the event. + - name: loggers + type: flattened + description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. + - name: log_name + type: keyword + description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.' + - name: log_provider + type: keyword + description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. 
+ - name: log_version + type: keyword + description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. + - name: logged_time + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: logged_time_dt + type: date + description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. + - name: modified_time + type: date + description: The time when the event was last modified or enriched. + - name: modified_time_dt + type: date + description: The time when the event was last modified or enriched. + - name: original_time + type: keyword + description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. + - name: processed_time + type: date + description: The event processed time, such as an ETL operation. + - name: processed_time_dt + type: date + description: The event processed time, such as an ETL operation. + - name: product + type: group + fields: + - name: feature.* + type: object + description: The Feature object provides information about the software product feature that generated a specific event. + object_type: keyword + object_type_mapping_type: "*" + - name: lang + type: keyword + description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).' 
+ - name: name + type: keyword + description: The name of the product. + - name: path + type: keyword + description: The installation path of the product. + - name: uid + type: keyword + description: The unique identifier of the product. + - name: url_string + type: keyword + description: The URL pointing towards the product. + - name: vendor_name + type: keyword + description: The name of the vendor of the product. + - name: version + type: keyword + description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.' + - name: cpe_name + type: keyword + description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. + - name: profiles + type: keyword + description: The list of profiles used to create the event. + - name: sequence + type: long + description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. + - name: uid + type: keyword + description: The logging system-assigned unique identifier of an event instance. + - name: version + type: keyword + description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.' diff --git a/packages/amazon_security_lake/data_stream/system_activity/manifest.yml b/packages/amazon_security_lake/data_stream/system_activity/manifest.yml index 9ed929df109b..c6a2cf87a577 100644 --- a/packages/amazon_security_lake/data_stream/system_activity/manifest.yml +++ b/packages/amazon_security_lake/data_stream/system_activity/manifest.yml @@ -1,3 +1,9 @@ title: Amazon Security Lake System Activity Events dataset: amazon_security_lake.system_activity type: logs +elasticsearch: + dynamic_dataset: true + dynamic_namespace: true + index_template: + mappings: + dynamic: true 
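Review bot: `ocsf.metadata.tenant_uid` is described as "The audit level at which an event was generated.", which does not describe a tenant identifier and looks copied from another attribute; it should read along the lines of "The unique tenant identifier." The `extension` and `extensions` groups carry identical sub-fields; if `extension` is retained only for events that still emit the singular form, say so in its description so readers know which one the pipeline populates.

Review bot: `dynamic: true` in the system_activity index template means any attribute the pipeline leaves unmapped is added to the mapping on ingest, so a single source emitting many novel keys can exhaust the field mapping limit the README in this PR warns about and cause ingest rejections for the whole data stream; document this next to the mapping-depth note, or consider `dynamic: runtime` for nested objects that are not explicitly declared. With `dynamic_dataset` and `dynamic_namespace` also enabled, the `data_stream.dataset` and `data_stream.namespace` values the pipeline assigns decide the destination data stream, so the README should state how that routing is set.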
diff --git a/packages/amazon_security_lake/docs/README.md b/packages/amazon_security_lake/docs/README.md index b956a9743b4a..f5ca56c338b8 100644 --- a/packages/amazon_security_lake/docs/README.md +++ b/packages/amazon_security_lake/docs/README.md @@ -10,7 +10,7 @@ The Amazon Security Lake integration can be used in two different modes to colle ## Compatibility -This module follows the latest OCSF Schema Version **v1.0.0**. +This module follows the OCSF Schema Version **v1.1.0**. ## Data streams @@ -19,6 +19,8 @@ The Amazon Security Lake integration collects logs from both [Third-party servic ### **NOTE**: - The Amazon Security Lake integration supports events collected from [AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) and [third-party services](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html). +- Due to the nature and structure of the OCSF schema, this integration has limitations on how deep the mappings run. Some important objects like 'Actor', 'User' and 'Product' have more fleshed-out mappings compared to others which get flattened after the initial 2-3 levels of nesting to keep them maintainable and stay within field mapping [limits](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-settings-limit.html). This will evolve as needed. + ## Requirements - Elastic Agent must be installed. 
@@ -88,15 +90,20 @@ This is the `Event` dataset. | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | event.dataset | Event dataset. | constant_keyword | +| event.message | Log message optimized for viewing in a log viewer. | text | | event.module | Event module. | constant_keyword | -| input.type | Type of filebeat input. | keyword | -| log.offset | Log offset. | long | +| input.type | Type of Filebeat input. | keyword | +| log.flags | Flags for the log file. | keyword | +| log.offset | Offset of the entry in the log file. | long | | ocsf.access_mask | The access mask in a platform-native format. | long | +| ocsf.action | The normalized caption of action_id. | keyword | +| ocsf.action_id | The action taken by a control or other policy-based system leading to an outcome or disposition. Dispositions conform to an action of 1 'Allowed' or 2 'Denied' in most cases. | integer | | ocsf.activity_id | The normalized identifier of the activity that triggered the event. | keyword | | ocsf.activity_name | The event activity name, as defined by the activity_id. | keyword | | ocsf.actor.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword | | ocsf.actor.authorizations.policy.desc | The description of the policy. | keyword | | ocsf.actor.authorizations.policy.group.desc | The group description. | keyword | +| ocsf.actor.authorizations.policy.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.authorizations.policy.group.name | The group name. | keyword | | ocsf.actor.authorizations.policy.group.privileges | The group privileges. | keyword | | ocsf.actor.authorizations.policy.group.type | The type of the group or account. | keyword | 
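Review bot: `ocsf.action_id` is added as `integer` while `ocsf.activity_id`, two rows below, stays `keyword`; both are OCSF enum identifiers, and the `confidentiality_id` and `integrity_id` rows later in this diff are being moved from keyword to integer while the `type_id` fields in the new actor-fields.yml remain keyword. Pick one type for `*_id` enum fields across the package so queries and detections do not compare strings in one place and numbers in another; since this is a 2.0.0 release the breaking type change is acceptable, but it should be called out explicitly in the changelog entry.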
@@ -140,15 +147,14 @@ This is the `Event` dataset. | ocsf.actor.process.file.accessor.email_addr | The user's email address. | keyword | | ocsf.actor.process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.file.accessor.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.accessor.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.accessor.groups.name | The group name. | keyword | | ocsf.actor.process.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.accessor.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.accessor.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. 
| keyword | | ocsf.actor.process.file.accessor.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | @@ -156,7 +162,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.attributes | The Bitmask value that represents the file attributes. | long | | ocsf.actor.process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword | | ocsf.actor.process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| ocsf.actor.process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | integer | | ocsf.actor.process.file.created_time | The time when the file was created. | date | | ocsf.actor.process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword | 
@@ -168,15 +174,14 @@ This is the `Event` dataset. | ocsf.actor.process.file.creator.email_addr | The user's email address. | keyword | | ocsf.actor.process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.file.creator.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.creator.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.creator.groups.name | The group name. | keyword | | ocsf.actor.process.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.creator.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.creator.name | The name of the city. | keyword | -| ocsf.actor.process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.creator.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.creator.type_id | The account type identifier. 
| keyword | | ocsf.actor.process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
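Review bot: the unchanged context row `ocsf.actor.process.file.creator.name | The name of the city.` is wrong for a username field (compare `ocsf.actor.process.file.accessor.name | The username. For example, janedoe1.` in the preceding hunk), and the same pattern appears in the `-198` hunk (`modifier.email_addr | The image name. For example: elixir.`, `modifier.full_name | The user's email address.`) and the `-221` hunk (`owner.type | The event occurred on a personal device.The type of the user...`, `product.name | The name of the feature.`). These are pre-existing, but since this PR regenerates the README from the reworked fields yml, fix the descriptions at the source in the same change.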
@@ -198,15 +203,14 @@ This is the `Event` dataset. | ocsf.actor.process.file.modifier.email_addr | The image name. For example: elixir. | keyword | | ocsf.actor.process.file.modifier.full_name | The user's email address. | keyword | | ocsf.actor.process.file.modifier.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.modifier.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.modifier.groups.name | The group name. | keyword | | ocsf.actor.process.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.modifier.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.modifier.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.file.modifier.type_id | The account type identifier. 
| keyword | | ocsf.actor.process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -221,24 +225,21 @@ This is the `Event` dataset. | ocsf.actor.process.file.owner.email_addr | The user's email address. | keyword | | ocsf.actor.process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.file.owner.groups.desc | The group description. | keyword | +| ocsf.actor.process.file.owner.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.file.owner.groups.name | The group name. | keyword | | ocsf.actor.process.file.owner.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.file.owner.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.file.owner.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. 
| keyword | | ocsf.actor.process.file.owner.type_id | The account type identifier. | keyword | | ocsf.actor.process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.actor.process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.actor.process.file.product.feature.name | The name of the feature. | keyword | -| ocsf.actor.process.file.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.actor.process.file.product.feature.version | The version of the feature. | keyword | +| ocsf.actor.process.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.actor.process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.actor.process.file.product.name | The name of the feature. | keyword | | ocsf.actor.process.file.product.path | The installation path of the product. | keyword | 
@@ -259,6 +260,7 @@ This is the `Event` dataset. | ocsf.actor.process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword | | ocsf.actor.process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword | | ocsf.actor.process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword | +| ocsf.actor.process.file.signature.certificate.uid | The unique identifier of the certificate. | keyword | | ocsf.actor.process.file.signature.certificate.version | The certificate version. | keyword | | ocsf.actor.process.file.signature.created_time | The time when the digital signature was created. | date | | ocsf.actor.process.file.signature.created_time_dt | The time when the digital signature was created. | date | 
@@ -273,12 +275,13 @@ This is the `Event` dataset. | ocsf.actor.process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | | ocsf.actor.process.group.desc | The group description. | keyword | +| ocsf.actor.process.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.group.name | The group name. | keyword | | ocsf.actor.process.group.privileges | The group privileges. | keyword | | ocsf.actor.process.group.type | The type of the group or account. | keyword | | ocsf.actor.process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword | -| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword | +| ocsf.actor.process.integrity_id | The normalized identifier of the process integrity level (Windows only). | integer | | ocsf.actor.process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword | | ocsf.actor.process.loaded_modules | The list of loaded module names. | keyword | | ocsf.actor.process.name | The friendly name of the process, for example: Notepad++. | keyword | 
@@ -316,15 +319,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.accessor.email_addr | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.accessor.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.accessor.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.accessor.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.accessor.org.\* | | object | | ocsf.actor.process.parent_process.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.accessor.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | @@ -332,7 +334,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.attributes | The Bitmask value that represents the file attributes. | long | | ocsf.actor.process.parent_process.file.company_name | The name of the company that published the file. For example: Microsoft Corporation. | keyword | | ocsf.actor.process.parent_process.file.confidentiality | The file content confidentiality, normalized to the confidentiality_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | keyword | +| ocsf.actor.process.parent_process.file.confidentiality_id | The normalized identifier of the file content confidentiality indicator. | integer | | ocsf.actor.process.parent_process.file.created_time | The time when the file was created. | date | | ocsf.actor.process.parent_process.file.created_time_dt | The time when the file was created. | date | | ocsf.actor.process.parent_process.file.creator.account.name | The name of the account (e.g. GCP Account Name). | keyword | 
@@ -344,15 +346,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.creator.email_addr | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.creator.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.parent_process.file.creator.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.creator.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.creator.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.creator.name | The name of the city. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.creator.org.\* | | object | | ocsf.actor.process.parent_process.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.creator.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
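Review bot: the new row `ocsf.actor.process.parent_process.file.creator.org.\* | | object |` has an empty description column, whereas the corresponding `ocsf.actor.process.file.creator.org.\*` row earlier in this diff says "Organization and org unit related to the user."; the same empty description appears for `parent_process.file.accessor.org.\*` in the `-316` hunk and `parent_process.file.modifier.org.\*` in the `-374` hunk. Since the README is generated, add the description to the parent_process org fields in the fields yml rather than editing the table.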
@@ -374,15 +375,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.modifier.email_addr | The image name. For example: elixir. | keyword | | ocsf.actor.process.parent_process.file.modifier.full_name | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.modifier.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.modifier.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.modifier.org.\* | | object | | ocsf.actor.process.parent_process.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.modifier.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
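Review bot: the context rows at the top of this hunk carry copy-paste descriptions, and this rewrite of the `modifier` block is the right place to fix them: `ocsf.actor.process.parent_process.file.modifier.email_addr` is described as 'The image name. For example: elixir.' and `...file.modifier.full_name` as 'The user's email address.' Neither matches its field; use the wording of the `owner` rows in the next hunk ('The user's email address.' and 'The full name of the person, as per the LDAP Common Name attribute (cn).'). The replacement `file.modifier.org.\*` row is also missing a description.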
@@ -397,24 +397,21 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.owner.email_addr | The user's email address. | keyword | | ocsf.actor.process.parent_process.file.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.parent_process.file.owner.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.file.owner.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.file.owner.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. 
| keyword | +| ocsf.actor.process.parent_process.file.owner.org.\* | | object | | ocsf.actor.process.parent_process.file.owner.type | The event occurred on a personal device.The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.file.owner.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.parent_process.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.parent_process.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.actor.process.parent_process.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.actor.process.parent_process.file.product.feature.name | The name of the feature. | keyword | -| ocsf.actor.process.parent_process.file.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.actor.process.parent_process.file.product.feature.version | The version of the feature. | keyword | +| ocsf.actor.process.parent_process.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.actor.process.parent_process.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.actor.process.parent_process.file.product.name | The name of the feature. | keyword | | ocsf.actor.process.parent_process.file.product.path | The installation path of the product. | keyword | 
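Review bot: two context rows in this hunk describe the wrong thing. `ocsf.actor.process.parent_process.file.owner.type` reads 'The event occurred on a personal device.The type of the user. ...', a fragment from another field glued onto the front; trim it to 'The type of the user. For example, System, AWS IAM User, etc.' And `...file.product.name` is described as 'The name of the feature.' while it now sits directly under the new `file.product.feature.\*` row that owns that meaning; it should read 'The name of the product.' The `file.owner.org.\*` replacement row also has an empty description cell.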
@@ -435,6 +432,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.signature.certificate.issuer | The certificate issuer distinguished name. | keyword | | ocsf.actor.process.parent_process.file.signature.certificate.serial_number | The serial number of the certificate used to create the digital signature. | keyword | | ocsf.actor.process.parent_process.file.signature.certificate.subject | The certificate subject distinguished name. | keyword | +| ocsf.actor.process.parent_process.file.signature.certificate.uid | The unique identifier of the certificate. | keyword | | ocsf.actor.process.parent_process.file.signature.certificate.version | The certificate version. | keyword | | ocsf.actor.process.parent_process.file.signature.created_time | The time when the digital signature was created. | date | | ocsf.actor.process.parent_process.file.signature.created_time_dt | The time when the digital signature was created. | date | 
@@ -449,12 +447,13 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.actor.process.parent_process.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | | ocsf.actor.process.parent_process.group.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.group.name | The group name. | keyword | | ocsf.actor.process.parent_process.group.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.group.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.parent_process.integrity | The process integrity level, normalized to the caption of the direction_id value. In the case of 'Other', it is defined by the event source (Windows only). | keyword | -| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | keyword | +| ocsf.actor.process.parent_process.integrity_id | The normalized identifier of the process integrity level (Windows only). | integer | | ocsf.actor.process.parent_process.lineage | The lineage of the process, represented by a list of paths for each ancestor process. For example: ['/usr/sbin/sshd', '/usr/bin/bash', '/usr/bin/whoami']. | keyword | | ocsf.actor.process.parent_process.loaded_modules | The list of loaded module names. | keyword | | ocsf.actor.process.parent_process.name | The friendly name of the process, for example: Notepad++. | keyword | 
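Review bot: changing `ocsf.actor.process.parent_process.integrity_id` from `keyword` to `integer` is a mapping-type change on a field that already exists in 1.x indices; documents indexed under the old template keep the keyword mapping until rollover, and after rollover any non-numeric value a source still sends for this field will fail indexing. Shipping it in 2.0.0 is the right call, but make sure the pipeline coerces the value (or drops it with `ignore_failure`) and that the changelog names the breaking type changes rather than only 'dynamic mapping support'.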
@@ -471,6 +470,7 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.session.is_remote | The indication of whether the session is remote. | boolean | | ocsf.actor.process.parent_process.session.issuer | The identifier of the session issuer. | keyword | | ocsf.actor.process.parent_process.session.mfa | | boolean | +| ocsf.actor.process.parent_process.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword | | ocsf.actor.process.parent_process.session.uid | The unique identifier of the session. | keyword | | ocsf.actor.process.parent_process.session.uuid | The universally unique identifier of the session. | keyword | | ocsf.actor.process.parent_process.terminated_time | The time when the process was terminated. | date | 
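Review bot: the new description 'The Pseudo Terminal associated with the session. Ex, the tty or pts value.' uses 'Ex,' where the rest of this file writes 'For example,' and capitalizes 'Pseudo Terminal' mid-sentence; the identical text is copied into the `actor.process.session.terminal` and `actor.session.terminal` rows later in the patch, so fix the source string once before it is propagated further.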
@@ -486,15 +486,14 @@ This is the `Event` dataset. | ocsf.actor.process.parent_process.user.email_addr | The user's email address. | keyword | | ocsf.actor.process.parent_process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.parent_process.user.groups.desc | The group description. | keyword | +| ocsf.actor.process.parent_process.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.parent_process.user.groups.name | The group name. | keyword | | ocsf.actor.process.parent_process.user.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.parent_process.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.parent_process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.process.parent_process.user.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.process.parent_process.user.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.parent_process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.parent_process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.parent_process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.parent_process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.parent_process.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.process.parent_process.user.type | The type of the user. 
For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.parent_process.user.type_id | The account type identifier. | keyword | | ocsf.actor.process.parent_process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | @@ -510,6 +509,7 @@ This is the `Event` dataset. | ocsf.actor.process.session.is_remote | The indication of whether the session is remote. | boolean | | ocsf.actor.process.session.issuer | The identifier of the session issuer. | keyword | | ocsf.actor.process.session.mfa | | boolean | +| ocsf.actor.process.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword | | ocsf.actor.process.session.uid | The unique identifier of the session. | keyword | | ocsf.actor.process.session.uuid | The universally unique identifier of the session. | keyword | | ocsf.actor.process.terminated_time | The time when the process was terminated. | date | 
@@ -525,29 +525,33 @@ This is the `Event` dataset. | ocsf.actor.process.user.email_addr | The user's email address. | keyword | | ocsf.actor.process.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.process.user.groups.desc | The group description. | keyword | +| ocsf.actor.process.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.process.user.groups.name | The group name. | keyword | | ocsf.actor.process.user.groups.privileges | The group privileges. | keyword | | ocsf.actor.process.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.process.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.actor.process.user.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.process.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.process.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.process.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.process.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.process.user.org.\* | | object | | ocsf.actor.process.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.process.user.type_id | The account type identifier. | keyword | | ocsf.actor.process.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.actor.process.user.uid_alt | The alternate user identifier. 
For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.actor.process.xattributes | An unordered collection of zero or more name/value pairs that represent a process extended attribute. | flattened | +| ocsf.actor.session.count | The number of identical sessions spawned from the same source IP, destination IP, application, and content/threat type seen over a period of time. | integer | | ocsf.actor.session.created_time | The time when the session was created. | date | | ocsf.actor.session.created_time_dt | The time when the session was created. | date | | ocsf.actor.session.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | +| ocsf.actor.session.expiration_reason | The reason which triggered the session expiration. | keyword | | ocsf.actor.session.expiration_time | The session expiration time. | date | | ocsf.actor.session.expiration_time_dt | The session expiration time. | date | +| ocsf.actor.session.is_mfa | Indicates whether Multi Factor Authentication was used during authentication. | boolean | | ocsf.actor.session.is_remote | The indication of whether the session is remote. | boolean | +| ocsf.actor.session.is_vpn | The indication of whether the session is a VPN session. | boolean | | ocsf.actor.session.issuer | The identifier of the session issuer. | keyword | | ocsf.actor.session.mfa | | boolean | +| ocsf.actor.session.terminal | The Pseudo Terminal associated with the session. Ex, the tty or pts value. | keyword | | ocsf.actor.session.uid | The unique identifier of the session. | keyword | +| ocsf.actor.session.uid_alt | The alternate unique identifier of the session. e.g. AWS ARN - arn:aws:sts::123344444444:assumed-role/Admin/example-session. | keyword | | ocsf.actor.session.uuid | The universally unique identifier of the session. | keyword | | ocsf.actor.user.account.name | The name of the account (e.g. GCP Account Name). 
| keyword | | ocsf.actor.user.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | 
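Review bot: `ocsf.actor.process.user` is the only user object in this patch that does not receive the new `ldap_person` row; both `actor.process.parent_process.user` and `actor.user` add `| ...ldap_person | The LDAP attributes of the user. | flattened |`, and it is odd for the shallower `actor.process.user` to be skipped while the deeper parent-process user is mapped. If the omission is deliberate under the depth limit, say so in the README note; otherwise add the row. Two smaller points in the same hunk: the `actor.process.user.org.\*` row has an empty description while `actor.process.parent_process.user.org.\*` reads 'Organization and org unit related to the user.', and the session block now lists both the new `is_mfa` (documented) and the older `mfa` with a blank description; state which one the pipeline populates, or document `mfa` as the older name kept for compatibility.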
@@ -558,15 +562,14 @@ This is the `Event` dataset. | ocsf.actor.user.email_addr | The user's email address. | keyword | | ocsf.actor.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.actor.user.groups.desc | The group description. | keyword | +| ocsf.actor.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.actor.user.groups.name | The group name. | keyword | | ocsf.actor.user.groups.privileges | The group privileges. | keyword | | ocsf.actor.user.groups.type | The type of the group or account. | keyword | | ocsf.actor.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.actor.user.ldap_person | The LDAP attributes of the user. | flattened | | ocsf.actor.user.name | The username. For example, janedoe1. | keyword | -| ocsf.actor.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.actor.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.actor.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.actor.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.actor.user.org.\* | Organization and org unit related to the user. | object | | ocsf.actor.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.actor.user.type_id | The account type identifier. | keyword | | ocsf.actor.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -594,22 +597,48 @@ This is the `Event` dataset. | ocsf.answers.rdata | The data describing the DNS resource. The meaning of this data depends on the type and class of the resource record. | keyword | | ocsf.answers.ttl | The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached. | long | | ocsf.answers.type | The type of data contained in this resource record. See RFC1035. For example: CNAME. | keyword | +| ocsf.api.group.desc | The group description. | text | +| ocsf.api.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | +| ocsf.api.group.name | The group name. | keyword | +| ocsf.api.group.privileges | The group privileges. | keyword | +| ocsf.api.group.type | The type of the group or account. | keyword | +| ocsf.api.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.api.operation | Verb/Operation associated with the request. | keyword | -| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword | +| ocsf.api.request.containers.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened | +| ocsf.api.request.containers.image | The container image used as a template to run the container. | flattened | +| ocsf.api.request.containers.name | The container name. | keyword | +| ocsf.api.request.containers.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword | +| ocsf.api.request.containers.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. 
| keyword | +| ocsf.api.request.containers.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword | +| ocsf.api.request.containers.runtime | The backend running the container, such as containerd or cri-o. | keyword | +| ocsf.api.request.containers.size | The size of the container image. | integer | +| ocsf.api.request.containers.tag | The tag used by the container. It can indicate version, format, OS. | keyword | +| ocsf.api.request.containers.uid | The full container unique identifier for this instantiation of the container. | keyword | +| ocsf.api.request.data | The additional data that is associated with the api request. | flattened | +| ocsf.api.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. | keyword | | ocsf.api.request.uid | The unique request identifier. | keyword | -| ocsf.api.response.code | The numeric response sent to a request. | long | +| ocsf.api.response.code | The numeric response sent to a request. | integer | +| ocsf.api.response.containers.hash | Commit hash of image created for docker or the SHA256 hash of the container. | flattened | +| ocsf.api.response.containers.image | The container image used as a template to run the container. | flattened | +| ocsf.api.response.containers.name | The container name. | keyword | +| ocsf.api.response.containers.network_driver | The network driver used by the container. For example, bridge, overlay, host, none, etc. | keyword | +| ocsf.api.response.containers.orchestrator | The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift. | keyword | +| ocsf.api.response.containers.pod_uuid | The unique identifier of the pod (or equivalent) that the container is executing on. | keyword | +| ocsf.api.response.containers.runtime | The backend running the container, such as containerd or cri-o. | keyword | +| ocsf.api.response.containers.size | The size of the container image. 
| integer | +| ocsf.api.response.containers.tag | The tag used by the container. It can indicate version, format, OS. | keyword | +| ocsf.api.response.containers.uid | The full container unique identifier for this instantiation of the container. | keyword | +| ocsf.api.response.data | The additional data that is associated with the api response. | flattened | | ocsf.api.response.error | Error Code. | keyword | -| ocsf.api.response.error_message | Error Message. | keyword | -| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | keyword | -| ocsf.api.response.message | The description of the event, as defined by the event source. | keyword | +| ocsf.api.response.error_message | Error Message. | text | +| ocsf.api.response.flags | The list of communication flags, normalized to the captions of the flag_ids values. | keyword | +| ocsf.api.response.message | The description of the event/finding, as defined by the source. | text | | ocsf.api.service.labels | The list of labels associated with the service. | keyword | | ocsf.api.service.name | The name of the service. | keyword | | ocsf.api.service.uid | The unique identifier of the service. | keyword | | ocsf.api.service.version | The version of the service. | keyword | | ocsf.api.version | The version of the API service. | keyword | -| ocsf.app.feature.name | The name of the feature. | keyword | -| ocsf.app.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.app.feature.version | The version of the feature. | keyword | +| ocsf.app.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.app.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword | | ocsf.app.name | The CIS benchmark name. | keyword | | ocsf.app.path | The installation path of the product. | keyword | 
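Review bot: `ocsf.api.request.containers.size` and `ocsf.api.response.containers.size` are mapped as `integer`, a signed 32-bit type in Elasticsearch capped at 2,147,483,647; if the source reports image size in bytes, any image over 2 GiB produces a value out of range and the whole document fails to index. Use `long`, as this hunk already does for `ocsf.answers.ttl`. Also here: `ocsf.api.group.desc` is `text` while every other `group.desc` row in the file is `keyword`, so it cannot be aggregated or filtered like the others; and the context row `ocsf.app.name | The CIS benchmark name.` is a copy-paste description for the application name that should be corrected while the neighbouring `app.feature.\*` row is being reworked.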
@@ -618,6 +647,8 @@ This is the `Event` dataset. | ocsf.app.vendor_name | The name of the vendor of the product. | keyword | | ocsf.app.version | The version of the product, as defined by the event source. | keyword | | ocsf.app_name | The name of the application that is associated with the event or object. | keyword | +| ocsf.assignee | The details of the user assigned to an Incident. | flattened | +| ocsf.assignee_group | The details of the group assigned to an Incident. | flattened | | ocsf.attacks.tactics.name | The tactic name that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword | | ocsf.attacks.tactics.uid | The tactic ID that is associated with the attack technique, as defined by ATT&CK MatrixTM. | keyword | | ocsf.attacks.technique.name | The name of the attack technique, as defined by ATT&CK MatrixTM. For example: Drive-by Compromise. | keyword | 
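Review bot: `ocsf.assignee` and `ocsf.assignee_group` are mapped as `flattened`, which indexes every leaf value as a keyword; the assignee's identifiers stay searchable by exact match, but date and numeric sub-fields lose their types and nothing under these two fields gets the per-field documentation the rest of the table provides. Given the README's own note that 'User' objects are among the more fully mapped ones, add a sentence explaining why the incident assignee is flattened (staying under the field mapping limit is a fine reason) so users do not expect `assignee` keys to behave like `actor.user.name`.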
@@ -626,6 +657,17 @@ This is the `Event` dataset. | ocsf.attempt | The attempt number for attempting to deliver the email. | long | | ocsf.auth_protocol | The authentication protocol as defined by the caption of 'auth_protocol_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.auth_protocol_id | The normalized identifier of the authentication protocol used to create the user session. | keyword | +| ocsf.authorizations.decision | Authorization Result/outcome, e.g. allowed, denied. | keyword | +| ocsf.authorizations.policy.desc | The description of the policy. | keyword | +| ocsf.authorizations.policy.group.desc | The group description. | keyword | +| ocsf.authorizations.policy.group.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | +| ocsf.authorizations.policy.group.name | The group name. | keyword | +| ocsf.authorizations.policy.group.privileges | The group privileges. | keyword | +| ocsf.authorizations.policy.group.type | The type of the group or account. | keyword | +| ocsf.authorizations.policy.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.authorizations.policy.name | The policy name. For example: IAM Policy. | keyword | +| ocsf.authorizations.policy.uid | A unique identifier of the policy instance. | keyword | +| ocsf.authorizations.policy.version | The policy version number. | keyword | | ocsf.banner | The initial SMTP connection response that a messaging server receives after it connects to a email server. | keyword | | ocsf.base_address | The memory address that was access or requested. | keyword | | ocsf.capabilities | A list of RDP capabilities. | keyword | 
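Review bot: the `*_id` enumeration fields in this patch do not follow one type convention. The context row `ocsf.auth_protocol_id` stays `keyword` here, while `ocsf.actor.process.parent_process.integrity_id` is changed to `integer` and `ocsf.compliance.status_id` is added as `integer` elsewhere in the patch. Pick one type for the numeric identifier (`integer`, with the caption field beside it remaining `keyword`) and apply it across the table; otherwise range queries and dashboard filters behave differently per field. The new `ocsf.authorizations.decision` and `ocsf.authorizations.policy.*` rows look correct.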
@@ -646,7 +688,9 @@ This is the `Event` dataset. | ocsf.cis_benchmark_result.desc | The CIS benchmark description. | keyword | | ocsf.cis_benchmark_result.name | The CIS benchmark name. | keyword | | ocsf.cis_benchmark_result.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.cis_benchmark_result.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | | ocsf.cis_benchmark_result.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.cis_benchmark_result.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.cis_benchmark_result.rule.category | The rule category. | keyword | | ocsf.cis_benchmark_result.rule.desc | The description of the rule that generated the event. | keyword | | ocsf.cis_benchmark_result.rule.name | The name of the rule that generated the event. | keyword | 
@@ -677,10 +721,15 @@ This is the `Event` dataset. | ocsf.codes | The list of return codes to the FTP command. | long | | ocsf.command | The command name. | keyword | | ocsf.command_responses | The list of responses to the FTP command. | keyword | +| ocsf.command_uid | The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated. | keyword | | ocsf.comment | The user provided comment about why the entity was changed. | keyword | -| ocsf.compliance.requirements | A list of applicable compliance requirements for which this finding is related to. | keyword | -| ocsf.compliance.status | The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.compliance.status_detail | The status details contains additional information about the event outcome. | keyword | +| ocsf.compliance.control | A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls. | keyword | +| ocsf.compliance.requirements | A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10. | keyword | +| ocsf.compliance.standards | Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001. | keyword | +| ocsf.compliance.status | The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source. | keyword | +| ocsf.compliance.status_code | The resultant status code of the compliance check. | keyword | +| ocsf.compliance.status_detail | The contextual description of the status, status_code values. 
| text | +| ocsf.compliance.status_id | The normalized status identifier of the compliance check. | integer | | ocsf.component | The name or relative pathname of a sub-component of the data object, if applicable. | keyword | | ocsf.confidence | The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.confidence_id | The normalized confidence refers to the accuracy of the rule that created the finding. A rule with a low confidence means that the finding scope is wide and may create finding reports that may not be malicious in nature. | keyword | @@ -699,6 +748,8 @@ This is the `Event` dataset. | ocsf.count | The number of times that events in the same logical group occurred during the event Start Time to End Time period. | long | | ocsf.create_mask | The original Windows mask that is required to create the object. | keyword | | ocsf.data_sources | The data sources for the finding. | keyword | +| ocsf.database | The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data. | flattened | +| ocsf.databucket | The data bucket object is a basic container that holds data, typically organized through the use of data partitions. | flattened | | ocsf.dce_rpc.command | The request command (e.g. REQUEST, BIND). | keyword | | ocsf.dce_rpc.command_response | The reply to the request command (e.g. RESPONSE, BINDACK or FAULT). | keyword | | ocsf.dce_rpc.flags | The list of interface flags. | keyword | 
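Review bot: `ocsf.compliance.control` carries a definition ('A Control is prescriptive, prioritized, and simplified set of best practices ...', also missing the article 'a') instead of saying what the field holds; 'The control the check maps to, e.g. an AWS Security Hub control ID or a CIS Control.' would serve readers better, and the same applies to the `standards` row. `ocsf.compliance.status_detail` moving from `keyword` to `text` is sensible for free-form text but removes it from terms aggregations, so list it with the other breaking type changes alongside the new `status_id | integer` row. In the `@@ -699` hunk that follows on this same line, `ocsf.database` and `ocsf.databucket` are flattened wholesale, so their sub-fields are keyword-only; that belongs in the README's depth-limit note.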
@@ -707,7 +758,9 @@ This is the `Event` dataset. | ocsf.dce_rpc.rpc_interface.ack_result | An integer that denotes the acknowledgment result of the DCE/RPC call. | long | | ocsf.dce_rpc.rpc_interface.uuid | The unique identifier of the particular remote procedure or service. | keyword | | ocsf.dce_rpc.rpc_interface.version | The version of the DCE/RPC protocol being used in the session. | keyword | +| ocsf.desc | The short description of the incident. | keyword | | ocsf.device.autoscale_uid | The unique identifier of the cloud autoscale configuration. | keyword | +| ocsf.device.container | The information describing an instance of a container. | flattened | | ocsf.device.created_time | The time when the device was known to have been created. | date | | ocsf.device.created_time_dt | TThe time when the device was known to have been created. | date | | ocsf.device.desc | The description of the device, ordinarily as reported by the operating system. | keyword | @@ -715,6 +768,7 @@ This is the `Event` dataset. | ocsf.device.first_seen_time | The initial discovery time of the device. | date | | ocsf.device.first_seen_time_dt | The initial discovery time of the device. | date | | ocsf.device.groups.desc | The group description. | keyword | +| ocsf.device.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.device.groups.name | The group name. | keyword | | ocsf.device.groups.privileges | The group privileges. | keyword | | ocsf.device.groups.type | The type of the group or account. | keyword | 
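Review bot: the context row `ocsf.device.created_time_dt | TThe time when the device was known to have been created.` has a doubled 'T'; fix it while the device block is being touched. The new `ocsf.device.container | The information describing an instance of a container. | flattened |` row documents the Container object as a single flattened field, whereas the same object is expanded field by field under `ocsf.api.request.containers.*` earlier in this patch; that is consistent with the stated depth limit, but a sentence in the README note explaining that the same object can appear expanded or flattened depending on nesting depth would save readers a search.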
@@ -772,6 +826,7 @@ This is the `Event` dataset. | ocsf.device.modified_time | The time when the device was last known to have been modified. | date | | ocsf.device.modified_time_dt | The time when the device was last known to have been modified. | date | | ocsf.device.name | The alternate device name, ordinarily as assigned by an administrator. The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234. | keyword | +| ocsf.device.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | | ocsf.device.network_interfaces.hostname | The hostname associated with the network interface. | keyword | | ocsf.device.network_interfaces.ip | The IP address associated with the network interface. | ip | | ocsf.device.network_interfaces.mac | The MAC address of the network interface. | keyword | @@ -808,6 +863,7 @@ This is the `Event` dataset. | ocsf.device.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.device.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.device.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.device.zone | The network zone or LAN segment. | keyword | | ocsf.dialect | The negotiated protocol dialect. | keyword | | ocsf.direction | The direction of the email, as defined by the direction_id value. | keyword | | ocsf.direction_id | The direction of the email relative to the scanning host or organization. | keyword | 
@@ -829,10 +885,7 @@ This is the `Event` dataset. | ocsf.driver.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.accessor.org.\* | | object | | ocsf.driver.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.accessor.type_id | The account type identifier. | keyword | | ocsf.driver.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -857,10 +910,7 @@ This is the `Event` dataset. | ocsf.driver.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.creator.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.creator.org.\* | | object | | ocsf.driver.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.creator.type_id | The account type identifier. | keyword | | ocsf.driver.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -887,10 +937,7 @@ This is the `Event` dataset. | ocsf.driver.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.modifier.org.\* | | object | | ocsf.driver.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.modifier.type_id | The account type identifier. | keyword | | ocsf.driver.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -910,19 +957,14 @@ This is the `Event` dataset. | ocsf.driver.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.driver.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.driver.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.driver.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.driver.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.driver.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.driver.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.driver.file.owner.org.\* | | object | | ocsf.driver.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.driver.file.owner.type_id | The account type identifier. | keyword | | ocsf.driver.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.driver.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.driver.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.driver.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.driver.file.product.feature.name | The name of the feature. | keyword | -| ocsf.driver.file.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.driver.file.product.feature.version | The version of the feature. 
| keyword | +| ocsf.driver.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.driver.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.driver.file.product.name | The name of the product. | keyword | | ocsf.driver.file.product.path | The installation path of the product. | keyword | @@ -955,8 +997,10 @@ This is the `Event` dataset. | ocsf.driver.file.uid | The unique identifier of the file as defined by the storage system, such the file system file ID. | keyword | | ocsf.driver.file.version | The file version. For example: 8.0.7601.17514. | keyword | | ocsf.driver.file.xattributes | An unordered collection of zero or more name/value pairs where each pair represents a file or folder extended attribute. | flattened | +| ocsf.dst_endpoint.container | The information describing an instance of a container. | flattened | | ocsf.dst_endpoint.domain | The name of the domain. | keyword | | ocsf.dst_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| ocsf.dst_endpoint.hw_info | The endpoint hardware information. | flattened | | ocsf.dst_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | | ocsf.dst_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | | ocsf.dst_endpoint.interface_uid | The unique identifier of the network interface. | keyword | 
@@ -974,12 +1018,18 @@ This is the `Event` dataset. | ocsf.dst_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | | ocsf.dst_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | | ocsf.dst_endpoint.name | The short name of the endpoint. | keyword | +| ocsf.dst_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | +| ocsf.dst_endpoint.os | The endpoint operating system. | flattened | | ocsf.dst_endpoint.port | The port used for communication within the network connection. | long | +| ocsf.dst_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened | | ocsf.dst_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | | ocsf.dst_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | +| ocsf.dst_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | +| ocsf.dst_endpoint.type_id | The network endpoint type ID. | keyword | | ocsf.dst_endpoint.uid | The unique identifier of the endpoint. | keyword | | ocsf.dst_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.dst_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.dst_endpoint.zone | The network zone or LAN segment. 
| keyword | | ocsf.duration | The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds. | long | | ocsf.email.cc | The email header Cc values, as defined by RFC 5322. | keyword | | ocsf.email.delivered_to | The Delivered-To email header field. | keyword | @@ -1020,6 +1070,7 @@ This is the `Event` dataset. | ocsf.entity_result.uid | The identifier of the managed entity. | keyword | | ocsf.entity_result.version | The version of the managed entity. | keyword | | ocsf.evidence | The data the finding exposes to the analyst. | flattened | +| ocsf.evidences | Describes various evidence artifacts associated to the activity/activities that triggered a security detection. | flattened | | ocsf.exit_code | The exit code reported by a process when it terminates. The convention is that zero indicates success and any non-zero exit code indicates that some error occurred. | keyword | | ocsf.expiration_time | The share expiration time. | date | | ocsf.expiration_time_dt | The share expiration time. | date | @@ -1038,6 +1089,7 @@ This is the `Event` dataset. | ocsf.file.accessor.groups.privileges | The group privileges. | keyword | | ocsf.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.file.accessor.ldap_person | The LDAP person object. | flattened | | ocsf.file.accessor.name | The username. For example, janedoe1. | keyword | | ocsf.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | 
@@ -1066,6 +1118,7 @@ This is the `Event` dataset. | ocsf.file.creator.groups.privileges | The group privileges. | keyword | | ocsf.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.file.creator.ldap_person | The LDAP person object. | flattened | | ocsf.file.creator.name | The username. For example, janedoe1. | keyword | | ocsf.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | @@ -1096,6 +1149,7 @@ This is the `Event` dataset. | ocsf.file.modifier.groups.privileges | The group privileges. | keyword | | ocsf.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.file.modifier.ldap_person | The LDAP person object. | flattened | | ocsf.file.modifier.name | The username. For example, janedoe1. | keyword | | ocsf.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | 
@@ -1119,6 +1173,7 @@ This is the `Event` dataset. | ocsf.file.owner.groups.privileges | The group privileges. | keyword | | ocsf.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.file.owner.ldap_person | The LDAP person object. | flattened | | ocsf.file.owner.name | The username. For example, janedoe1. | keyword | | ocsf.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | @@ -1130,9 +1185,7 @@ This is the `Event` dataset. | ocsf.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.file.product.feature.name | The name of the feature. | keyword | -| ocsf.file.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.file.product.feature.version | The version of the feature. | keyword | +| ocsf.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.file.product.name | The name of the product. | keyword | | ocsf.file.product.path | The installation path of the product. | keyword | 
@@ -1274,9 +1327,7 @@ This is the `Event` dataset. | ocsf.file_result.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.file_result.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.file_result.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.file_result.product.feature.name | The name of the feature. | keyword | -| ocsf.file_result.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.file_result.product.feature.version | The version of the feature. | keyword | +| ocsf.file_result.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.file_result.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.file_result.product.name | The name of the product. | keyword | | ocsf.file_result.product.path | The installation path of the product. | keyword | 
@@ -1324,12 +1375,16 @@ This is the `Event` dataset. | ocsf.finding.related_events.type_uid | The unique identifier of the related event type. For example: 100701. | keyword | | ocsf.finding.related_events.uid | The unique identifier of the related event. | keyword | | ocsf.finding.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.finding.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | | ocsf.finding.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.finding.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.finding.src_url | The URL pointing to the source of the finding. | keyword | | ocsf.finding.supporting_data | Additional data supporting a finding as provided by security tool. | flattened | | ocsf.finding.title | The title of the reported finding. | keyword | | ocsf.finding.types | One or more types of the reported finding. | keyword | | ocsf.finding.uid | The unique identifier of the reported finding. | keyword | +| ocsf.finding_info | Describes the supporting information about a generated finding. | flattened | +| ocsf.firewall_rule | The firewall rule that triggered the event. | flattened | | ocsf.group.desc | The group description. | keyword | | ocsf.group.name | The group name. | keyword | | ocsf.group.privileges | The group privileges. | keyword | 
@@ -1372,6 +1427,18 @@ This is the `Event` dataset. | ocsf.is_new_logon | Indicates logon is from a device not seen before or a first time account logon. | boolean | | ocsf.is_remote | The attempted authentication is over a remote connection. | boolean | | ocsf.is_renewal | The indication of whether this is a lease/session renewal event. | boolean | +| ocsf.kb_article_list.bulletin | The kb article bulletin identifier. | keyword | +| ocsf.kb_article_list.classification | The vendors classification of the kb article. | keyword | +| ocsf.kb_article_list.created_time | The date the kb article was released by the vendor. | long | +| ocsf.kb_article_list.created_time_dt | The date the kb article was released by the vendor. | date | +| ocsf.kb_article_list.is_superseded | The patch is superseded | boolean | +| ocsf.kb_article_list.os | The operating system the kb article applies. | flattened | +| ocsf.kb_article_list.product | The product details the kb article applies. | flattened | +| ocsf.kb_article_list.severity | The severity of the kb article. | keyword | +| ocsf.kb_article_list.size | The size in bytes for the kb article. | long | +| ocsf.kb_article_list.src_url | The kb article link from the source vendor. | keyword | +| ocsf.kb_article_list.title | The title of the kb article. | keyword | +| ocsf.kb_article_list.uid | The unique identifier for the kb article. | keyword | | ocsf.kernel.is_system | The indication of whether the object is part of the operating system. | boolean | | ocsf.kernel.name | The name of the kernel resource. | keyword | | ocsf.kernel.path | The full path of the kernel resource. | keyword | 
@@ -1381,6 +1448,7 @@ This is the `Event` dataset. | ocsf.kill_chain.phase | The cyber kill chain phase. | keyword | | ocsf.kill_chain.phase_id | The cyber kill chain phase identifier. | keyword | | ocsf.lease_dur | This represents the length of the DHCP lease in seconds. This is present in DHCP Ack events. (activity_id = 1) | long | +| ocsf.load_balancer | The Load Balancer object contains information related to the device that is distributing incoming traffic to specified destinations. | flattened | | ocsf.logon_type | The logon type, normalized to the caption of the logon_type_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.logon_type_id | The normalized logon type identifier | keyword | | ocsf.malware.classification_ids | The list of normalized identifiers of the malware classifications. | keyword | @@ -1399,9 +1467,7 @@ This is the `Event` dataset. | ocsf.malware.cves.cwe_url | Common Weakness Enumeration (CWE) definition URL. | keyword | | ocsf.malware.cves.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date | | ocsf.malware.cves.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date | -| ocsf.malware.cves.product.feature.name | The name of the feature. | keyword | -| ocsf.malware.cves.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.malware.cves.product.feature.version | The version of the feature. | keyword | +| ocsf.malware.cves.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.malware.cves.product.lang | The two letter lower case language codes, as defined by ISO 639-1. | keyword | | ocsf.malware.cves.product.name | The name of the product. | keyword | | ocsf.malware.cves.product.path | The installation path of the product. | keyword | 
@@ -1421,20 +1487,24 @@ This is the `Event` dataset. | ocsf.metadata.extension.name | The schema extension name. For example: dev. | keyword | | ocsf.metadata.extension.uid | The schema extension unique identifier. For example: 999. | keyword | | ocsf.metadata.extension.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword | +| ocsf.metadata.extensions.name | The schema extension name. For example: dev. | keyword | +| ocsf.metadata.extensions.uid | The schema extension unique identifier. For example: 999. | keyword | +| ocsf.metadata.extensions.version | The schema extension version. For example: 1.0.0-alpha.2. | keyword | | ocsf.metadata.labels | The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time. | keyword | +| ocsf.metadata.log_level | The log level of the event. | keyword | | ocsf.metadata.log_name | The event log name. For example, syslog file name or Windows logging subsystem: Security. | keyword | | ocsf.metadata.log_provider | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. | keyword | | ocsf.metadata.log_version | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. | keyword | | ocsf.metadata.logged_time | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. | date | | ocsf.metadata.logged_time_dt | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. 
| date | +| ocsf.metadata.loggers | An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. | flattened | | ocsf.metadata.modified_time | The time when the event was last modified or enriched. | date | | ocsf.metadata.modified_time_dt | The time when the event was last modified or enriched. | date | | ocsf.metadata.original_time | The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs. | keyword | | ocsf.metadata.processed_time | The event processed time, such as an ETL operation. | date | | ocsf.metadata.processed_time_dt | The event processed time, such as an ETL operation. | date | -| ocsf.metadata.product.feature.name | The name of the feature. | keyword | -| ocsf.metadata.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.metadata.product.feature.version | The version of the feature. | keyword | +| ocsf.metadata.product.cpe_name | The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2. | keyword | +| ocsf.metadata.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.metadata.product.lang | The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.metadata.product.name | The name of the product. | keyword | | ocsf.metadata.product.path | The installation path of the product. | keyword | 
@@ -1444,6 +1514,7 @@ This is the `Event` dataset. | ocsf.metadata.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword | | ocsf.metadata.profiles | The list of profiles used to create the event. | keyword | | ocsf.metadata.sequence | Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision. | long | +| ocsf.metadata.tenant_uid | The audit level at which an event was generated. | keyword | | ocsf.metadata.uid | The logging system-assigned unique identifier of an event instance. | keyword | | ocsf.metadata.version | The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes. | keyword | | ocsf.module.base_address | The memory address where the module was loaded. | keyword | 
@@ -1463,10 +1534,7 @@ This is the `Event` dataset. | ocsf.module.file.accessor.groups.type | The type of the group or account. | keyword | | ocsf.module.file.accessor.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.accessor.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.accessor.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.accessor.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.accessor.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.accessor.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.accessor.org.\* | | object | | ocsf.module.file.accessor.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.accessor.type_id | The account type identifier. | keyword | | ocsf.module.file.accessor.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1491,10 +1559,7 @@ This is the `Event` dataset. | ocsf.module.file.creator.groups.type | The type of the group or account. | keyword | | ocsf.module.file.creator.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.creator.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.creator.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.creator.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.creator.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.creator.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.creator.org.\* | | object | | ocsf.module.file.creator.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.creator.type_id | The account type identifier. | keyword | | ocsf.module.file.creator.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1521,10 +1586,7 @@ This is the `Event` dataset. | ocsf.module.file.modifier.groups.type | The type of the group or account. | keyword | | ocsf.module.file.modifier.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.modifier.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.modifier.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.modifier.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.modifier.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.modifier.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.modifier.org.\* | | object | | ocsf.module.file.modifier.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.modifier.type_id | The account type identifier. | keyword | | ocsf.module.file.modifier.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | 
@@ -1544,19 +1606,14 @@ This is the `Event` dataset. | ocsf.module.file.owner.groups.type | The type of the group or account. | keyword | | ocsf.module.file.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.module.file.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.module.file.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.module.file.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.module.file.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.module.file.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.module.file.owner.org.\* | | object | | ocsf.module.file.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.module.file.owner.type_id | The account type identifier. | keyword | | ocsf.module.file.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.module.file.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.module.file.parent_folder | The parent folder in which the file resides. For example: c:\windows\system32. | keyword | | ocsf.module.file.path | The full path to the file. For example: c:\windows\system32\svchost.exe. | keyword | -| ocsf.module.file.product.feature.name | The name of the feature. | keyword | -| ocsf.module.file.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.module.file.product.feature.version | The version of the feature. 
| keyword | +| ocsf.module.file.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.module.file.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.module.file.product.name | The name of the product. | keyword | | ocsf.module.file.product.path | The installation path of the product. | keyword | @@ -1596,6 +1653,7 @@ This is the `Event` dataset. | ocsf.module.type | The module type. | keyword | | ocsf.name | The name of the data affiliated with the command. | keyword | | ocsf.nist | The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk. | keyword | +| ocsf.num_\* | The number fields for counting various item scan results. | integer | | ocsf.observables.name | The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name. | keyword | | ocsf.observables.reputation.base_score | The reputation score as reported by the event source. | double | | ocsf.observables.reputation.provider | The provider of the reputation information. | keyword | 
@@ -1605,7 +1663,13 @@ This is the `Event` dataset. | ocsf.observables.type_id | The observable value type identifier. | keyword | | ocsf.observables.value | The value associated with the observable attribute. | keyword | | ocsf.open_type | Indicates how the file was opened (e.g. normal, delete on close). | keyword | +| ocsf.policy | The policy that was used to scan the device. | flattened | | ocsf.port | The dynamic port established for impending data transfers. | long | +| ocsf.precision | The NTP precision quantifies a clock's accuracy and stability in log2 seconds, as defined in RFC-5905. | integer | +| ocsf.prev_security_states.state | The security state, normalized to the caption of the state_id value. | keyword | +| ocsf.prev_security_states.state_id | The security state of the managed entity. | keyword | +| ocsf.priority | The priority, normalized to the caption of the priority_id value. | keyword | +| ocsf.priority_id | The priority, normalized to the ID of the priority_id value. | integer | | ocsf.privileges | The list of sensitive privileges, assigned to the new user session. | keyword | | ocsf.protocol_ver | The Protocol version. | keyword | | ocsf.proxy.domain | The name of the domain. | keyword | 
@@ -1633,16 +1697,55 @@ This is the `Event` dataset. | ocsf.proxy.uid | The unique identifier of the endpoint. | keyword | | ocsf.proxy.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.proxy.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.proxy_connection_info | The connection information from the proxy server to the remote server. | flattened | +| ocsf.proxy_endpoint.container | The information describing an instance of a container. | flattened | +| ocsf.proxy_endpoint.domain | The name of the domain. | keyword | +| ocsf.proxy_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| ocsf.proxy_endpoint.hw_info | The endpoint hardware information. | flattened | +| ocsf.proxy_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | +| ocsf.proxy_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | +| ocsf.proxy_endpoint.interface_uid | The unique identifier of the network interface. | keyword | +| ocsf.proxy_endpoint.intermediate_ips | The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header. | ip | +| ocsf.proxy_endpoint.ip | The IP address of the endpoint, in either IPv4 or IPv6 format. | ip | +| ocsf.proxy_endpoint.location.city | The name of the city. | keyword | +| ocsf.proxy_endpoint.location.continent | The name of the continent. | keyword | +| ocsf.proxy_endpoint.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | +| ocsf.proxy_endpoint.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword | +| ocsf.proxy_endpoint.location.desc | The description of the geographical location. | keyword | +| ocsf.proxy_endpoint.location.is_on_premises | The indication of whether the location is on premises. 
| boolean | +| ocsf.proxy_endpoint.location.isp | The name of the Internet Service Provider (ISP). | keyword | +| ocsf.proxy_endpoint.location.postal_code | The postal code of the location. | keyword | +| ocsf.proxy_endpoint.location.provider | The provider of the geographical location data. | keyword | +| ocsf.proxy_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | +| ocsf.proxy_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | +| ocsf.proxy_endpoint.name | The short name of the endpoint. | keyword | +| ocsf.proxy_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | +| ocsf.proxy_endpoint.os | The endpoint operating system. | flattened | +| ocsf.proxy_endpoint.port | The port used for communication within the network connection. | long | +| ocsf.proxy_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened | +| ocsf.proxy_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | +| ocsf.proxy_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | +| ocsf.proxy_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | +| ocsf.proxy_endpoint.type_id | The network endpoint type ID. | keyword | +| ocsf.proxy_endpoint.uid | The unique identifier of the endpoint. 
| keyword | +| ocsf.proxy_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | +| ocsf.proxy_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.proxy_endpoint.zone | The network zone or LAN segment. | keyword | +| ocsf.proxy_http_request | The HTTP Request from the proxy server to the remote server. | flattened | +| ocsf.proxy_http_response | The HTTP Response from the remote server to the proxy server. | flattened | +| ocsf.proxy_tls | The TLS protocol negotiated between the proxy server and the remote server. | flattened | +| ocsf.proxy_traffic | The network traffic refers to the amount of data moving across a network, from proxy to remote server at a given point of time. | flattened | | ocsf.query.class | The class of resource records being queried. See RFC1035. For example: IN. | keyword | | ocsf.query.hostname | The hostname or domain being queried. For example: www.example.com | keyword | | ocsf.query.opcode | The DNS opcode specifies the type of the query message. | keyword | | ocsf.query.opcode_id | The DNS opcode ID specifies the normalized query message type. | keyword | | ocsf.query.packet_uid | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword | | ocsf.query.type | The type of resource records being queried. See RFC1035. For example: A, AAAA, CNAME, MX, and NS. | keyword | +| ocsf.query_info | The query info object holds information related to data access within a datastore. | flattened | | ocsf.query_time | The Domain Name System (DNS) query time. | date | | ocsf.query_time_dt | The Domain Name System (DNS) query time. | date | | ocsf.raw_data | The event data as received from the event source. | flattened | -| ocsf.raw_data_keyword | | keyword | +| ocsf.raw_data_keyword | The event data as received from the event source. 
| match_only_text | | ocsf.rcode | The DNS server response code, normalized to the caption of the rcode_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.rcode_id | The normalized identifier of the DNS server response code. | keyword | | ocsf.relay.hostname | The hostname associated with the network interface. | keyword | @@ -1654,6 +1757,10 @@ This is the `Event` dataset. | ocsf.relay.type | The type of network interface. | keyword | | ocsf.relay.type_id | The network interface type identifier. | keyword | | ocsf.relay.uid | The unique identifier for the network interface. | keyword | +| ocsf.remediation.desc | The description of the remediation strategy. | keyword | +| ocsf.remediation.kb_article_list | A list of KB articles or patches related to an endpoint. | flattened | +| ocsf.remediation.kb_articles | The KB article/s related to the entity. | keyword | +| ocsf.remediation.references | A list of supporting URL/s, references that help describe the remediation strategy. | keyword | | ocsf.remote_display.color_depth | The numeric color depth. | long | | ocsf.remote_display.physical_height | The numeric physical height of display. | long | | ocsf.remote_display.physical_orientation | The numeric physical orientation of display. | long | 
@@ -1662,42 +1769,6 @@ This is the `Event` dataset. | ocsf.request.flags | The list of communication flags, normalized to the captions of the flag_ids values. In the case of 'Other', they are defined by the event source. | date | | ocsf.request.uid | The unique request identifier. | keyword | | ocsf.requested_permissions | The permissions mask that were requested by the process. | long | -| ocsf.resource.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword | -| ocsf.resource.criticality | The criticality of the resource as defined by the event source. | keyword | -| ocsf.resource.data | Additional data describing the resource. | flattened | -| ocsf.resource.group.desc | The group description. | keyword | -| ocsf.resource.group.name | The group name. | keyword | -| ocsf.resource.group.privileges | The group privileges. | keyword | -| ocsf.resource.group.type | The type of the group or account. | keyword | -| ocsf.resource.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.resource.labels | The list of labels/tags associated to a resource. | keyword | -| ocsf.resource.name | The name of the resource. | keyword | -| ocsf.resource.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | -| ocsf.resource.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | -| ocsf.resource.owner.account.type_id | The normalized account type identifier. | keyword | -| ocsf.resource.owner.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | -| ocsf.resource.owner.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | -| ocsf.resource.owner.domain | The domain where the user is defined. 
For example: the LDAP or Active Directory domain. | keyword | -| ocsf.resource.owner.email_addr | The user's email address. | keyword | -| ocsf.resource.owner.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | -| ocsf.resource.owner.groups.desc | The group description. | keyword | -| ocsf.resource.owner.groups.name | The group name. | keyword | -| ocsf.resource.owner.groups.privileges | The group privileges. | keyword | -| ocsf.resource.owner.groups.type | The type of the group or account. | keyword | -| ocsf.resource.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | -| ocsf.resource.owner.name | The username. For example, janedoe1. | keyword | -| ocsf.resource.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.resource.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.resource.owner.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.resource.owner.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | -| ocsf.resource.owner.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | -| ocsf.resource.owner.type_id | The account type identifier. | keyword | -| ocsf.resource.owner.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | -| ocsf.resource.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | -| ocsf.resource.region | The cloud region of the resource. | keyword | -| ocsf.resource.type | The resource type as defined by the event source. 
| keyword | -| ocsf.resource.uid | The unique identifier of the resource. | keyword | -| ocsf.resource.version | The version of the resource. For example 1.2.3. | keyword | | ocsf.resources.cloud_partition | The canonical cloud partition name to which the region is assigned (e.g. AWS Partitions: aws, aws-cn, aws-us-gov). | keyword | | ocsf.resources.criticality | The criticality of the resource as defined by the event source. | keyword | | ocsf.resources.data | Additional data describing the resource. | flattened | @@ -1708,6 +1779,7 @@ This is the `Event` dataset. | ocsf.resources.group.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | | ocsf.resources.labels | The list of labels/tags associated to a resource. | keyword | | ocsf.resources.name | The name of the resource. | keyword | +| ocsf.resources.namespace | The namespace is useful when similar entities exist that you need to keep separate. | keyword | | ocsf.resources.owner.account.name | The name of the account (e.g. GCP Account Name). | keyword | | ocsf.resources.owner.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.resources.owner.account.type_id | The normalized account type identifier. | keyword | 
@@ -1720,7 +1792,9 @@ This is the `Event` dataset. | ocsf.resources.owner.groups.name | The group name. | keyword | | ocsf.resources.owner.groups.privileges | The group privileges. | keyword | | ocsf.resources.owner.groups.type | The type of the group or account. | keyword | +| ocsf.resources.owner.groups.type_id | The resource group type identifier. | keyword | | ocsf.resources.owner.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.resources.owner.ldap_person | The LDAP person object. | flattened | | ocsf.resources.owner.name | The username. For example, janedoe1. | keyword | | ocsf.resources.owner.org.name | The name of the organization. For example, Widget, Inc. | keyword | | ocsf.resources.owner.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | @@ -1732,6 +1806,7 @@ This is the `Event` dataset. | ocsf.resources.owner.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | | ocsf.resources.region | The cloud region of the resource. | keyword | | ocsf.resources.type | The resource type as defined by the event source. | keyword | +| ocsf.resources.type_id | The resource type identifier. | keyword | | ocsf.resources.uid | The unique identifier of the resource. | keyword | | ocsf.resources.version | The version of the resource. For example 1.2.3. | keyword | | ocsf.response.code | The numeric response sent to a request. | long | 
@@ -1744,6 +1819,15 @@ This is the `Event` dataset. | ocsf.risk_level | The risk level, normalized to the caption of the risk_level_id value. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.risk_level_id | The normalized risk level id. | keyword | | ocsf.risk_score | The risk score as reported by the event source. | long | +| ocsf.scan.name | The administrator-supplied or application-generated name of the scan. | keyword | +| ocsf.scan.type | The type of scan. | keyword | +| ocsf.scan.type_id | The type id of the scan. | keyword | +| ocsf.scan.uid | The application-defined unique identifier assigned to an instance of a scan. | keyword | +| ocsf.schedule_uid | The unique identifier of the schedule associated with a scan job. | keyword | +| ocsf.security_level | The current security level of the entity. | keyword | +| ocsf.security_level_id | The current security level of the entity. | integer | +| ocsf.security_states.state | The security state, normalized to the caption of the state_id value. | keyword | +| ocsf.security_states.state_id | The security state of the managed entity. | keyword | | ocsf.server_hassh.algorithm | The concatenation of key exchange, encryption, authentication and compression algorithms (separated by ';'). NOTE: This is not the underlying algorithm for the hash implementation. | keyword | | ocsf.server_hassh.fingerprint.algorithm | The hash algorithm used to create the digital fingerprint, normalized to the caption of 'algorithm_id'. In the case of 'Other', it is defined by the event source. | keyword | | ocsf.server_hassh.fingerprint.algorithm_id | The identifier of the normalized hash algorithm, which was used to create the digital fingerprint. | keyword | 
@@ -1769,8 +1853,10 @@ This is the `Event` dataset. | ocsf.share_type_id | The normalized identifier of the SMB share type. | keyword | | ocsf.size | The memory size that was access or requested. | long | | ocsf.smtp_hello | The value of the SMTP HELO or EHLO command sent by the initiator (client). | keyword | +| ocsf.src_endpoint.container | The information describing an instance of a container. | flattened | | ocsf.src_endpoint.domain | The name of the domain. | keyword | | ocsf.src_endpoint.hostname | The fully qualified name of the endpoint. | keyword | +| ocsf.src_endpoint.hw_info | The endpoint hardware information. | flattened | | ocsf.src_endpoint.instance_uid | The unique identifier of a VM instance. | keyword | | ocsf.src_endpoint.interface_name | The name of the network interface (e.g. eth2). | keyword | | ocsf.src_endpoint.interface_uid | The unique identifier of the network interface. | keyword | 
@@ -1788,12 +1874,19 @@ This is the `Event` dataset. | ocsf.src_endpoint.location.region | The alphanumeric code that identifies the principal subdivision (e.g. province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | | ocsf.src_endpoint.mac | The Media Access Control (MAC) address of the endpoint. | keyword | | ocsf.src_endpoint.name | The short name of the endpoint. | keyword | +| ocsf.src_endpoint.namespace_pid | If running under a process namespace (such as in a container), the process identifier within that process namespace. | integer | +| ocsf.src_endpoint.os | The endpoint operating system. | flattened | | ocsf.src_endpoint.port | The port used for communication within the network connection. | long | +| ocsf.src_endpoint.proxy_endpoint | The network proxy information pertaining to a specific endpoint. This can be used to describe information pertaining to network address translation (NAT). | flattened | | ocsf.src_endpoint.subnet_uid | The unique identifier of a virtual subnet. | keyword | | ocsf.src_endpoint.svc_name | The service name in service-to-service connections. For example, AWS VPC logs the pkt-src-aws-service and pkt-dst-aws-service fields identify the connection is coming from or going to an AWS service. | keyword | +| ocsf.src_endpoint.type | The network endpoint type. For example, unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other. | keyword | +| ocsf.src_endpoint.type_id | The network endpoint type ID. | keyword | | ocsf.src_endpoint.uid | The unique identifier of the endpoint. | keyword | | ocsf.src_endpoint.vlan_uid | The Virtual LAN identifier. | keyword | | ocsf.src_endpoint.vpc_uid | The unique identifier of the Virtual Private Cloud (VPC). | keyword | +| ocsf.src_endpoint.zone | The network zone or LAN segment. | keyword | +| ocsf.src_url | A Url link used to access the original incident. 
| keyword | | ocsf.start_time | The start time of a time period, or the time of the least recent event included in the aggregate event. | date | | ocsf.start_time_dt | The start time of a time period, or the time of the least recent event included in the aggregate event. | date | | ocsf.state | The normalized state of a security finding. | keyword | @@ -1802,6 +1895,9 @@ This is the `Event` dataset. | ocsf.status_code | The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18. | keyword | | ocsf.status_detail | The status details contains additional information about the event outcome. | keyword | | ocsf.status_id | The normalized identifier of the event status. | keyword | +| ocsf.stratum | The stratum level of the NTP server's time source, normalized to the caption of the stratum_id value. | keyword | +| ocsf.stratum_id | The normalized identifier of the stratum level, as defined in RFC-5905. | integer | +| ocsf.table | The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried. | flattened | | ocsf.time | The normalized event occurrence time. | date | | ocsf.time_dt | The normalized event occurrence time. | date | | ocsf.timezone_offset | The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080. | long | 
@@ -1836,6 +1932,7 @@ This is the `Event` dataset. | ocsf.tls.server_ciphers | The server cipher suites that were exchanged during the TLS handshake negotiation. | keyword | | ocsf.tls.sni | The Server Name Indication (SNI) extension sent by the client. | keyword | | ocsf.tls.version | The TLS protocol version. | keyword | +| ocsf.total | The total number of items that were scanned; zero if no items were scanned. | integer | | ocsf.traffic.bytes | The total number of bytes (in and out). | long | | ocsf.traffic.bytes_in | The number of bytes sent from the destination to the source. | long | | ocsf.traffic.bytes_out | The number of bytes sent from the source to the destination. | long | @@ -1844,7 +1941,8 @@ This is the `Event` dataset. | ocsf.traffic.packets_out | The number of packets sent from the source to the destination. | long | | ocsf.transaction_uid | The unique identifier of the transaction. This is typically a random number generated from the client to associate a dhcp request/response pair. | keyword | | ocsf.tree_uid | The tree id is a unique SMB identifier which represents an open connection to a share. | keyword | -| ocsf.type | The type of FTP network connection (e.g. active, passive). | keyword | +| ocsf.type | The type the event. | keyword | +| ocsf.type_id | The normalized event type identifier. | keyword | | ocsf.type_name | The event type name, as defined by the type_uid. | keyword | | ocsf.type_uid | The event type ID. It identifies the events semantics and structure. The value is calculated by the logging system as: class_uid \* 100 + activity_id. | keyword | | ocsf.unmapped | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. | flattened | 
@@ -1867,15 +1965,65 @@ This is the `Event` dataset. | ocsf.user.email_addr | The user's email address. | keyword | | ocsf.user.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | | ocsf.user.groups.desc | The group description. | keyword | +| ocsf.user.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | | ocsf.user.groups.name | The group name. | keyword | | ocsf.user.groups.privileges | The group privileges. | keyword | | ocsf.user.groups.type | The type of the group or account. | keyword | | ocsf.user.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.user.ldap_person.cost_center | The cost center associated with the user. | keyword | +| ocsf.user.ldap_person.created_time | The timestamp when the user was created. | date | +| ocsf.user.ldap_person.created_time_dt | The date when the user was created. | date | +| ocsf.user.ldap_person.deleted_time | The timestamp when the user was deleted. | date | +| ocsf.user.ldap_person.deleted_time_dt | The date when the user was deleted. | date | +| ocsf.user.ldap_person.email_addrs | A list of additional email addresses for the user. | keyword | +| ocsf.user.ldap_person.employee_uid | The employee identifier assigned to the user by the organization. | keyword | +| ocsf.user.ldap_person.given_name | The given or first name of the user. | keyword | +| ocsf.user.ldap_person.hire_time | The timestamp when the user was or will be hired by the organization. | date | +| ocsf.user.ldap_person.hire_time_dt | The date when the user was or will be hired by the organization. | date | +| ocsf.user.ldap_person.job_title | The user's job title. | keyword | +| ocsf.user.ldap_person.labels | The labels associated with the user. For example in AD this could be the userType, employeeType. 
| keyword | +| ocsf.user.ldap_person.last_login_time | The last time when the user logged in. | date | +| ocsf.user.ldap_person.last_login_time_dt | The last date when the user logged in. | date | +| ocsf.user.ldap_person.ldap_cn | The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe. | keyword | +| ocsf.user.ldap_person.ldap_dn | The X.500 Distinguished Name (DN) is a structured string that uniquely identifies an entry, such as a user, in an X.500 directory service For example, cn=John Doe,ou=People,dc=example,dc=com. | keyword | +| ocsf.user.ldap_person.leave_time | The timestamp when the user left or will be leaving the organization. | date | +| ocsf.user.ldap_person.leave_time_dt | The date when the user left or will be leaving the organization. | date | +| ocsf.user.ldap_person.location.city | The name of the city. | keyword | +| ocsf.user.ldap_person.location.continent | The name of the continent. | keyword | +| ocsf.user.ldap_person.location.coordinates | A two-element array, containing a longitude/latitude pair. The format conforms with GeoJSON. | geo_point | +| ocsf.user.ldap_person.location.country | The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see ISO 3166-1 alpha-2 codes. The two letter country code should be capitalized. | keyword | +| ocsf.user.ldap_person.location.desc | The description of the geographical location. | keyword | +| ocsf.user.ldap_person.location.is_on_premises | The indication of whether the location is on premises. | boolean | +| ocsf.user.ldap_person.location.isp | The name of the Internet Service Provider (ISP). | keyword | +| ocsf.user.ldap_person.location.postal_code | The postal code of the location. | keyword | +| ocsf.user.ldap_person.location.provider | The provider of the geographical location data. | keyword | +| ocsf.user.ldap_person.location.region | The alphanumeric code that identifies the principal subdivision (e.g. 
province or state) of the country. Region codes are defined at ISO 3166-2 and have a limit of three characters. For example, see the region codes for the US. | keyword | +| ocsf.user.ldap_person.manager.account.name | The name of the account (e.g. GCP Account Name). | keyword | +| ocsf.user.ldap_person.manager.account.type | The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source. | keyword | +| ocsf.user.ldap_person.manager.account.type_id | The normalized account type identifier. | keyword | +| ocsf.user.ldap_person.manager.account.uid | The unique identifier of the account (e.g. AWS Account ID). | keyword | +| ocsf.user.ldap_person.manager.credential_uid | The unique identifier of the user's credential. For example, AWS Access Key ID. | keyword | +| ocsf.user.ldap_person.manager.domain | The domain where the user is defined. For example: the LDAP or Active Directory domain. | keyword | +| ocsf.user.ldap_person.manager.email_addr | The user's email address. | keyword | +| ocsf.user.ldap_person.manager.full_name | The full name of the person, as per the LDAP Common Name attribute (cn). | keyword | +| ocsf.user.ldap_person.manager.groups.desc | The group description. | keyword | +| ocsf.user.ldap_person.manager.groups.domain | The domain where the group is defined. For example, the LDAP or Active Directory domain. | keyword | +| ocsf.user.ldap_person.manager.groups.name | The group name. | keyword | +| ocsf.user.ldap_person.manager.groups.privileges | The group privileges. | keyword | +| ocsf.user.ldap_person.manager.groups.type | The type of the group or account. | keyword | +| ocsf.user.ldap_person.manager.groups.uid | The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group. | keyword | +| ocsf.user.ldap_person.manager.name | The username. For example, janedoe1. 
| keyword | +| ocsf.user.ldap_person.manager.org.\* | Organization and org unit related to the user. | object | +| ocsf.user.ldap_person.manager.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | +| ocsf.user.ldap_person.manager.type_id | The account type identifier. | keyword | +| ocsf.user.ldap_person.manager.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | +| ocsf.user.ldap_person.manager.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | +| ocsf.user.ldap_person.modified_time | The timestamp when the user entry was last modified. | date | +| ocsf.user.ldap_person.modified_time_dt | The date when the user entry was last modified. | date | +| ocsf.user.ldap_person.office_location | The primary office location associated with the user. This could be any string and isn't a specific address. | keyword | +| ocsf.user.ldap_person.surname | The last or family name for the user. | keyword | | ocsf.user.name | The username. For example, janedoe1. | keyword | -| ocsf.user.org.name | The name of the organization. For example, Widget, Inc. | keyword | -| ocsf.user.org.ou_name | The name of the organizational unit, within an organization. For example, Finance, IT, R&D. | keyword | -| ocsf.user.org.ou_uid | The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID. | keyword | -| ocsf.user.org.uid | The unique identifier of the organization. For example, its Active Directory or AWS Org ID. | keyword | +| ocsf.user.org.\* | Organization and org unit related to the user. | object | | ocsf.user.type | The type of the user. For example, System, AWS IAM User, etc. | keyword | | ocsf.user.type_id | The account type identifier. | keyword | | ocsf.user.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. 
| keyword | @@ -1902,6 +2050,9 @@ This is the `Event` dataset. | ocsf.user_result.type_id | The account type identifier. | keyword | | ocsf.user_result.uid | The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN. | keyword | | ocsf.user_result.uid_alt | The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID. | keyword | +| ocsf.verdict | The verdict assigned to an Incident finding. | keyword | +| ocsf.verdict_id | The normalized verdict of an Incident. | integer | +| ocsf.version | The version number of the NTP protocol. | keyword | | ocsf.vulnerabilities.cve.created_time | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date | | ocsf.vulnerabilities.cve.created_time_dt | The Record Creation Date identifies when the CVE ID was issued to a CVE Numbering Authority (CNA) or the CVE Record was published on the CVE List. Note that the Record Creation Date does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | date | | ocsf.vulnerabilities.cve.cvss.base_score | The CVSS base score. For example: 9.1. | double | 
@@ -1912,13 +2063,15 @@ This is the `Event` dataset. | ocsf.vulnerabilities.cve.cvss.severity | The Common Vulnerability Scoring System (CVSS) Qualitative Severity Rating. A textual representation of the numeric score. | keyword | | ocsf.vulnerabilities.cve.cvss.vector_string | The CVSS vector string is a text representation of a set of CVSS metrics. It is commonly used to record or transfer CVSS metric information in a concise form. For example: 3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. | keyword | | ocsf.vulnerabilities.cve.cvss.version | The CVSS version. For example: 3.1. | keyword | +| ocsf.vulnerabilities.cve.cwe | The Common Weakness Enumeration (CWE) object describes the type of weakness identified in the vulnerability. | flattened | | ocsf.vulnerabilities.cve.cwe_uid | The Common Weakness Enumeration (CWE) unique identifier. For example: CWE-787. | keyword | | ocsf.vulnerabilities.cve.cwe_url | Common Weakness Enumeration (CWE) definition URL. For example: https://cwe.mitre.org/data/definitions/787.html. | keyword | +| ocsf.vulnerabilities.cve.desc | The description of the vulnerability. | keyword | +| ocsf.vulnerabilities.cve.epss | The Exploit Prediction Scoring System (EPSS) object describes the estimated probability a vulnerability will be exploited. | flattened | +| ocsf.vulnerabilities.cve.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean | | ocsf.vulnerabilities.cve.modified_time | The Record Modified Date identifies when the CVE record was last updated. | date | | ocsf.vulnerabilities.cve.modified_time_dt | The Record Modified Date identifies when the CVE record was last updated. | date | -| ocsf.vulnerabilities.cve.product.feature.name | The name of the feature. | keyword | -| ocsf.vulnerabilities.cve.product.feature.uid | The unique identifier of the feature. | keyword | -| ocsf.vulnerabilities.cve.product.feature.version | The version of the feature. 
| keyword | +| ocsf.vulnerabilities.cve.product.feature.\* | The Feature object provides information about the software product feature that generated a specific event. | object | | ocsf.vulnerabilities.cve.product.lang | The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French). | keyword | | ocsf.vulnerabilities.cve.product.name | The name of the product. | keyword | | ocsf.vulnerabilities.cve.product.path | The installation path of the product. | keyword | 
@@ -1926,10 +2079,13 @@ This is the `Event` dataset. | ocsf.vulnerabilities.cve.product.url_string | The URL pointing towards the product. | keyword | | ocsf.vulnerabilities.cve.product.vendor_name | The name of the vendor of the product. | keyword | | ocsf.vulnerabilities.cve.product.version | The version of the product, as defined by the event source. For example: 2013.1.3-beta. | keyword | +| ocsf.vulnerabilities.cve.references | Supporting reference URLs. | keyword | +| ocsf.vulnerabilities.cve.title | The title of the cve. | keyword | | ocsf.vulnerabilities.cve.type | The vulnerability type as selected from a large dropdown menu during CVE refinement. | keyword | | ocsf.vulnerabilities.cve.uid | The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: CVE-2021-12345. | keyword | -| ocsf.vulnerabilities.desc | The description of the vulnerability. | keyword | -| ocsf.vulnerabilities.fix_available | Indicates if a fix is available for the reported vulnerability. | boolean | +| ocsf.vulnerabilities.cwe.caption | The caption assigned to the Common Weakness Enumeration unique identifier. | keyword | +| ocsf.vulnerabilities.cwe.src_url | URL pointing to the CWE Specification. | keyword | +| ocsf.vulnerabilities.cwe.uid | The Common Weakness Enumeration unique number assigned to a specific weakness. | keyword | | ocsf.vulnerabilities.kb_articles | The KB article/s related to the entity. | keyword | | ocsf.vulnerabilities.packages.architecture | Architecture is a shorthand name describing the type of computer hardware the packaged software is meant to run on. | keyword | | ocsf.vulnerabilities.packages.epoch | The software package epoch. Epoch is a way to define weighted dependencies based on version numbers. | long | 
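Review bot: the new `ocsf.version` row in the `Event` dataset table is described as "The version number of the NTP protocol.", which is too narrow for a top-level field in a dataset that carries every event class; use a context-independent description here and keep the NTP wording for the NTP class only. In the same region, `ocsf.verdict_id` is typed `integer` while the neighbouring `*_id` enums (`ocsf.user.type_id`, `ocsf.user_result.type_id`) stay `keyword`; pick one convention so queries on `*_id` fields behave the same across classes. The CWE handling is also split two ways: `ocsf.vulnerabilities.cve.cwe` is `flattened` while `ocsf.vulnerabilities.cwe.caption`, `.src_url` and `.uid` are mapped field by field, and the old `cwe_uid`/`cwe_url` rows remain next to the new `cwe` object, so state whether they are kept only for backward compatibility. Minor: "The title of the cve." should read "CVE". Finally, dropping `ocsf.vulnerabilities.desc` and `ocsf.vulnerabilities.fix_available` in favour of `cve.desc`/`cve.fix_available` removes two top-level fields that existing saved searches and rules may reference; call this out explicitly as a breaking change in the docs.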
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json index 26f37d13c239..78b2c7d3c090 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)** \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.0.0/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- **[Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)** \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the behavior of applications and services.\n\nPlease visit the [Application Activity](https://schema.ocsf.io/1.1.0/categories/application) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json index 640aa6cc6f46..0af7bd6a9c53 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.0.0/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - **[DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386)** \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of DNS queries and answers as seen on the network.\n\nPlease visit the [DNS Activity](https://schema.ocsf.io/1.1.0/classes/dns_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json index 252783b257e6..40810d7f0bd0 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.0.0/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - **[Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15)** \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of Network connections and traffic activity.\n\nPlease visit the [Network Activity](https://schema.ocsf.io/1.1.0/classes/network_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json index 1c8940e9e13e..c8786042bd6b 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - **[Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112)** \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the Email and it's file and URL related activity on Network.\n\nPlease visit the [Email Activity](https://schema.ocsf.io/1.0.0/classes/email_activity), [Email File Activity](https://schema.ocsf.io/1.0.0/classes/email_file_activity) and [Email URL Activity](https://schema.ocsf.io/1.0.0/classes/email_url_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview 
Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - **[Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112)** \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the Email and it's file and URL related activity on Network.\n\nPlease visit the [Email Activity](https://schema.ocsf.io/1.1.0/classes/email_activity), [Email File Activity](https://schema.ocsf.io/1.1.0/classes/email_file_activity) and [Email URL Activity](https://schema.ocsf.io/1.1.0/classes/email_url_activity) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", 
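Review bot: since the entire markdown string of this Email dashboard is being replaced for the 1.1.0 link bump, the overview sentence still reading "the Email and it's file and URL related activity on Network" should be corrected in the same change to "the email and its file- and URL-related activity on the network", rather than carrying the "it's" typo forward into 2.0.0.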
diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json index 29c8d9d7f5e7..ae34823c2765 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.0.0/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System 
Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- **[Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d)** \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of Identity \u0026 Access Management (IAM) events relate to the supervision of the system's authentication and access control model.\n\nPlease visit the [Identity \u0026 Access Management](https://schema.ocsf.io/1.1.0/categories/iam) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json index ff86ded51434..96229b2bb4ac 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json 
+++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - **[HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)** \n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of HTTP, RDP, DHCP, SMB, SSH, FTP and Network File related activity on the network.\n\nPlease visit the [HTTP](https://schema.ocsf.io/1.0.0/classes/http_activity), [DHCP](https://schema.ocsf.io/1.0.0/classes/dhcp_activity), [RDP](https://schema.ocsf.io/1.0.0/classes/rdp_activity), [SMB](https://schema.ocsf.io/1.0.0/classes/smb_activity), [SSH](https://schema.ocsf.io/1.0.0/classes/ssh_activity), [FTP](https://schema.ocsf.io/1.0.0/classes/ftp_activity), [Network File Activity](https://schema.ocsf.io/1.0.0/classes/network_file_activity) documentation for more information.\n\n[**Integration 
Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - **[HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)** \n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n \n\n**Overview**\n\nThis dashboard shows an overview of HTTP, RDP, DHCP, SMB, SSH, FTP and Network File related activity on the network.\n\nPlease visit the [HTTP](https://schema.ocsf.io/1.1.0/classes/http_activity), [DHCP](https://schema.ocsf.io/1.1.0/classes/dhcp_activity), [RDP](https://schema.ocsf.io/1.1.0/classes/rdp_activity), [SMB](https://schema.ocsf.io/1.1.0/classes/smb_activity), [SSH](https://schema.ocsf.io/1.1.0/classes/ssh_activity), [FTP](https://schema.ocsf.io/1.1.0/classes/ftp_activity), [Network File Activity](https://schema.ocsf.io/1.1.0/classes/network_file_activity) documentation for more 
information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json index 43a1bfee4156..a78d640b902c 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112)** \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the process, memory, file, scheduled job and kernel related activity.\n\nPlease visit the [System Activity](https://schema.ocsf.io/1.0.0/categories/system) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- **[System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112)** \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the process, memory, file, scheduled job and kernel related activity.\n\nPlease visit the [System Activity](https://schema.ocsf.io/1.1.0/categories/system) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json index 20483d18ed6d..3567cfd7c294 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- **[Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the device inventory data and device configuration data.\n\nPlease visit the [Discovery](https://schema.ocsf.io/1.0.0/categories/discovery) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- **[Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112)** \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of detailed information about the device inventory data and device configuration data.\n\nPlease visit the [Discovery](https://schema.ocsf.io/1.1.0/categories/discovery) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json index 435f1fd1abf2..ad394ef841b3 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- **[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.0.0/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3) \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
**[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c)** \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1)\n \n\n**Overview**\n\nThis dashboard shows an overview of findings, detections, anomalies, alerts, and/or actions performed by security products.\n\nPlease visit the [Findings](https://schema.ocsf.io/1.1.0/categories/findings) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json index 9db5a24f0746..d42628658559 100644 --- a/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json +++ b/packages/amazon_security_lake/kibana/dashboard/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3.json 
@@ -43,7 +43,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- [Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.0.0/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n", + "markdown": "**Navigation**\n\n**Amazon Security Lake** \n\n**[Overview Dashboard](/app/dashboards#/view/amazon_security_lake-f21df8e0-249d-11ee-aa05-4dd9349682f3)** \n- [System Activity](/app/dashboards#/view/amazon_security_lake-9f829d40-7e1e-11ee-8bb4-f99e39910112) \n- 
[Findings](/app/dashboards#/view/amazon_security_lake-ed18e3a0-2565-11ee-be5c-17edc959116c) \n- [Identity \u0026 Access Management](/app/dashboards#/view/amazon_security_lake-41b73270-25fe-11ee-983a-17fb20a3b25d) \n- Network Activity\n - [Network Activity (4001)](/app/dashboards#/view/amazon_security_lake-1bbac7b0-2632-11ee-a94e-bfa24df19b15) \n - [DNS Activity (4003)](/app/dashboards#/view/amazon_security_lake-15b6e140-24a3-11ee-bb84-975fc16e8386) \n - [HTTP (4002), DHCP (4004), RDP (4005), SMB (4006), SSH (4007), FTP (4008), Network File Activity (4010)](/app/dashboards#/view/amazon_security_lake-48997710-7d65-11ee-8bb4-f99e39910112)\n - [Email Activity (4009), Email File Activity (4011), Email URL Activity (4012)](/app/dashboards#/view/amazon_security_lake-3ec9b110-7d82-11ee-8bb4-f99e39910112) \n- [Discovery](/app/dashboards#/view/amazon_security_lake-c2efb230-7d48-11ee-8bb4-f99e39910112) \n- [Application Activity](/app/dashboards#/view/amazon_security_lake-0d2d7a60-2472-11ee-8d80-89e82659e0f1) \n\n**Overview**\n\nThis dashboard shows an overview of the most common data collected from the Amazon Security Lake Integration.\n\nPlease visit the [Base Event](https://schema.ocsf.io/1.1.0/base_event) documentation for more information.\n\n[**Integration Page**](/app/integrations/detail/amazon_security_lake/overview)\n\n", "openLinksInNewTab": false }, "title": "", diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml index 5c3d3542857f..c8ab9b1cc655 100644 --- a/packages/amazon_security_lake/manifest.yml +++ b/packages/amazon_security_lake/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: amazon_security_lake title: Amazon Security Lake -version: "1.5.0" +version: "2.0.0" description: Collect logs from Amazon Security Lake with Elastic Agent. type: integration categories: ["aws", "security"]
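Review bot: in all four markdown-panel hunks (dashboards 9f829d40, c2efb230, ed18e3a0 and f21df8e0) the only change is the documentation link moving from `https://schema.ocsf.io/1.0.0/...` to `https://schema.ocsf.io/1.1.0/...`, which is an external site, while each panel keeps `"openLinksInNewTab": false`, so following that link navigates the analyst out of Kibana and drops the dashboard's time range and filters; consider `"openLinksInNewTab": true` for these panels, or confirm the in-tab navigation is intentional. Because the navigation block is copied verbatim into every dashboard, any future link change has to be applied four times again, so a grep for `schema.ocsf.io/1.0.0` across `kibana/dashboard/` before merge would confirm no panel was missed. Two small consistency points while the text is being touched: the System Activity and Findings panels have a stray `\n \n\n` before `**Overview**` where the Discovery and Overview panels use ` \n\n`, and the Findings panel is the only one whose markdown does not end with `\n`. Finally, if the data streams now cover classes that OCSF 1.1.0 added, the "Network Activity" sub-list, which still ends at Email URL Activity (4012), should list them so the navigation matches the schema version it links to.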
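Review bot: the manifest hunk bumps `version` from "1.5.0" to "2.0.0" but changes nothing else in the manifest, and a major version tells Fleet users to expect incompatible changes; the changelog entry and README should therefore state what breaks on upgrade (fields that were renamed or re-typed, saved objects that must be re-imported) and whether detection rules or custom dashboards built on the 1.x field names need updating. If the reworked package also requires a newer Kibana or Elasticsearch, the `conditions` constraint should be raised in this same hunk rather than in a follow-up.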